
Cyber-terrorism — Virtual for Who?


feature

Berni Dwan

Cyber terrorism can be described as the use of computer resources for the purposes of intimidating, coercing, harming, or propagating misinformation that decidedly aids these nefarious deeds. Or, the general destruction of critical computer systems that are vital to the smooth running of a country. These critical systems include information and communications, electric power generation, transmission, and distribution, oil and gas production and distribution, banking and finance, transportation, water supply, and emergency government services. It can range from the general to the particular, the global to the local, affecting the great unwashed to the unfortunate individual. Its goal can be mass destruction or personal downfall, propagation of hate, lies or downright dangerous information to everyone, or to select groups who will use it cleverly.

Margaret Wertheim, author of The Pearly Gates of Cyberspace [1], points out that while cyberspace is a technological by-product of physics, it is not subject to, or bound by, the laws of physics. When one enters cyberspace to surf the Web, the laws of Newton and Einstein are left behind. So, also, are many of the civil laws of decency, honesty, privacy and fair play.

Simson Garfinkel describes two scenarios in the Boston Globe (March 1995).

Some ideas

The first one is called the Manchurian Printer and anyone with a whit of IT experience can see that this scenario could very easily become a reality.

The printer

The Manchurian printer is a low-cost, high-quality laser printer. It has a secret, built-in, self-destruct sequence (logic bomb), which will lie dormant until a specific event occurs. The event could be the sending of a special coded message in the form of a long sequence of words that would never normally be printed together. This would result in the printer locking its motors, overheating and bursting into flames. Imagine a large company with lots of these printers networked around the building.

Simultaneous self-combustion of the printers would, at the very least, cause some economic damage. Fire starting in so many places would probably mean evacuating the building, and substantial damage would ensue before the fire brigade would arrive.

Such an act could even result in temporary closure of the company.

Word processing

The second scenario involves a software company that is determined to make its new word processor a hit. Instead of selling the program, they give away free evaluation copies that can be used for one month. But this seemingly innocuous word processor has an extra agenda of which the users are totally ignorant.

While they are using their evaluation copies the program is simultaneously sniffing out and booby-trapping every copy of Microsoft Word and Word Perfect that it finds on their systems. At the end of the month, all word processors stop working and instead of allowing you to edit, they print out ransom notes. Garfinkel makes the point that it is almost impossible to know beforehand whether a booby-trap is present or not, and that no practical way has yet been devised to test for them.

The fact is that our reliance on information technology has grown much faster than our ability to understand the vulnerabilities inherent in networks and the World Wide Web in general.

What if?

Potential scenarios that cause deeper concern involve global and national information infrastructures. Could our wired world be dangling at the edge of a precipice?

Hacking into, and commandeering, an air traffic control system could have a similar result to the events of 11 September without having to enlist a bunch of suicide pilots.

Telecommunications systems, rail systems, power grids, all made more vulnerable due to privatization with its resulting competition, could equally be commandeered to the detriment of a nation.

Recent viruses like Code Red and Nimda could be altered and sent into the wild to wreak global havoc on networks with serious economic consequences. Think of all the networked computer systems containing medical, legal and financial information, retrospective and current.

Could medication instructions be altered to kill or disable high profile patients? Could evidence be tampered with to compromise the course of justice? Could illicit funds be moved illegally? And what about the use of computerized voting systems, can they be trusted in the light of so many publicised system vulnerabilities? There is plenty of literature and evidence, anecdotal, theoretical and real, to convince us that the answer to all three questions is yes.

Specifics

Not only is the World Wide Web a bottomless pit of hacker tools, but it is also an excellent source of computer security education. The crazy thing is, it contains all the information necessary to herald its own demise. So, not only are global and national infrastructures at risk, but the very Internet itself could be a target.

The World Wide Web has particular vulnerabilities that even a modest user can take advantage of. The weaknesses lie in File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP) and TCP/IP.

FTP allows anonymous or guest logins, which give attackers limited access to facilities.

Non-secure HTTP modes accept active content (executable JavaScript or ActiveX), which can be used maliciously. With SMTP, email servers must be configured to accept connections from anywhere on the Internet in order to receive email, one of the biggest risks being that your server will function as an open relay.

SMTP has no authentication of address headers and sources. This can result in spoofing email messages with false ‘from’ headers, unauthorized re-routing of mail or flooding of a system with mail to deny service.
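One receiving-side check for the false ‘from’ headers described above, as an added example that is not part of the original article: it compares the domain in the From header with the envelope sender that the delivering server recorded in Return-Path. The function names and both sample messages are constructed for illustration; a mismatch is a signal to weigh, not a verdict, because mailing lists produce it legitimately.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not real mail). Return-Path is written by the
# final delivering server from the SMTP envelope (MAIL FROM); the From header
# is whatever text the sender chose to put in the message body headers.
ALIGNED = (
    "Return-Path: <alice@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "To: bob@example.org\n"
    "Subject: minutes\n\nSee attached.\n"
)
SPOOFED = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "From: \"Accounts\" <accounts@bank.example.com>\n"
    "To: bob@example.org\n"
    "Subject: urgent\n\nPlease confirm your details.\n"
)


def domain_of(value):
    """Return the lower-cased domain of an address header value, or ''."""
    _, addr = parseaddr(value)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def from_header_findings(raw_message):
    """List reasons the From header should not be taken at face value."""
    msg = message_from_string(raw_message)
    findings = []

    # SMTP itself never validates this header, so even its count is untrusted.
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        findings.append(
            "expected exactly one From header, found %d" % len(from_headers))

    envelope_domain = domain_of(msg.get("Return-Path", ""))
    for value in from_headers:
        header_domain = domain_of(value)
        if not header_domain:
            findings.append("From header has no parsable address")
        elif envelope_domain and header_domain != envelope_domain:
            findings.append("From domain %s differs from envelope domain %s"
                            % (header_domain, envelope_domain))
    return findings


if __name__ == "__main__":
    for label, raw in (("aligned", ALIGNED), ("spoofed", SPOOFED)):
        print(label, from_header_findings(raw))
```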

Finally, the TCP/IP vulnerability lies in insecure and unauthenticated transmission of IP addresses.

Encryption

In 1996 the Afghan headquarters of Osama bin Laden was furnished with computers and communications equipment, on which a network was established that utilised the Web, email and electronic bulletin boards. Hamas activists then proceeded to use chat rooms and email to plan operations and co-ordinate activities, thus bypassing the ability of Israeli security officials to intercept and decode their messages [2].

On the virtuous side, human rights workers are increasingly using the Internet to organize action against repressive governments, encryption playing a vital role for obvious reasons.

Guatemalan activists, for example, have credited their use of the Pretty Good Privacy program with saving the lives of witnesses to military abuses — a good reason for many governments to outlaw the use of encryption, perhaps?

Ultimate jihad challenge

But then, the ugly side of utilising encryption has been highlighted in several reports since 11 September. Brian McWilliams and Ned Stafford of Newsbytes [3] recently wrote that the website belonging to Sakina Security Services Ltd., which advertised a firearms training course called ‘The Ultimate Jihad Challenge’, was apparently shut down by British law enforcement officials. The site provided a Pretty Good Privacy encryption key to visitors wanting to conceal their communications with the company, and prior to going offline, the site, located at www.sakina.fsbusiness.co.uk, also contained an appeal for donations to a Palestinian liberation movement known as the ‘Al Aqsa Liberation Fund’. Interestingly, Freeserve, the Internet service provider that hosted the site, declined to say whether they had disabled it at the request of law enforcement officials.

McWilliams and Stafford also refer in their article to a London Evening Standard report that detectives detained Sulayman Zain-ul-Abidin for questioning. He is believed to be an instructor at Sakina Security as well as a suspected fund-raiser for terrorists. Newsbytes downloaded a public PGP key from the Contact section of the Sakina site and showed it was created on 24 February 2000, in Zain-ul-Abidin’s name.

A Washington (Reuters) report in February of this year [4] reported on Muslim extremists, including Osama bin Laden, posting encrypted or scrambled photographs and messages on popular websites and using them to plan attacks against the United States and its allies. Quoting from USA TODAY it said, extremists using free encryption programs “were using e-mail, computerised files, and encryption to hide maps and photographs of their targets, and instructions for carrying out attacks, on sports chat rooms, pornographic bulletin boards and other websites.”

The report said bin Laden began using encryption five years ago, but increased its use after US officials revealed they were tapping his satellite telephone calls in Afghanistan. Most ominously, the article cites a quote from Sheik Ahmed Yassin, founder of the militant Muslim group Hamas. “We will use whatever tools we can — emails, the Internet — to facilitate jihad against the [Israeli] occupiers and their supporters. We have the best minds working with us.”

Brains v brawn

Although in the case of cyber-terrorism, it may not be the best minds that are required. With over 30 000 hacker-oriented sites on the Internet, you no longer need the knowledge, you just need the time and a ‘cause’ to download the tools and the programs, all readily available and easy to use. It’s the brains that are required on the potential receiving ends, bizarre as it may seem, to prevent the offending payloads. A sinister twist, as it were, in the brains against brawn scenario.

The question is, could a bunch of script kiddies bring down the Global Information Infrastructure, or a National Information Infrastructure? As John S. Tritak, Director of the Critical Infrastructure Assurance Office, said in a statement to the Senate Committee on Governmental Affairs on 4 October: “The cyber tools needed to cause significant disruption to infrastructure operations are readily available. Within the last three years alone there has been a dramatic expansion of accessibility to the tools and techniques that can cause harm to critical infrastructures by electronic means. One does not have to be a ‘cyber terrorist’ or an ‘information warrior’ to obtain and use these new weapons of mass disruption.

Those who can use these tools and techniques range from the recreational hacker to the terrorist to the nation state, intent on obtaining strategic advantage. From the perspective of individual enterprises, the consequences of an attack can be the same, regardless of who the attacker is.”

Hacker = terrorist?

Perhaps the move to classify hacking as a terrorist offence may scare most of them off. Do we want to wait and see, or would we rather learn from the recent past that major terrorist events or tragedies usually result in a spate of undesirable cyber activity?


The most recent example before 11 September followed the collision between a Chinese jet fighter and a US surveillance plane in April, when there were thousands of defacements of US websites. But mere defacement pales into insignificance when compared to the Dutch hackers who stole information about US troop movements from US Defense Department computers during the Gulf War. When they tried to sell this information to the Iraqis, the Iraqis refused it, thinking it was a hoax. These guys did not have the ready-made tools available today, so if they are still around, who knows what they are now capable of? The fact that the Bush administration has appointed Richard Clarke to focus solely on cyber-security efforts is telling.

There is no doubting that the attacks on the World Trade Center and the Pentagon have rekindled the encryption debate. While the FBI never stated publicly whether the hijackers used encryption to mask their communications, John Schwartz in a New York Times piece reports that Philip Zimmermann, PGP’s creator, said that he would be surprised if they hadn’t. Quoted in the article, Zimmermann said, “I have no regrets. I did this for human rights ten years ago, and today every human rights group uses it.” This leaves products like PGP in the unenviable position of being an ally to some and an enemy to others in equal quantities. It also places decision-makers between a rock and a hard place, since tightening the reins of control has a negative impact on civil liberties.

Making decisions

The fact is, an oppressive regime’s understanding of the word terrorism is quite different from a democratic government’s understanding of the word.

Philip Zimmermann cites the use of Pretty Good Privacy by human rights groups to protect them from what we would perceive as the real yoke of terrorism they live under. None of us living in our comfortable democracies could deny them this level of protection in their fight for justice.

Our own democratic understanding of the word terrorism is generally bestowed upon purveyors of human carnage, usually in the name of an extremist or fundamentalist cause.

The vitriolic content of the radio broadcasts of William Joyce (aka Lord Haw Haw) during World War II would, I am sure, have made a classic hate and propaganda website today. While his speeches were regarded as a public service in Nazi Germany, their intended audience regarded them as quite the opposite. There are so many similar examples throughout history.

The tradition continues, always using the latest and most efficient method of dissemination.

Hoaxes

Just as virus hoaxes stimulate unnecessary anxieties, so too do online hoaxes following major tragedies. These are merely other aspects of cyber-terrorism and should be dismissed as vehemently as website defacements and cyber-terrorism in its more accepted form.

People who never heard of Nostradamus before 11 September are now frantically studying his writings for other ‘signs’, while those sympathetic to the more fundamentalist side of Christianity must be alarmed by claims that Satan’s face was visible in a photo of the burning Twin Towers.

The Computer Incident Advisory Capability (www.ciac.org) has a security alert that reads: “With respect to the current tragedy, users are being cautioned to be aware of fraudulent messages and websites purporting to be collection sites for relief donations. Also, caution is urged not to double click on email attachments that appear to be related to a current event or to helping others (examples: WTC.EXE, WTC.TXT.VBS, or RED-CROSS.DOC.VBS).”
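A mail-gateway style check for the attachment names in the alert above, as an added example that is not part of the original article or the CIAC alert: it flags executable extensions and the document-then-script double extension seen in WTC.TXT.VBS. The extension lists and function names are illustrative assumptions, not a complete policy.

```python
import os

# Extensions Windows runs directly or hands to a script host.
# Illustrative list chosen for this example, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd",
                   ".vbs", ".vbe", ".js", ".jse", ".wsf"}
# Extensions a reader takes for "just a document"; used as the decoy.
DOCUMENT_EXTS = {".txt", ".doc", ".rtf", ".pdf", ".jpg", ".gif", ".xls"}


def normalise(filename):
    """Reduce a displayed attachment name to what the system will open."""
    # Trailing dots and spaces are ignored by Windows when opening a file.
    name = filename.strip().rstrip(". ").lower()
    # Spaces padded before the last extension ("a.txt      .vbs") push the
    # real extension out of a narrow filename column; remove the padding.
    return ".".join(part.strip() for part in name.split("."))


def attachment_findings(filename):
    """Return the reasons an attachment name deserves to be held back."""
    name = normalise(filename)
    stem, last_ext = os.path.splitext(name)
    inner_ext = os.path.splitext(stem)[1]
    findings = []
    if last_ext in EXECUTABLE_EXTS:
        findings.append("executable extension " + last_ext)
        if inner_ext in DOCUMENT_EXTS:
            # With "hide known extensions" on, only the inner one is shown.
            findings.append("document extension %s hides %s"
                            % (inner_ext, last_ext))
    return findings


def should_quarantine(filename):
    return bool(attachment_findings(filename))


if __name__ == "__main__":
    # The three names quoted in the alert plus two constructed ones.
    for sample in ("WTC.EXE", "WTC.TXT.VBS", "RED-CROSS.DOC.VBS",
                   "minutes.doc", "photo.jpg        .vbs. "):
        print(repr(sample), attachment_findings(sample))
```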

Protection

Computing professionals all over the world now need to be aware, more than ever before, of the whole gamut of vulnerabilities providing open doors or back doors to cyber terrorism. This increased awareness is necessary in order to better protect the world’s computer systems and possibly help put an end to terrorist activity by killing this particular lifeline. Vulnerability scanners will, I think, become more widespread, as system administrators will no longer feel comfortable with never having the full picture regarding network security holes.

In larger enterprises, more computer security staff will probably be required to fully configure, implement and manage the increasingly complex suite of security products necessary to protect systems.

There is no getting away from the difficulties of protecting globally disparate enterprises, although the de-centralization of systems will perhaps make them less vulnerable to outright destruction than their centralised predecessors.

All computer security products will become smarter, with ease of use and low maintenance more of a priority, especially for small business and home users. While combating cyber-terrorism has been an ongoing challenge for some considerable time, the gauntlet has been thrown down in a most horrific manner and the computing profession must respond post haste.

The perpetration of cyber terrorism may be a virtual experience for its perpetrators, but the payload for those on the receiving end is shockingly real, whether it be bankruptcy, loss of life, miscarriage of justice or general mayhem resulting from the outage of critical systems.

References

[1] The Pearly Gates of Cyberspace — a history of space from Dante to the Internet, Margaret Wertheim, Virago, 2000.

[2] “Activism, Hactivism, and Cyber-terrorism: The Internet as a Tool for Influencing Foreign Policy”, Dorothy Denning.

[3] “Nixed ‘Holy War’ Web Site Offered PGP Encryption Key”, Brian McWilliams and Ned Stafford, Newsbytes, London, 04 October 2001.

[4] “Extremists Said to Be Scrambling Messages on Web”, www.infowar.com, 06 February 01.
