From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 13 Dec 2001 06:05:50 -0800 (PST)
Subject: [iwar] [fc:Cyberterrorism:.Reality.or.Myth]
Message-Id: <200112131405.fBDE5oC20773@red.all.net>
Reply-To: iwar@yahoogroups.com
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Organization: I'm not allowed to say

Cyberterrorism: Reality or Myth
By Paul Coe Clark III (mailto:paul_clark@ziffdavis.com)

The results of a (highly unscientific and selective) poll on the state of cybersecurity are in. The results: cyberterrorism threats are greatly overhyped -- but a concerted cyberattack, exploiting vulnerabilities yet unknown, could have a severe impact on U.S. networks and businesses. In other words, we're where we were Sept. 10 on the issue of domestic terrorism -- it seems unlikely that a massive attack could be mounted successfully, but the unlikely can break out of that category to become dreadfully real, as we discovered Sept. 11.

"Poll" is perhaps the wrong word -- that opinion was the consensus of four high-level Internet and computer-security experts at a panel discussion I attended Thursday at the National Press Club. The event, moderated by Declan McCullagh of Wired News, featured experts from the Department of Justice and Net-security firms Riptech, Shadowlogic and Predictive Systems. The audience mainly consisted of execs and admins at companies worried about security, with a sprinkling of policymakers and reporters.

Also mixing with the audience was Kevin Mitnick, who became probably the most famous computer cracker in the country when he led the FBI and security researcher Tsutomu Shimomura on a two-year chase that resulted in his arrest in Raleigh, N.C. Mitnick, now free after serving a 60-month sentence, hosts a radio show in Los Angeles. Here's Mitnick's Web site: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPN0A3

Panelist Tim Belcher, CTO and co-founder of Riptech, a company that does, among other things, penetration testing, provided the most worrisome statistic of the evening.
His company is hired as a tiger team to try to penetrate the weaknesses of corporate networks, so that they can be fixed. What's a tiger team? Find out here: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPO0A4

"Our success rate is almost perfect at breaking into these computers over the Internet," Belcher said. Less than 2 percent of those penetrations are detected by the administrators of the targeted networks, he said. Here's Riptech's spiffy site: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPP0A5

All on the panel agreed that computer intrusions break down into several categories, from the trivial (one panelist said that the #1 reason for intrusions is to store pirated MP3 files), to the not-so-trivial (implanted zombies for denial-of-service attacks, viruses and worms that cost millions to clean up after), to the serious (corporate espionage, identity theft and terrorism). Most attacks fall in the trivial category, although the viruses and worms have gotten the most press. Serious attacks are comparatively rare, but have the potential to cause the most damage.

With security firms selling billions of dollars of software, firewalls, and the like, why are we not more secure? Opinions varied. Christopher Painter, deputy chief of the DoJ's Computer Crime and Intellectual Property Section, said that firewalls are good, but companies must plan for what to do when an attack takes place. Do you take machines down? Do you have a plan to collect evidence for prosecution? Do you archive security logs? Here's the CC-IP section's site: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPQ0A6

"Too often, they don't have a plan to deal with it at all," Painter said.
Richard Forno, CTO of Shadowlogic, placed the blame squarely on software manufacturers, particularly Microsoft, whose software has been used for the most damaging attacks, both because of its market dominance and because of software-design decisions that don't consider security. The chief problem is "our continuing blind dependence on Microsoft operating systems," he said. Here's Shadowlogic's site: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPR0A7

Microsoft's boneheaded design choices (my top examples would be activating Windows Scripting Host, which few people use, by default on millions of machines, and making attachments executable automatically in Outlook Express, and manually in Outlook) are only a symptom of a larger problem -- customers demand features, but rarely demand security -- at least near the top of their wish list.

"The reason computer software is not secure is because no one is demanding security," said Mark Rasch, VP of cyberlaw at Predictive Systems. Here's the Predictive Systems site: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPS0A8

Rasch, however, sees the potential for "cyberterrorism" - that is, massive, deliberate damage by a foreign state or terror group, rather than garden-variety intrusions - as low. "The threat of terrorism is a very, very small threat," said Rasch, who nevertheless added that, before Sept. 11, he would have considered the chance of terrorists crashing airliners into the World Trade Center quite small.

The ongoing debate in Washington now is how much computer security should be a technical issue, and how much a legal one. In other words, does the responsibility for security fall on network admins, or do you beef up criminal and civil penalties as a deterrent?
Congress has clearly been leaning toward the second path since Sept. 11.

The other debate taking place is nothing new -- it's the age-old networking debate on whether to hide (in government terms, classify) computer-security weaknesses -- long a Microsoft tactic, although the company has increased its security-weakness reporting in recent years -- or whether you publicize them heavily, so that they can be fixed. Here's CERT, one of the best resources for finding weaknesses and patch reports: http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0bgf0Ao

Forno opted for the first option, calling for a policy of "D3" -- "declassify, demystify, diversify." Make government info on potential threats available to companies, even if it's classified. Demystify the weaknesses and the ways to patch them. Use multiple types of software, so that one virus or attack replicates more slowly. "Classification is a power play," he said.

While Microsoft has always leaned toward releasing no exploit report before its time, *NIX and open-source developers have always leaned toward publicizing weaknesses quickly, and pushing to get them fixed.

What is clear in Washington is that penalties for intrusion are being increased -- and as we saw with the "USA-Patriot" antiterrorism act, old-style crackers are in danger of being conflated with terrorists. Painter pushed for an outlook that considers the amount of damage, rather than the motive of the cracker. "It really doesn't matter to the victim of these attacks what the motivation of the attacker is," Painter said.

So far, there has been no major, concerted network attack with a terrorist aim. The panel varied widely in its opinion on the likelihood of one in the future. I'll give you two quotes -- take your pick:

"Cyberterrorism, in my opinion, is an over-sensationalized myth," -- Forno.
"The bad news is that no one is going to take Internet security seriously unless there is a global, catastrophic failure. The good news is that there is going to be a global, catastrophic failure." -- Rasch.

------------------
http://all.net/
This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST