Cyber-terrorism at year end?greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread
Wow. So even if we treated Y2K as an important issue early on there would still be computer problems.
Gee. And if we didn't treat it as an important issue and there was going to be problems no one would know for sure if it was inaction on our part or the "Cyber-Terrorists".
So, perhaps we should pass laws restricting the internet and requiring users to be registered so that we can catch "Cyber-Terrorists". After all, look at the damage they are about to do.
To put it bluntly, I don't see squat to indicate that there's going to be any "cyber-blitz" on roll over. I only hear it from the government. Does anyone know of any information to the contrary? Or is this the most vigorous dog wagging yet?
Seems that having cyber-terrorists gives an excuse for failures despite "completeing work by December '99" AND justifies new special powers for law enforcment agencies.
Too damn convenient.
Not too jaded, am I.
-- eyes_open (firstname.lastname@example.org), July 12, 1999
It's not a fair question. We don't have intelligence reports of threats to evaluate. If I were a terrorist planning a cyber-attack (and we've seen hacking at several government sites lately), I think I'd wait for y2k to provide cover.
Doesn't mean it's true, but it doesn't mean this is a cover story either.
-- Dog Gone (email@example.com), July 12, 1999.
Not a cover story. Real. Believe it or not as you wish. Not speaking here as a doomer but as a citizen.
-- BigDog (BigDog@duffer.com), July 12, 1999.
What's the logic of planning a "cyber" attact during a time when possibly both phones and the internet will be broken? I have read many reports, including our prezedent giving a speech to the Annapolis Grad Class of '98 say that "We need to prepare for both cyber-terrorism and germ warfare." (happens to be one of the reasons for marshal law) The powers that wish to be. . .do like to plan in advance.
It makes more sense to develop propaganda to cover the real mistakes. Terrorism goes on on a daily basis (go to http://www.emergency.com/ennday.htm regularly and you will see that it happens all the time). Propaganda starts before the problem so people accept the false idea.
I am not saying that there will not be so called cyberattacts, I am just pointing out that there is more logic to computer failures causing the problems. In other words, why bother if you were a terrorist? You'd never ge
-- dw (firstname.lastname@example.org), July 12, 1999.
...you'd never get credit.
-- dw (email@example.com), July 12, 1999.
12 July, 1999
Former hacker warns of Y2K work rip-offs
By Paul Brislen
AUCKLAND - How well do you know the contractor who went through your system line by line looking for year 2000 problems? Do you know which coders worked on your system in particular?
Mathew Bevan is a 24-year-old Welshman who hacked into NASA, NATO and US Air Force systems before he turned 20 and was described as "more dangerous than the KGB" by one US official. Now, he advises companies on the best ways to avoid industrial espionage and he has a sobering message for companies that have recently had year 2000 work done.
"Do you know these guys or were you just pleased to get someone to do the work?" asks Bevan. "Is it going to be an entrapment situation - at midnight will you have some guys siphoning off some information from your system, or worse?"
Bevan says the first line of defence for any company that is concerned about security is to draw up a security policy and enforce it. "This isn't going to be a single-page document. This has to cover everything from hiring staff or contractors through to system security to physical or environmental security and you have to follow it through," he said.
Bevan points to recent FBI figures on theft of proprietary information, which is on the rise and amounted to over $US42 million spread out over 61 companies. "That comes to nearly $US700,000 each. How much can you afford to lose?" he asked.
The most accessible part of any system, says Bevan, is the information stored on notebooks or in physical form. It is sometimes easier to steal a disk or printout than it is to steal the information from a system.
"Do you have any information on your laptop you would rather others didn't see? Have you ever left it alone in a hotel room when you're travelling?" he asked. Bevan says companies should have a strict policy that limits the information carried on portable devices because even if the device isn't stolen, users can't be sure it hasn't been imaged and the information itself copied.
That raises another problem for companies that may have been hacked into or have had data stolen -- how do you protect the chain of evidence?
