Computer Crime Research Center

Cyberterrorism: fear factor

Date: July 20, 2004
Source: The Age
By: Ben Wyld

For two months during 2000 he pumped hundreds of thousands of litres of raw sewage into public waterways north of Maroochydore. Engineer Vitek Boden, who had quit his job at Hunter Watertech - the supplier of Maroochy Shire's remote control and telemetry - was using his expertise to try to get a consulting job with the shire council to clean up the pollution he was causing.

His scam wasn't discovered until April 2000. Using a stolen computer and radio transmitter, Boden had set his car up as a remote command centre for sewage treatment along the Sunshine Coast.

Maroochydore District Court found Boden guilty of 30 charges of computer hacking causing serious environmental harm.

Though Boden may have had an individual agenda, his activities - theoretically - could just as easily have been carried out by operatives backed by a terrorist organisation.

As the rate of cyber attacks continues to rise, the once fanciful notion of cyber terrorism is looming larger than ever.

Largely the stuff of Hollywood films, cyber terrorism - politically motivated attacks intended to shock and terrify - has long been identified by security experts as a possible future conduit for terrorist groups.

An Australian terrorism expert, Clive Williams, director of terrorism studies at the Australian National University, says intelligence projections over recent years have consistently assessed a high risk of future terrorist cyber attack.

Though there are no known examples of cyber terrorism, Williams believes it is only a matter of time before terrorists engage in cyber-related activities.

"There is certainly the potential for terrorists to cause chaos and casualties by, for example, taking down the traffic control system at a busy airport," Williams writes in his book, Terrorism Explained (New Holland).

And with escalating rates of cyber attack and "hactivism" - politically motivated attacks on "enemy" information systems - that day could arrive sooner rather than later.

Computer security firms acknowledge a dramatic increase in malicious cyber attack activity in recent years. A British research firm, mi2g, estimates the cost of lost productivity from attacks in 2003 at $113 billion.

Local estimates, according to the 2004 Australian Computer Crime and Security Survey of more than 17 private-industry sectors and all tiers of government, found that average annual losses for electronic attacks had increased to $116,212 an organisation.

Vincent Weafer, the senior director of security response at US company Symantec, says virus worm activity, which includes the recent Slammer, Blaster, and Sasser worms, has increased 600 per cent in the past two years.

"What we have is a significant increase in various forms of cyber attack activity, particularly reconnaissance with people using mostly scripting tools," Weafer says. "They're looking for exposure and vulnerability in machines that they can steal information from."

And for owners of unprotected machines - ones without passwords, user names, anti-virus software and personal firewalls - that can happen in a matter of seconds. It used to be that PCs could be compromised within 15 to 20 minutes, but now, Weafer says, "It's less than six seconds."

"It's not who you are, but what you are ... you're an asset," he says.

Or rather a "zombie", according to David Perry, global director of education for Trend Micro. He explains that owners of such compromised machines are often unwitting participants who are used to launch global denial of service attacks - the most common form of cyber attack - against designated targets.

"A large number of computers, or 'zombies', are turned by a rogue program, usually against the knowledge of people, and the devices ask repeatedly for service from another computer," Perry says. "With 10,000, or however many machines, just saying hello to the server ... that's 2 million requests per second."

The result is a shutdown of service where the target suffers massive financial damage. Perry says the best example of how devastating a denial-of-service attack can be happened in February 2000 when a 15-year-old Canadian, known as "mafiaboy", launched a denial-of-service attack that shut down sites including Yahoo!, Amazon, etrade, eBay, Dell and CNN.

The cost was counted in "billions of dollars", Perry says. But it would seem that the focus of hackers and virus writers is shifting from inflicting damage to profiting.

In recent months, Weafer says, compromised machines have been used to launch denial-of-service attacks on online gaming and betting sites, effectively holding them to digital ransom.

And though there are only anecdotal reports that some hackers and virus writers offer their services for hire, Weafer says: "There is definitely buying and selling going on of compromised machines."

So if hackers are selling their banks of "zombies", the question remains: who is buying them, and why?

Both Weafer and Perry say it is difficult to know whether terrorist groups are gearing up their cyber attack capabilities, but both admit there are known vulnerabilities in critical infrastructure, which includes power, energy and financial services.

And there is already evidence of such vulnerabilities being exposed.

In 1997, the US National Security Agency simulated a cyber terrorist attack with 35 hackers who hacked into Department of Defence networks, shut down sections of the power grid and 911 emergency service, and even "hacked" into a navy cruiser's systems.

In Japan, during 2001, some of the 24 million users of DoCoMo's i-mode mobile phones - which provide a permanent internet service - had their handsets taken over by a malicious programming code delivered by email.

Once the email was opened, the code directed the phone's software to dial "110" - Japan's emergency hotline number. The mass numbers of phones dialling the emergency number caused the system to shut down.

In his book, Williams outlines a California police investigation during 2002 of a suspicious pattern of surveillance against Silicon Valley computers.

"Unknown persons in the Middle East and south Asia were exploring the digital systems used to manage bay area utilities," he writes.

"Emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities had all been examined."

Though some of the probing suggested planning for a conventional attack, digital devices that would allow remote control of some services - in a similar way to what Boden did - were also examined.

At the time, Williams writes, Ronald Dick, director of the FBI's National Infrastructure Protection Centre, reportedly said: "The event I fear most is a physical attack in conjunction with a successful cyber attack on the responders' 911 system or on the power grid."

Perry, however, believes cyber attacks are more likely to be in the nature of sabotage and espionage. Computers are more likely to be used to obtain information to be used in an act of terrorism, rather than used to commit such acts - though he doesn't rule out the possibility.

Perry is adamant, however, that should a group of people launch a cyber attack, there is "a community of people" working to identify threats and sew them up as quickly as possible.

He says: "Every sort of thing one might imagine happens in the regular world of espionage happens with hackers."

Which involves, he says, counter-hackers, surveillance of known hacking and virus-writing groups, and gathering intelligence. And while some hackers and virus writers do, on occasion, email code to computer security companies to highlight programming flaws, computer security companies are quick to point out they do not engage in a working relationship with such people.

"When you're working with the customer and building a long-term relationship built on trust ... do you really want a group of people with a suspicious past on your staff?" Weafer says.

The battle then, both experts say, is to better educate people about possible internet dangers and the importance of information as property.

So-called "script kiddies" - aspiring hackers who don't yet have the experience to write code - are more often than not responsible for unleashing malicious code.

While writing the code - which is often found posted on hacking and virus-writing group websites - is not illegal, releasing it is.

Home users and small businesses should protect themselves against attack by ensuring they follow basic security recommendations.

Perry says the other two "legs of computer security" include developing more effective gateway security products and more secure operating systems.

Inevitably this involves examining the responsibility of regular cyber whipping boy (and market leader) Microsoft, whose vulnerabilities are exploited by hackers and virus writers.

The problem, Perry says, is that rebuilding the operating platform involves examining some 450 million lines of code - a complex task.

In correcting loopholes it is difficult to know whether new flaws are being introduced, he says.

And regardless of whatever upgraded protection and improved education measures are put in place, there will always be a hacker or virus writer looking to cause mischief.