
[ISN] Cyber hype



http://www.guardian.co.uk/online/story/0,3605,853535,00.html

Mike Butcher 
December 5, 2002
The Guardian 

Just hours after a surface to air missile passed within metres of an
Israeli airliner in Kenya last week, media websites began humming.  
Internet chatrooms set up by Islamic sympathisers had been buzzing
with rumours of an attack barely a week before. It was just one in a
long line of hysterical media reports alluding to the way the internet
has been co-opted by "cyberterrorists" for their evil ends.

Since September 11, for which much of the planning happened over
email, cyber-terrorism - loosely defined as using computers to
intimidate others to further political or social objectives - has
become a useful buzzword. Governments have used it to justify ramping
up internet monitoring and - some argue - a corresponding crackdown on
civil liberties online.

The official fear is that religious or political zealots could, for
instance, hack into a hospital computer system to change a ward's
dosage of medicine; or switch off a city's power supply; or change the
operations at a sewage treatment works to poison the water.

In November last year, the European Union member states signed the
Convention on Cybercrime. It was the first international treaty on
crimes committed via the internet and other computer networks, dealing
with infringements of copyright, computer-related fraud, child
pornography and violations of network security.

It also contained a series of powers, such as the search of networks
and "legitimate interception" of communications traffic. Europe is not
the only one to resort to these methods. Last Thursday, President Bush
signed legislation creating the new Homeland Security Department,
which will bring together 22 federal agencies to help stop nuclear,
chemical and biological attacks, and, specifically, cyberterrorism.

Japan is so concerned about the possibilities of cyberattack that they
have thrown a virtual fence around the country to check email and web
traffic. But Hollywood-style hacker scenarios such as those outlined
in the latest James Bond movie are far removed from reality. At least,
that's according to the people who should know: the hackers
themselves.

As hackers and security consultants gathered last week for Dublin's
Hivercon conference, a newer and simpler argument was aired: that it
is far easier to be a real-world terrorist than a virtual-world one.

Simple Nomad is a senior security analyst for BindView Corporation and
a founder of the Nomad Mobile Research Centre, an internationally
known group of hackers. He is concerned about how governments are
using the cyberterrorist pretext to "sniff" personal email and web
traffic.

"Cyberterrorism is a catchy phrase and seems to be a hot topic. I'm
not saying that a hack could never lead to someone's death, but it's
much easier for a terrorist to throw a knapsack of poison into a
reservoir than to do something remotely with a computer," he says. "If
I knew George Bush was going into hospital and would be on a life
support system, conceivably I could interrupt the power grid or hit
the back-up batteries in the middle of his operation. But most of
these systems already have a lot of safeguards, mainly just to prevent
simple accidents."

Nomad argues that the biggest hackers, in fact, are governments
themselves. "There are at least 10 governments out there - like the
US, the British, the Germans, the Chinese - with very sophisticated
teams. In the name of cyberterrorism, there is more funding than ever
going into the listening and data sniffing capability of governments."

It is this capability that is often being used by countries to gain
commercial advantage over other countries, not prevent terrorism,
claims Nomad. He says one of the biggest "sniffers" is the
international Echelon project, set up by western governments to sniff
the net, telephones, and almost everything digital to provide
intelligence for the security services.

Most of Echelon is large scale, to do with all telecommunications -
which is why, he says, national governments have had to introduce such
legislation as the UK's Regulation of Investigatory Powers Act to be
able to monitor pure ISP internet traffic.

So can hackers really gain access to sensitive data? "Most of the big
stuff, like military systems, can't be accessed anyway. There are
air-gaps - things not connected to the outside internet," says Nomad.  
He is dismissive of the recent case where Gary McKinnon, a 36-year-old
former systems administrator from London, allegedly deleted files on a
server used by a US navy command centre between April and September of
last year. Nomad believes this is a rare case and that the files could
not have been sensitive if they were accessible via the net.

Tom Reeve, editor of Security Voice magazine, agrees: "From a global
perspective, I am far less concerned about cyberterrorism and hacking
than acts of terrorism in the physical world. With bombs going off
around the world and everyone wondering when al-Qaida will strike
next, who cares if a web server gets hacked?"

He admits he would be as annoyed as anyone if his web site was hacked
or defaced: "But you couldn't justify diverting large amounts of
resources from anti-terrorism in the physical world to protect my
assets in the virtual world."

That's the argument of Hivercon speaker Richard Thieme, a consultant
who is also contributing editor for Information Security Magazine and
a regular speaker at the Black Hat Briefings and DefCon, the
well-known hacker conferences. Thieme says some of these cases are
legitimate causes for concern, but that usually, cyberterrorism is a
sideline affair.

"It's a lot easier to blow up a pipeline in the middle of nowhere than
it is to hack your way in over a computer terminal," he says. "A
single car bomb in the right place in Wall Street, in conjunction with
the events of 9/11, would have taken out the US financial system. Not
a hack."

Such "force multipliers" can make a terrorist attack a great deal
worse. "Using hackers in conjunction with real world events would have
more impact, but just bringing down a web server does not," he says.  
Cyberterrorising is more often than not directed at opposing groups,
rather than governments.

In the Israeli-Palestinian battle, criminal hackers, or "crackers", on
both sides are constantly attacking one another's web sites. A
Pakistani cracker once stole the credit card numbers of members of a
pro-Israel lobbying group and posted them online.

Indeed, it is the Middle East and the Indian sub-continent, not
western Europe, that have often been at the forefront of official
attempts to block techno-terrorists.

Last week, Indian mobile phone companies were facing the prospect of a
government plan to tap into SMS (short messaging service) mobile mail
services to combat malicious hackers. And last year, the Yaha virus
emerged to launch a rudimentary denial of service attack on the
Pakistan government's website. But since then, computer hackers have
reverted to type - going for corporate systems in the main.

According to Synstar, an information security company, 1,057 corporate
organisations were hacked in September - a five-fold increase over the
previous year's 225 attacks.

Thieme is one of the first to admit that the internet - the ultimate
"network technology" - helped create the events of September 11.  
Although America's intelligence communities were well aware of the
threat posed by small bands of fundamentalists before 9/11, "it
brought home to them that the way power is distributed has been
changed by network technology", says Thieme.

In fact, in common with Simple Nomad, he points out that the US itself
is capable of the biggest acts of cyberterrorism. "The US has enough
electronic warfare capabilities in its own right. High power
microwaves can knock out command and control centres. It's not
necessary to just hack the enemy's network. We did this in Kosovo, and
in Iraq."

"Ultimately, the idea of a cyber Pearl Harbor is pure hype. The
surrender of some liberties in the name of security is about physical
security and terrorism, not cyberterrorism, which is a less important
subset. People are much more worried about dirty bombs and gas
attacks."

Thieme argues that the true cyber threat does not come in the
traditional form of the disaffected hacker located in a remote
country, but the insider - the guy who already knows all the passwords
and works inside the system.

"The next stage for technology is true globalisation. We'll see a
single kind of flexible interface develop which unites all societies.  
So the biggest threat to society is an insider who uses our own
technology like an insider - just as happened on 9/11."

In the final analysis, however, hackers saying they are not going to
get involved in cyberterrorism is not going to be enough to call off
the dogs and halt the data clampdown, even if some of the most
sensitive systems are not directly connected to the internet.

Jason Hart, head of security with consultants says: "As far as we
know, no one has died as a result of the work of a hacker, but we'll
never know the true answer because of the nature of hacking.

'Good' hackers don't leave any trace of their incursion into a system.  
So, for instance, someone could hack into an airline system to change
the weight allowance on an airliner's payload, causing the plane to
crash on take-off or landing.

"Everyone is aware of the physical threat to, say a reservoir, but at
the end of the day, that threat has to be checked using computer
systems, which are vulnerable," says Hart. He points to evidence that
drug cartels have employed hackers to do such things as fooling
banking systems to take a pound every month from 20,000 individual
credit card accounts.

"You can hide the fact that a pound goes missing and use that money to
fund more hacking. Terrorists could use this model to fund their own
activities." "The biggest threat is ignorance - people believing it
will not happen to them."



-
ISN is currently hosted by Attrition.org
