/Security/ Hacked off

19/07/2006 | Filed under Discover > Security

Security experts have warned of an ‘electronic Pearl Harbour’ for years, but very few of us take digital threats seriously. .net’s Oliver Lindberg reports on what’s being done to protect us from the threat of cyber terrorism and discovers how to take a proactive approach to self-preservation online.

At the beginning of the year the US government tried to hack into some of the UK’s key computer systems as part of a massive war game to test the nation’s vulnerability to cyber attacks. In different exercises held over the last few months, the US military and various universities challenged the security skills of cadets and students. But how useful are these competitions? And how much do they reflect threats experienced in the real world?

Operation Cyber Storm was a week-long exercise that imitated the effects of a large-scale online attack and involved more than 100 public and private agencies, banks, power stations and IT companies such as Microsoft, Cisco and VeriSign. It was carried out by the Department of Homeland Security and supported by the UK’s Ministry of Defence and National Infrastructure Security Co-ordination Centre (NISCC, www.niscc.gov.uk) – a part of MI5 that works towards minimising the risk of an electronic attack in the UK. For the simulation, different scenarios were played out, including hackers trying to shut down electricity in ten states. A full report on the results is expected later in the summer but Cyber Storm is believed to have caused only a small amount of disruption. The Home Office has confirmed that similar exercises are planned in the UK but no details have been announced yet.

Universities and military academies across the USA have also recently tested how capable their students were in defending networks against intruders. The sixth annual Cyber Defense Exercise, sponsored by the National Security Agency (NSA), saw midshipmen and cadets battle against security experts from the NSA in a simulated cyber war that was won by the Air Force Academy. The blue teams were asked to prevent their networks from being compromised by the red team, who, for example, sneaked into systems to add users that could enable unauthorised access. In one instance, the NSA hackers managed to shut down a computer guarded by a team from the Navy, leaving behind only the blue screen of death. The participants were graded on how well they responded to the events, how well they managed to recover from an attack and how fast they got the system up and running again. Kevin Hicks, a cadet at the US Military Academy, says: “We had to change our network structure at the last second to meet the requirements laid down by the White Cell [the referees]. The new structure included a new router that the network engineers were still configuring when the exercise started. Unfortunately, the enemy was able to break into the router and change the configuration password before we could. We got locked out of our own router.”

Defending the nation

The service academies also participated as a joint team in the first National Collegiate Cyber Defense Competition, which featured five winning teams from regional preliminary rounds held between universities across the USA. The competition was hosted by the Center for Infrastructure Assurance and Security at the University of Texas. As its director, Greg White, explains: “The competition provides an environment for the students to test their knowledge and skills. The teams are to maintain the network and keep its services, such as web site and mail server, running. They’re also responsible for securing the networks in the face of a hostile force of attackers.”

Exercises like these are meant to reflect the real world as much as possible. “Students frequently want to take a system down in order to secure it,” White says, “but if this system is the one running web services for a company, the company may not allow it, since losing it may mean a loss of revenue. Administrators are thus required to secure systems while maintaining their operational status – a tricky endeavour.” This competition doesn’t focus on a possible cyber terrorist attack then, but rather the types of attacks we face on a daily basis.

Does cyber terrorism exist?

Despite dire warnings, security experts are divided over the threat posed by cyber terrorism. Steve Nice, technical director at IT support solutions provider, ForLinux (www.forlinux.co.uk), says: “In my opinion there’s a very low risk. As stated in many reports, there has not been a successful attack recorded. This may be due to the definition of ‘cyber terrorism’. For the layman it conjures images of Arabs huddled over a keyboard, shutting down power grids, crashing aircraft and opening dams. In theory it’s possible, but in reality it’s not.” Bruce Schneier, security guru and founder of Counterpane Internet Security (www.counterpane.com), has preached for years that government officials are abusing the term ‘cyber terrorism’ to fuel their budgets. In his opinion, reports on Al Qaeda hacker Irhabi 007, for example, have been blown out of proportion. “Irhabi 007 is no more a cyber terrorist than you are a cyber reporter. He was a terrorist who, like everyone I know, makes use of the internet to do his job. Cyber terrorism is largely a myth. Cyber crime is the real threat.”

That’s why cyber security exercises are still important. Cyber crime is happening every day. “The single best way for an organisation to be prepared is for them to fight themselves by having Tiger Teams constantly trying to break security in the most original ways possible,” says Drew Copley, research engineer at eEye Digital Security (www.eeye.com). “In the real world, we don’t have to worry about known attacks. What we do have to worry about are attacks unknown to us.” Also, while mass worms are possible, the real threat lies in critical intelligence that’s gained through hacking. Copley explains: “If someone hacks a nuclear facility network, it’s unlikely they can cause the facility to blow up. However, it’s very likely that they can get intelligence about that facility that can later be used to mount a physical attack.”

Russian mafia

Robert Chapman, co-founder of the Training Camp (www.trainingcamp.co.uk), which runs ethical hacking courses on how hackers think, told .net how financial institutions are constantly being threatened by the Russian mafia. Some online gambling sites actually paid up ransom money because criminals threatened to bring down their sites, which would obviously be a financial disaster for them.

Regardless of warnings, most businesses are still not prepared enough for attacks. “Security has always been a tough sell,” Oxblood Ruffin, a member of the Cult of the Dead Cow (www.cultdeadcow.com) admits. “Putting money into security resources is like buying insurance. It’s not sexy, but it’s necessary. Anyone with a broadband connection and a computer that’s ‘always on’ is part of the problem. So it’s important to do basic things, such as having up-to-date antivirus software and a firewall. These are basics that anyone should exercise, from bottom to top.”

The Training Camp’s Robert Chapman agrees but points out that it’s not enough to concentrate on security devices and software. “There was a study recently that found that 70 per cent of all security breaches inside an organisation are people-related,” he explains. “The human element is the weakest point in the link because of people’s greed or vulnerabilities.” In the aftermath of Hurricane Katrina, for example, cyber looters took advantage of the public’s desire to help and siphoned money from generous donors through mock charity sites.

To test this, the Training Camp recently conducted an experiment where they gave out 100 CDs around Liverpool Street Station in London. The CD promised it would take users to a web site where they could win a trip to Paris. The CDs, however, reported back via IP logging. Around 70 per cent of the discs, which could have come with all kinds of nasties, were put into machines by people at work, including two household insurance companies and a retail bank that’s in the top four. “That was just a simple bit of social engineering,” Chapman says. “It’s a top four bank and their security was bypassed by somebody just physically putting the CD in their briefcase and walking through the door.”

So, wherever the threat is coming from, whether it’s actual terrorists, the Russian mafia or just bored teenagers, we need to be properly protected. Cyber security exercises are a good idea no matter whether they’re run by the military, university, businesses or home users. If we don’t constantly test our security, someone, somewhere might find a hole – and then it’s too late.

 
