[Timesink]

This is a Washington Post article, click here to read it in full.

Warning: It's VERY long.

[Timesink]

Can moderators fix the "Author" field in article postings? I screwed this one up. Author is one Barton Gellman.

Thanks!

[Timesink]

Thurs., 11 a.m. EDT: Washington Post reporter Barton Gellman will be online to discuss this story.

[old-ager]

Because the digital controls were not designed with public access in mind, they typically lack even rudimentary security, with fewer safeguards than the purchase of flowers online

I have a marketing idea for the credit card companies. Facilitate putting security on such systems by wrapping them in a plain old e-commerce web front end. Then allow operators to log in using their credit cards. Charge the card, say, a nickel for each access. This way, all access is tracked by the credit card infrastructure. For discussion.

[sheik yerbouty]

If rthe jihadists are first destroyed, they can't carry out there nefarious plans! wake up America!

[Lockbox]

Counterterrorist analysts have known for years that al Qaeda prepares for attacks with elaborate "targeting packages" of photographs and notes.

We keep reading about 'visitors' seen taking photos of water installations, etc. Yet nothing is do since they are on 'vacation'.

Time to shoot first and ask questions later.

[Cachelot]

Timely, very timely. What can be done in this way is sort of mindboggling, if you pay some attention.

Goes far beyond the article and what they refer the intruders having looked at.

[dr_who]

Some people here must get an orgasmic high out of being afraid of claptrap that shows up in newspapers. Maybe if they're lucky, there'll be another asteroid on a collision course with Earth when CNN comes to terms with the arrival of another hot, dull August.

[daviddennis]

Fascinating article; thanks for posting it.

Seems to me we have to take these devices off the Internet without further delay. Either that or use iron-clad authentication protocols.

The use of cryptographic certificates for control of devices would probably solve this problem at reasonable cost.

D

[Prodigal Son]

I've been very puzzled why the terrorists haven't striven to do this type of thing. The only explanation I can come up with is they're idiots with a wanton lust for blood and killing. As the Devil's Advocate for a moment, sure, spectacular attacks on citizenry, military, and property look pretty impressive on television and I suppose if I were waging a terroristic war against an entire culture I would include them in my plans. But, really, these type (bloody) attacks serve to unite and strengthen the resolve of the people you attack and in that sense they are counterproductive.

A long, drawn out guerrilla war where the attacks were targeted at the infrastructure of the culture would be much more effective even if they weren't "sexy" to potential recruits. Just slowly bleed the culture's economy to death- this so called 'death from a thousand cuts'. Some items I would try to accomplish if I were in their shoes:

• Once a week phoney airline bomb threats that caused the evacuation of a different airport every time- this would cost the airline industry a hell of a lot of money
• Cyber attacks on important websites (sites with a lot of traffic)
• I would spread rumors that my org (again I'm playing the Devil's Advocate here) was going to start killing children's pets in quiet neighborhoods. I would make sure that children learned of these rumors (leave graffiti/anonymous notes at school yards) and then even go on a pet killing spree in at least one neighborhood to help fan the rumor. This would serve to spread a general feeling of unease among the population and perhaps cause children to be afraid to sleep or do poorly in school because of worry.
• I would try to link up with an enviro terrorist network and give them the know how to attack power plants and urge them to do so.
• Constant false alarms caused by leaving suspicious packages or dummy missiles near or in airports, train stations, public buildings and near schools- wearing down emergency response personnel and causing fear and unease
• I would blow up Mosques (even assuming I was Muslim) to cause a backlash against what the media would portray as "Racial Hate" from the Right- this would serve to divert the resources of the FBI as they investigated false leads.
• Cut power and telephone lines in remote areas where there was less chance of being caught- also, attack water mains and sewer systems.
• Pull up sections of train track in remote areas. Dynamite craters into roads connecting communities in remote areas.

These things and many more I would've expected the terrorists to do. Just general disruption of our way of life. It would be very costly monetarily- for the victim and would be generally low risks for the organization carrying these things out. I mean you could do a lot of damage to a smaller community by simply setting the local factory or mill on fire- putting a major employer out of action. There's no way a nation's security apparutus could successfully defend every single target in addition to guarding nuke plants, airports, water supplies etc etc. Maybe they are just stupid and stuck in a Middle Ages type mentality. But if you successfully attack and disrupt an enemies supply/support lines- you will eventually defeat him and I suppose I'm glad they have this mentality.

[lelio]

Instead of going for a direct attack, the terrorists could do something like find a hacker with a bunch of credit card numbers (like that one that supposedly had 300k of them from CD Universe) and publish them on the web. Pretty soon every krad d00d and his brother will try and use them, clogging up Visa's and MC's computers with bogus entries. Merchants will be leary of accepting any credit card. yada yada yada

[Dog Gone]

I haven't read the full article yet, although I will shortly. My initial reaction is that al-Qaida isn't this sophisticated.

