Roger's Security Blog : Terrorism

Paper on Information Warfare

rhalbh — Thu, 09 Jul 2009 09:27:07 GMT

I often see a lot of discussions on Information Warfare. Today I just stumbled across a paper published by RAND called Strategic Information Warfare – A New Face of War – from my first impression definitely worth reading

Roger

After Estonia now Kyrgyzstan

rhalbh — Fri, 30 Jan 2009 15:49:52 GMT

There is definitely proof that during war times, armies add a virtual component to the “real life” war.

Additionally we have seen the attacks to Estonia, where nobody really knew where they originated from (I do not mean the country but whether a government was behind them of just a group of hackers).

Now, we see attacks on Kyrgyzstan – a country completely knocked off the Internet and this is scary! Think about the country you are living in: What would happen if you would be taken offline for a day – what would be the economical impact?

I quote from the article below:

Beyond the immediate effect on Kyrgyzstan, what's worrisome to Jackson is the speed with which this attack was mounted. "To put some perspective on this, it's been an escalating pattern from Estonia to Georgia to here," he said, referring to the 2007 and 2008 attacks against other former Soviet republics. "The attacks are more closely coinciding with events that are core to the Russian interest, with increasingly fast response and quick mobilization.

"When it once took days or weeks, now we're seeing it within hours," Jackson said.

Russian 'cybermilitia' knocks Kyrgyzstan offline

Cyberterrorism is definitely something we have to have a look at in the near future!

Roger

How to circumvent Privacy Laws

rhalbh — Wed, 20 Aug 2008 10:10:54 GMT

As you all know, most jurisdictions allow individuals to ask for data collected by an organization (being it a company or a governmental organization). A lot of countries have Data Protection Commissioners that look into what companies and more often governments do with regards to PII (Personal Identifiable Information). After 9/11 the United States forced airlines to violate the local Privacy Legislation as the airlines had – if they wanted to fly to the US – deliver PII to the US (mainly information in the Passenger Name Record), which then had to be accepted by the Data Protection Commissioners as they would kill the airline business if the airlines would not be allowed to do so. So, the US seems to have the power to make companies violate the laws – the background is the fight against terrorism.

Now they even go a step further by circumventing their own legislation: According to Federal Computer Week (Analysis tool exempt from some privacy laws) the DHS developed a system to collect and analyze data collected by immigration and customs. Even worse, they seem to correlate data from different sources: DHS-internal sources as well as commercial databases. The key point is that they decided to exclude this system from several Privacy Acts. Therefore you will not be able to look into the data they collect and make sure it is accurate. If the article mentioned above is correct, it really scares me. Look at that:

The information contained by ICEPIC can include names, dates of birth, phone numbers, addresses, nationalities, fingerprints, photographs, a person's immigration history and alien registration information, according to DHS. Agents and analysts can also use commercial databases to verify or resolve any gaps in ICEPIC data.

So, they start to analyze and if some data points are inaccurate there is no way for you to know and most probably no way for you to make them correct it – scary, isn't it?

Roger

SANS Commits $1 Million to Fight Cybercrime in Developing Countries

rhalbh — Sat, 24 May 2008 17:25:21 GMT

You know that I criticize SANS from time to time. Especially when it come to their handlers, I am convinced that they are creating the problem rather than solving it.

This time I have to say that I am impressed as they are helping developing countries to help to fight Cybercrime. This is as "we are all in this together". As I say often, that we have to collaborate and build partnerships in order to fight the criminals.

Read the announcement by SANS: SANS Institute Commits $1 Million for Joint Cyber Defence Program with International Multilateral Partnership Against Cyber-Terrorism (IMPACT)

Roger

Analysis of the Estonian Attacks

rhalbh — Wed, 21 May 2008 19:25:01 GMT

I just read a paper on the political analysis of the Estonian Attack. If you are interested reading my post on my other blog (as the analysis is not really technical but interesting) there you go: Analysis of the Estonian Attacks

Roger

How long does it take to hack a Power Plant?

rhalbh — Mon, 14 Apr 2008 22:19:00 GMT

I start to get scared – more and more. Back in September I blogged on Critical Infrastructure Protection – Live which shows what would happen if somebody would be able to tamper with power generators. Now, during RSA there was a guy called Ira Winkler telling the audience that they had the job to do a penetration testing on a power company network and that they got in in a day. I do not think that this is surprising especially as part of their successful attack was using social engineering techniques (which the attackers usually do heavily) but it is still very, very scary! It is said that they gained access to the grid. The question is – how far. Read it yourself.

Roger

Analysis of Cyber-Terror

rhalbh — Thu, 13 Mar 2008 13:21:06 GMT

The US Military just released a pretty interesting in-depth article on Cyber-Terrorism and the different aspects of it. Even though it has a little bit more than 40 pages, it is worth reading: Cyber Operations and Cyber Terrorism

Roger

DHS Security Level on your Webpage

rhalbh — Sat, 01 Mar 2008 07:24:21 GMT

A blog reader sent me a mail informing me that he wrote a small application that links the DHS security level to your webpage. I added it to my news section and it looks pretty interesting. If you want to do that as well, here is the link: http://www.milestactical.com/hlsa.html

Thanks to Justin Hofer, making this available to me

Roger

How critical are the Undersea Cables?

rhalbh — Fri, 08 Feb 2008 13:05:00 GMT

OK, I think I need to take this up a little bit as well. Let's look into what happened over the last few days. I think up to now we ended up with five cables cut in the Middle East. So, there are a lot of theories who was actually damaging those cables. The best one comes from WSJ J

But there were a few pretty remarkable things: One is a statement I found in article about these cables. It is from Stephan Beckert of TeleGeography:

He said there are approximately 50 cable cuts a year, 65 percent of which are due to fishing trawlers dragging heavy nets and 18 percent of which are due to ships' anchors. "They don't even track terrorism," he said. "Cable cuts are a routine part of the business."

So, it is even a question whether this could not have been really business as usual and just the press and the bloggers taking it up.

The second thing was that it does not seem to me that any of the Critical Infrastructure bodies I know of got really nervous. How far would a critical infrastructure be hit if a region or a country would have been cut off the Internet? Well, for water, power etc. it would probably not be a real problem. What about the rest? In a lot of countries the banks are part of the critical infrastructure as they are critical to public wealth. If they lose international connectivity, this would be a serious problem. The same is true for a lot of businesses but for the perspective of the national critical infrastructure? I doubt.

Roger

Was the plain crash caused by hackers?

rhalbh — Thu, 24 Jan 2008 10:47:00 GMT

If Al Qaida really has these capabilities, I am starting to get scared when I have to fly (which happens to me pretty often): There are reports that the plan crash last week could be caused by hackers attacking the plane before take-off in Beijing…. Al-Qaida ties to British crash probed

Roger

What is more important: Security or Privacy?

rhalbh — Thu, 17 Jan 2008 10:40:50 GMT

This is basically a very interesting and pretty fundamental question for the society. After 9/11 the US changed the way they work significantly. Just as an example: Airlines had to give the US government information about passengers flying to the US that actually violate the privacy laws in Europe. So, the decision had to be made: Either you violate the laws or you do not fly to the US anymore… What do you do now? Well, the Data Protection Officers actually had to give in.

So, if you look at it from a broader perspective: It is pretty natural that National Intelligence as well as Law Enforcement is looking for as much information as possible to fight crime. And I guess, that successful Law Enforcement and Intelligence Services is something we all would like to have – we want them to protect us. But what are we willing to pay? How far are we letting them invade our privacy? This is the key question and something there is no one answer for.

If you look at this article US spy chief puts security over privacy compared to the comment I made in 2-year old terrorist, it really scares me. I see the dilemma we are in – no doubt. And to be completely honest: I am not sure how far I want to let my privacy go for the sake of my security. I am living in a very safe and secure country – in Switzerland. However I know that the National Police has to work hard to keep it that way. So probably it is as always: As long as nothing happens to me personally, I fight for Privacy. As soon as something happens, I want as much Security as possible.

A problem we all know, don't we: Nobody wants to pay for security but as soon as something happens…

Your view?

Roger

2-year old terrorist

rhalbh — Wed, 16 Jan 2008 10:43:15 GMT

Well, this is not new: Government agencies with insecure websites. Actually I did not want to blog on this (you find the article about an insecure TSA-website here) but then I drilled into the comments and there is one that actually shocked me (well, no, this is wrong it did not even surprise me but it shows the success of the fight against terror of the US):

My two-year-old is on the list (this is the no-fly-list we are talking of here). After I found that out on a family trip, I lost the last ounce of faith I had in the system. The ticketing agent said he will always be on the list and will always be flagged for secondary screening for the rest of his life. I just laughed since I am pretty sure this security won't last too long.

It is amazing: DHS is able to tell that you are becoming a terrorist even at the age of 2!

Roger

Fight against Terror and how it can be abused

rhalbh — Tue, 06 Nov 2007 22:14:00 GMT

I am not completely clear how much a lot of the measures we see (like the fluid restrictions on planes, the forced violation of privacy laws by airlines by having to transmit PII to the US, ...) really bring.

On the other hand we definitely see some pretty weird things happening as any suspicion seems to lead to serious consequences. Read this article I found today: Man angry with son-in-law fingers him as terrorist to FBI

Roger

Rumors about Cyber-Terror Attack, November 11th

rhalbh — Thu, 01 Nov 2007 12:50:11 GMT

This is an interesting phenomenon on the Internet: There is one source publishing the statement that they picked up an Internet announcement by Al Qaeda that they will start a cyber attack on November 11^th: DEBKAfile Exclusive: Al Qaeda declares Cyber Jihad on the West. From there on the blogsphere went ballistic (the article was published October 30^th). If you search for it, you will find quite a lot of articles and blog posts referring to the DEBKAfile site. Nobody actually really questions the source. I am definitely not in a position the quality and depth of this information as I do not have enough experience with DEBKAfile at all. It is just interesting to see how information spreads without really thinking twice about the trustworthiness of the source.

As you know, I wrote already several times about Cyberterrorism and there is definitely a certain probability that something like that might happen and that it might even happen on November 11^th. However, I think that a certain level of skepticism is always good to have unless the information is proven by a second on third source.

Roger

Analysis of the cyber-capabilities of AlQaeda

rhalbh — Mon, 01 Oct 2007 22:55:41 GMT

I blogged already several times about Cyber-Terrorism. I think it is important to try to keep the pulse of these developments and to understand what the terrorists are capable of doing. There is an article about a recent event, where somebody tried to gain information about certain devices that ware critical for the critical infrastructure and the possible consequences: Cyber-Attacks by Al Qaeda Feared – pretty scary, I tell you.

But much more interesting is the analysis based on different interviews on the capabilities and about what the counter-terrorists found on the notebook of terrorist. This is pretty interesting to read: What are AlQaeda's Capabilities?

Just a few quotes:

Richard Clarke (former Whitehouse Cybersecurity Advisor): We, as a country, have put all of our eggs in one basket. The reason that we're successfully dominating the world economically and militarily is because of systems that we have designed, and rely upon, which are cyber-based. It's our Achilles heel. It's an overused phrase, but it's absolutely true.
It could be that, in the future, people will look back on the American empire, the economic empire and the military empire, and say, "They didn't realize that they were building their whole empire on a fragile base. They had changed that base from brick and mortar to bits and bytes, and they never fortified it. Therefore, some enemy some day was able to come around and knock the whole empire over." That's the fear.
John Arquilla (Associate Professor of Defense Analysis at the Naval Postgraduate School): What bothers me more than anything else, as I look at the data each year coming out of the various computer emergency response teams, is that hackers could do a tremendous amount more damage than they choose to do. This says to me the threat is real. We need to get our arms around it before people do get serious about making costly, costly disruptions a way of life. ...
John Hamre (Former US Deputy Secretary of Defense): Terrorists are after the shock effect of their actions, and it's very hard to see the shock effect when you can't get your ATM machine to give you $20. When we had this last worm or whatever it was, I went down to the bank, tried to get money out of the ATM machine, and I couldn't get any money out. Well, it was frustrating to me personally, but it doesn't translate in the same way that flying an airplane into a building does. So I don't think that it has the essential quality that terrorists are looking for, which is this startling impact on society.
Now if it's possible, for example, to have rolling blackouts in entire cities, that, of course, does have more potential implications. That was much more likely four and five years ago. But in all honesty, I think we've done a lot to warn ourselves about this. In almost every one of these people that run big utilities, there's always some guy in the back that knows how to turn off the computer and turn on the electricity again.
So I personally think that it's not likely to be a cyber terrorist event in the near term. But it's still a serious problem.

So, how real is it really?

Roger