"If your site has been hacked into and changed you should have a policy in place that outlines how you deal with it. Do you call the management first, then police, then IT staff, or what?" he asked. Bevan says companies often don't preserve the evidence when a site is hacked and that makes it hard to prosecute, even when there are laws that cover computer crimes. As for claims that ex-hackers are still criminals and shouldn't be classified as "security consultants", Bevan says it's better the enemy you know than the one you don't. "I'm up front about my past, about my history and if you don't want to hire me, that's fine. But what do you know about the people working on your system?"
[Copyright ComputerWorld. All rights reserved]
-- Gayla (firstname.lastname@example.org), July 12, 1999.
But what an excellent time for enemies to poison our water, damage our grid etc.Much confusion.
-- citizen (email@example.com), July 12, 1999.
Would that be internal or external?
-- Michael (firstname.lastname@example.org), July 13, 1999.
The matter of cyber-terrorism is not a red herring at all. It is going on right now! Here is an account of an attack that took place yesterday. I have removed information that would identify the ISP. The account is otherwise quite genuine.
8:30pm this evening we began experiencing problems accessing outside sites. It has been determined to be 1 or 2 bad circuits that are part of our DS3 circuit bundles to MCI (Cable and Wireless) somewhere between [LOCATION] and [LOCATION]. Normally if we lose one of our circuits our secondary circuits kick in to compensate. Unfortunately, the bad circuit did not go completely down but became riddled with line errors (CRCs) that would occur in short bursts. By the time we had discovered which circuit and the nature of the problem at least an hour and a half had passed. Now that we know which is the 'sick' circuit we have it turned off and MCI is currently doing testing on it to find the exact location of the failure. Our UUNET circuits are now handling the traffic..as they have in the past. This unfortunately is a weakness in the multi-provider protocol that we use called BGP (Border Gateway Protocol : which is the only one really in use today on the Internet). BGP redirects traffic down another circuit when the primary goes down; however our primary did not go down..it just began experiencing intermittent bursts of errors..which had a cascading effect of throttling the routers. (Not, by the way, a problem we had ever seen before) We also were unable to turn the circuit down after we discovered the problem as MCI was commencing a series of tests and they had to complete before we shut the circuit down. We apologize for the inconvenience, it is regrettable that these things have to happen at Sunday night at 8pm (busiest time of the week) since it gives us very little time to react due to the immense customer demands and the overriding priority to get traffic flowing again at all costs not to mention that the large providers have reduced staff on weekends which further delays the response time. Last Sunday we experienced an attack (investigation pending ) which resulted in similar symptoms; however tonight's problem was clearly due to some malfunction in a telephone circuit whose location has yet to be determined; however for the record we have on the books only 2 other major events such as tonight's this year with a total outage duration time for the year of less than 6 hours. That's 6 hours downtime and 5040 hours uptime since Jan 1, 1999 which calculates to 99.88% percent uptim [sic]. Unfortantely [sic] most of those 6 hours were during peak time (6pm-10pm)
MCI is in the middle of a 2-3 hour circuit test that when complete will indicate the location of the failure. At that time they will have to dispatch field crew to the area where there appears to be some malfunctioning equipment. In the meantime our UUNET circuits are handling traffic; however they are not as big as our MCI links (frac/DS3) and therefore browsing will be slower until the primary circuits are restored. Again we apologize for the problems and we hope you understand that we have taken every precaution to prevent such outages; however in this case there was simply no way to track down the cause any faster and the nature of the problem rendered our redundancy quite useless.
11:47 PM Update: MCI has verified 2 bad circuits in the [LOCATION] area and they are dispatching a crew at this very moment. The traffic backlog is also affecting our mail servers so we are throttling them down just a bit to compensate. So mail service 'may' be slower.
12:37 AM Update: Our secondary UUNET circuits have now gone down which means no outside access at this time. We are awaiting notification from MCI, but we can only assume as all [LOCATION] circuits head to [LOCATION] that they are replacing equipment that all our circuits pass through. Unlike [LOCATION] or [LOCATION] or larger cities, we only really have one path out of the [LOCATION] area and that is through [LOCATION]. Traceroutes will not show this but all data communications in the [LOCATION] area hit a SONET fiber network that has a termination point in [LOCATION]. In larger cities we would have the option of purchasing circuits originating on different physical fiber networks that head in different directions. Thus, despite our redundancy the very nature of the [LOCATION] telephone network makes [LOCATION] a single point of failure at the physical level. That's why major fiber cuts in [LOCATION] last year affected [LOCATION] long distance and cellular service since all roads lead to [LOCATION].
01:20 AM Update: To add insult to injury we have just discovered that a customer ip address was also under a UDP attack while this was going on and with the help of UUNET security we were able to locate and have UUNET filter it. This is what was caused the strange problems with the UUNET circuit and we can only assume it was only aggravating the problem with MCI circuits. The moment they blocked it..we no longer saw the problem. The attacker was sending UDP fragments thus our counters were not registering them as full packets. The UUNET circuit is back up to full capacity and the MCI circuits are being repaired at this moment.
02:45 AM Update: MCI Circuits are back up but attacks are now re-routing themselves down MCI links causing the circuits to flap up and down. MCI Security is now placing filters on those links. While the circuits flap up and down...browsing access will be intermittent while the routes are continously rebuilding (route rebuild takes 5 minutes each time a circuit flaps). For those who are curious as to what an attack looks like go here (this was another link to the attack log).
03:10 AM Update: MCI has blocked the attack now on their side. We should be back at 100% except for UDP traffic which MCI has blocked until their security department can create a more specific filter. Here is the last few moments of the attack as shown in our logs (see log following) as soon as MCI brought the circuit back up. Keep in mind that we have it blocked on our side; however it does no good as it has already traversed the distance and even though we block it ..we still have to process it. MCI can douse it at the source entry point thus preventing their routers or ours from being overloaded.
03:19 AM Editorial on Denial of Service Attacks: A frequently asked question is: Does [ISP NAME] get more than their share of attacks? Answer: No.. except we are one of the few providers that openly admit it. Everyone has been attacked, from Microsoft to the Defense Department and even our most esteemed local competitors. Most appear to want to hide it from their users/customers. Our policy is to announce it loud and clear. The more providers make noise about the total lack of law enforcement on the Internet today; perhaps the more action will be taken. As it is now, virtually no cooperation or effort is put forth by law enforcement agencies when these incidents are reported unless its a high profile case. A common misconception is that the victim's security isn't strong enough. Well that's like a cop saying to a businessman he can't prosecute the kid who just through a brick through his display window because he just needs to get thicker glass. We pay our fair share of taxes that go towards law enforcement, however; when our business storefront receives the equivalent of a cyber-brick through our glass .. its our fault.
We'll we just don't agree. DOS (Denial of Service Attacks) have taken down many companies . These are different than hacker attacks. Hacker attacks are when they bypass the security of one's system to gain sensitive information. What we just experienced tonight and last Sunday was a denial of service attack which is bent on saturating our routers to the point that they can no longer effectively process our customer's packets. It takes very little knowledge, equipment, intelligence or morals to execute such an attack and without serious cooperation from multiple providers and law enforcement agencies, tracking down the culprit is virtually impossible. So every attacker knows the chances of him or her being caught are slim to none so he has little to lose and if he succeeds in putting a company out of business well I guess he has gained something ..who knows what?
Now for those providers that are saying .."we have special magical technology and unparalleled skills with which we can defend ourselves against any type or level of DoS attack"; I challenge them to put a note on their page challenging hackers/attackers to try to bring their service down with a DoS attack. I doubt they will step up to the challenge since as they know, although they would never admit, they are just as vulnerable as the rest of us who are providing access to the Internet.
UDP ATTACK LOG TRACE 7/12/99:
As you can see the UDP ports being attacked vary from 0 to 45k .. The intensity of the attacks are actually much more severe than what we see on our side. MCI/UUNET saw nearly 10 times the traffic ; however we would only see the few that made it through the links. The udp packets basically come in and hit at such a rate that the routers have to begin buffering the requests into queues.. eventually the queues fill up and cause packet drops and the line protocol on the interface to drop.
03:01:36: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1223) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(51769), 1 packet
03:01:37: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1967) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(2762), 1 packet
03:01:38: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1624) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(8877), 1 packet
03:01:39: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1544) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(51427), 1 packet
03:01:40: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(yyy4) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(48413), 1 packet
03:01:41: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1068) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(20153), 1 packet
03:01:42: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1777) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(15243), 1 packet
03:01:43: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1240) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(30981), 1 packet
03:01:44: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1963) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(9741), 1 packet
03:01:45: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1649) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(31933), 1 packet
03:01:46: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1454) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(39338), 1 packet
03:01:47: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1157) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(5227), 1 packet
03:01:48: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1979) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(17276), 1 packet
03:01:49: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1119) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(XXX28), 1 packet
03:01:50: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1909) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(39702), 1 packet
03:01:51: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1657) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(25050), 1 packet
03:01:52: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1371) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(17362), 1 packet
03:01:53: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1142) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(24031), 1 packet
03:01:54: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1976) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(5626), 1 packet
03:01:55: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1740) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(52135), 1 packet
03:01:56: %SEC-6-IPACCESSLOGP: list 174 denied udp XXX.xxx.0.34(1508) (Hssi2/0 *HDLC*) -> YYY.yyy.zzz.xxx(45145), 1 packet
-- Hardliner (email@example.com), July 13, 1999.
There was an article discussed here a while back which described an exercise by the eNesSAy where they had their own hackkers hack into the computer system controlling the electricity grid. Apparently they got themselves far enough to be able to shut the whole thing down.
Terrorists might want to do this, even if y2k would steal their credit, well, because they WANT to f#*k things up. USA's been making itself a lot of enemies of late.
-- number six (Iam_not_a_number@hotmail.com), July 13, 1999.
the grid will come back up , the telephones also But if there is an attack it will take a lot longer and the damage inflicted will rise logaritmicaly not linear with time.
-- justme (firstname.lastname@example.org), July 13, 1999.
"Wow. So even if we treated Y2K as an important issue early on there would still be computer problems.
Gee. And if we didn't treat it as an important issue and there was going to be problems no one would know for sure if it was inaction on our part or the "Cyber-Terrorists".
If we had attacked the y2k problem in time to finish it off, then we would be in better shape to protect against hackers. This is no different from depleting our military so that we leave ourselves vulnerable. So, indirectly our inability to solve y2k contributes to this problem.
-- de (delewis@Xinetone.net), July 13, 1999.
Yes, it's not a fair question. There is no way for us to know unless someone risks jail suppling us with classified information.
I know hackers are out there. I deal with them as part of my job. It's this whole cyber-blitz story. Taken in the context of the calibur of president and justice department we now have, it just stinks.
Oh well. I'll probably never know for sure.
Watch six and keep your...
-- eyes_open (email@example.com), July 13, 1999.
Thanks for the update. It's all "critical infrastructure" and as such falls under the Presidential E.O.'s to protect, when necessary.
Think it's all going to get weirder, rather than calmer.
-- Diane J. Squire (firstname.lastname@example.org), July 13, 1999.
And to top it all off, if you handle money and don't wash your hands, you might die, according to a piece on one of the TV magazine shows. Let's face it, everything around us is scream, "Danger, danger." There is only so much that we as organisms can deal with. My cutoff points are worrying about cyberterrorism and nuclear meltdowns. THere's nothing I can do about these personally. I am preparing for Y2K and washing my hands. I also want to enjoy the rest of my life-- even if it's only a few more months. I hope you all do, too--very sincerely.
-- Mara Wayne (MaraWAyne@aol.com), July 13, 1999.
Gayla, Hardliner, that's amazing! You have just scared the beejees out of me. Actually, I don't believe there is anything safe on this planet, espcially when it comes to computers and weather. Does this mean I never have to worry about Income Tax and bad hair days again.
Seriously, this why I come to this forum. These two posts, those threads on pipeline explosions, and other news that never seems to make it to the main stream media, can be found here.
My apologies to main stream networks and John Gibson. I realize that rehashing Jon Benet Ramsey, and Bill, and Hilary, and the *running of the turkeys* for president keeps you much too busy to report anything of interest to the ordinary mortals outside the beltway.
-- gilda (email@example.com), July 13, 1999.