They certainly didn't include computer courses at their training camps in Afghanistan. That's not to say that we aren't vulnerable at these spots or that terrorists won't eventually develop the expertise to attack us using cyberwarfare.

But this enemy hasn't proven themselves to be terribly sophisticated yet. They are bold, and imaginative. They are cruel and evil. But brainiacs? I don't think so.

[snopercod]

I'm sorry, in my opinion as an engineer this is just baseless hysteria on the part of the WP. Purely the kind of crap that sells papers and nothing else.

[concerned about politics]

They keep letting these people in on student visas to learn all about America and how it's systems work.
Who's in charge of this country, anyway?
Makes me wonder whether they really want to stop the terrorist. They don't seem to be trying very hard at all. They just keep opening the door for them.
I don't understand the logic.

[Bush2000]

By disabling or taking command of floodgates in a dam, for example, or of substations handling 300,000 volts of electric power

Any idiot who hooks up either of those vital systems to any other system connected to the Internet deserves to be shot.

[Cindy]

What we are doing to overcome our fears and taking charge of the terrorist situation is the BIG story!

[snippy_about_it]

Wow. That was long but worth the read. Scary, very scary.

[eno_]

This is baloney. Communication networks do have flaws, and the flaws can be exploited. But communication networks are not monolithic: different vendors' equipment have different flaws. It would be devilishly hard to mount an attack on a sufficient number of vulnerabilities at the same time. Our NSA might be able to bring down communications in, say, Iraq. But Al Quaida has no practical chance of causing more than one or two U.S. networks to have a temporary outage. Europe's Internet certainly did not fail when KPNQuest was unplugged. If we can survive Bernie Ebbers, Al Quaida hAx0rz have no chance.

What this is is a distraction from serious vulnerabilities like a bioweapon attack or a SAM attack on airliners.

[eno_]

Oh, and the thing about ASN.1 is just plain laughable and shows what fools the reporters are for letting themselves get spun that way. You could no more bring down a network with ASN.1 than you could a UNIX system with a bootleg copy of yacc.

[TheEngineer]

Just a few things to share with this thread, since it seems relevant...

My company manufactures control/telemetry equipment for municipal utilities, and we also author a great deal of firmware/software for this equipment. We have been very tuned into the security aspects of these control systems for years now. As you can imagine, we are focused upon this more now than ever.

Have suspicious arabs shown an interest in these systems? Yes. Homeland Security had heard of some inquiries, and they sent us a fax this past winter to be on guard. Also, our company was approached once. A few years ago, a saudi requested detailed information on our control system via email; and we responded with the standard brochures (nothing sensitive). Didn't think much about it at the time, and deleted the email long ago. Also, he didn't like my "foreign business policy"... foreigners pay in advance :-)

This summer, we also observed a man making inquiries to an internet programmers newsgroup targeted toward web server programmers/administrators on Windows platforms. All of his requests focused on finding ways to break into web servers such as Apache, IIS, and Netscape. It became very apparant when looking at all of his posts as a whole. We found that his ip address is in the united arab emirates, and then we notified the FBI with the info. (don't know if they pursued it further.)

Do I think they will hit our water and power supplies? Not really. I have yet to see them take any action which is not based upon killing a lot of people.

Shutting down computerized water pumping stations will not even run people out of water. First, most water systems have a large amount of pressurized storage (water up in the water towers). Second, every piece of industrial equipment that I have ever seen always has "manual" controls in addition to the computers. Could they poison a water supply? Does anyone know how much poison it would take to overcome the dillution of 10's of millions of gallons in a water system? Not likely to happen. Anthrax in the water? The chlorine would kill it. Worst case scenario with water: some people get sick, no deaths. Best case scenario: alqaeda gets shot by the neighbor who lives next to the water tower.

Dam control system disruptions? The filling/emptying of a dam is a VERY slow control processes. "Manual" override would be instituted far in advance of any repercussions.

Power? Power is a lot more vulnerable, because there is no "storage" within the system (as with water). Even a short disruption would be noticed. And power is everything. Actually the best way to shut down a water system is to shut down its power. And why attack the power grid control computers, when much more lasting damage can be done through a physical attack? (Look at what we did to the power system in Yugoslavia). However, although a power shutdown would be pretty darned inconvenient, I still don't see how it is going to kill Americans.

In summary... I don't see alqaeda pursuing this computer hacking angle, because it doesn't kill anybody. These guys are all about killing.

ps. This is just my educated opinion. I'm sure there are smart people who would disagree.... and sorry about the long post. Usually I specialize in short, smartass comments. :-)

[Timesink]

late night bump and adding to bump lists