[iwar] [fc:Cyberterrorism:.Reality.or.Myth]

From: Fred Cohen (fc@all.net)
Date: 2001-12-13 06:05:50


To: iwar@onelist.com (Information Warfare Mailing List)

Cyberterrorism: Reality or Myth

By Paul Coe Clark III
mailto:paul_clark@ziffdavis.com

The results of a (highly unscientific and selective) poll on
the state of cybersecurity are in.

The results: cyberterrorism threats are greatly overhyped --
but a concerted cyberattack, exploiting vulnerabilities yet
unknown, could have a severe impact on U.S. networks and
businesses.

In other words, we're where we were Sept. 10 on the issue of
domestic terrorism -- it seems unlikely that a massive
attack could be mounted successfully, but the unlikely can
break out of that category to become dreadfully real, as we
discovered Sept. 11.

"Poll" is perhaps the wrong word -- that opinion was the
consensus of four high-level Internet and computer-security
experts at a panel discussion I attended Thursday at the
National Press Club.  The event, moderated by Declan
McCullagh of Wired News, featured experts from the
Department of Justice and Net-security firms Riptech,
Shadowlogic and Predictive Systems.  The audience mainly
consisted of execs and admins at companies worried about
security, with a sprinkling of policymakers and reporters.

Also mixing with the audience was Kevin Mitnick, who became
probably the most famous computer cracker in the country
when he led the FBI and security researcher Tsutomu
Shimomura on a two-year chase that resulted in his arrest in
Raleigh, N.C.  Mitnick, free after serving a 60-month
sentence, now hosts a radio show in Los Angeles.

Here's Mitnick's Web site:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPN0A3>

Panelist Tim Belcher, CTO and co-founder of Riptech, a
company that does, among other things, penetration testing,
provided the most worrisome statistic of the evening.  His
company is hired as a tiger team to try to penetrate the
weaknesses of corporate networks, so that they can be fixed.

What's a tiger team?  Find out here:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPO0A4>

"Our success rate is almost perfect at breaking into these
computers over the Internet," Belcher said.  Less than 2
percent of those penetrations are detected by the
administrators of the targeted networks, he said.

Here's Riptech's spiffy site:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPP0A5>

All on the panel agreed that computer intrusions break down
into several categories, from the trivial (one panelist said
that the #1 reason for intrusions is to store pirated MP3
files), to the not-so-trivial (implanted zombies for
denial-of-service attacks, viruses and worms that cost
millions to clean up after), to the serious (corporate
espionage, identity theft and terrorism).  Most attacks fall
in the trivial category, although the viruses and worms have
gotten the most press.  Serious attacks are comparatively
rare, but have the potential to cause the most damage.

With security firms selling billions of dollars of software,
firewalls, and the like, why are we not more secure?
Opinions varied.

Christopher Painter, deputy chief of the DoJ's Computer
Crime and Intellectual Property Section, said that firewalls
are good, but companies must plan for what to do when an
attack takes place.  Do you take machines down?  Do you have
a plan to collect evidence for prosecution?  Do you archive
security logs?

Here's the CC-IP section's site:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPQ0A6>

"Too often, they don't have a plan to deal with it at all,"
Painter said.

Richard Forno, CTO of Shadowlogic, placed the blame squarely
on software manufacturers, particularly Microsoft, whose
software has been used for the most damaging attacks, both
because of its market dominance and because of
software-design decisions that don't consider security.  The
chief problem is "our continuing blind dependence on
Microsoft operating systems," he said.

Here's Shadowlogic's site:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPR0A7>

Microsoft's boneheaded design choices (my top examples would
be activating Windows Scripting Host, which few people use,
by default on millions of machines, and making attachments
executable automatically in Outlook Express, and manually in
Outlook) are only a symptom of a larger problem -- customers
demand features, but rarely demand security -- at least near
the top of their wish list.

"The reason computer software is not secure is because no
one is demanding security," said Mark Rasch, VP of cyberlaw
at Predictive Systems.

Here's the Predictive Systems site:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0cPS0A8>

Rasch, however, sees the potential for "cyberterrorism" --
that is, massive, deliberate damage by a foreign state or
terror group, rather than garden-variety intrusions -- as low.

"The threat of terrorism is a very, very small threat," said
Rasch, who nevertheless added that, before Sept. 11, he
would have considered the chance of terrorists crashing
airliners into the World Trade Center quite small.

The ongoing debate in Washington now is how much computer
security should be a technical issue, and how much a legal
one.  In other words, does the responsibility for security
fall on network admins, or do you beef up criminal and civil
penalties as a deterrent?  Congress has clearly been leaning
toward the second path since Sept. 11.

The other debate taking place is nothing new -- it's the
age-old networking debate on whether to hide (in government
terms, classify) computer-security weaknesses -- long a
Microsoft tactic, although the company has increased its
security-weakness reporting in recent years -- or whether
you publicize them heavily, so that they can be fixed.

Here's CERT, one of the best resources for finding
weaknesses and patch reports:
<http://eletters1.ziffdavis.com/cgi-bin10/flo?y=eNGc0DiJ3H0GAj0bgf0Ao>

Forno opted for the first option, calling for a policy of
"D3" -- "declassify, demystify, diversify."  Make government
info on potential threats available to companies, even if
it's classified.  Demystify the weaknesses and the ways to
patch them.  Use multiple types of software, so that one
virus or attack replicates more slowly.  "Classification is
a power play," he said.

While Microsoft has always leaned toward releasing no
exploit report before its time, *NIX and open-source
developers have always leaned toward publicizing weaknesses
quickly, and pushing to get them fixed.

What is clear in Washington is that penalties for intrusion
are being increased -- and as we saw with the "USA-Patriot"
antiterrorism act, old-style crackers are in danger of being
conflated with terrorists.  Painter pushed for an outlook
that considers the amount of damage, rather than the motive
of the cracker.

"It really doesn't matter to the victim of these attacks
what the motivation of the attacker is," Painter said.

So far, there has been no major, concerted network attack
with a terrorist aim. The panel varied widely in its opinion
on the likelihood of one in the future.

I'll give you two quotes -- take your pick:

"Cyberterrorism, in my opinion, is an over-sensationalized
myth," -- Forno.

"The bad news is that no one is going to take Internet
security seriously unless there is a global, catastrophic
failure.  The good news is that there is going to be a
global, catastrophic failure." -- Rasch.


------------------
http://all.net/ 




This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST