Cyber-terror: How real is the threat? Squirrels are more of a danger The UK Chancellor George Osborne last week announced that the British government plans to double cybersecurity spending and establish a single National Cyber Centre. Cybersecurity spending will rise to £1.9bn ($2.87bn) at a time of budget cuts to police and other government departments. More details are expected to come in the …
"I prefer the substitution of "spider" for "cyber" in any and all documents"
My council IT dept. was called out for months when the security system in the server room tripped. It turned out to be a beetle (not a Beatle) making it's home in the warm sensor.
The West more likely to shoot own feet off by outsourcing IT that should be core part of business. e.g. RBS?
Or paying Google / Amazon / MS etc to host stuff instead of co-lo servers in different datacentres owned by different companies.
We are doomed not by terrorists (clue in name) but by our own stupidity,
Take a leaf out of the CIAs handbook. You need a cat, a piece of string, a rag soaked in a mix of volatile and less volatile hydrocarbons, a match and a tinder dry forest.
Tie the rag to the cats tail with a piece of string, set light to the rag with the match and watch that cat run through that tinder dry forest.
A few cat arsonists running around on a dry summers day in say California would cause the local firefighters to empty the local water reservoirs a lot more quickly than any potential cyber attack on the dam sluice gates.
It is just another attempt (probably a successful one at that) to enslave us with more draconian cyber laws that will remove that last vestiges of privacy from our lives.
You would be better with a rag dangling drone or some other device that could be human steered.
Behaviour of a cat with something fiery attached to it is likely to be a tad unpredicatble (typo intentional), though a high probability it will go exactly where you do not want it to go.
@tiggity
"You would be better with a rag dangling drone or some other device that could be human steered."
I don't think so. The cat runs as fast as it can away from the fire. A cat will cover a considerable distance before it either tires or the rag burns out. A cat cannot be hacked into nor disabled in the same way a drone can. A cat can run through a forest much faster than anyone can fly a drone through a forest. You would be unlikely to be able to trace the person who set fire to the cat in the same way you could gather data on the person controlling the drone. A cat runs on the ground thereby maximising the contact between rag and the ground. Finally, a cat is much cheaper than a drone and can be acquired without leaving a trail of evidence (financial transactions etc).
I'd like to know exactly what the government plans to spend this money on. It isn't like they manage the power networks is it? Are they planning to give it to the companies involved in critical services?
I have ears on the ground and whilst there are plans afoot to improve security in certain areas, the amount the penny-pinching is beyond belief, and the amounts in question are the tiniest drop in the ocean compared to the figures the gov. is bandying about.
So where is the money actually going to go?
I can only conclude from my own personal experience that any budget is going on a new CYBER division staffed by CYBER SPECIALISTS who have proven ability in CYBER turning on a windows machine and doing CYBER things with it, and for added CYBER effect we're not even talking wearing giant penis costumes in second life.
People are prepared to do almost anything to get into the CYBER teams because they think it's some kind of magic bullet against the beancounters axe, when in fact its completely the opposite inside the department concerned, the cost cutting is shocking.
Meanwhile some 12 year old will be p0wning their network because he knows more about sqli than was glossed over in some crappy powerpoint training course that all the poor cannon fodder who were cheapest to recruit got so they could be declared "trained". And stiff emails might have to be written. Oh the horrors of it!
Meanwhile, ISIS-kinda-sorta-supporter Turkey engages NATO because Russia is blowing up Turkmen in Syria on behalf of Assad. It's getting fucked-upper.
Oh, I forgot:
None of these attacked industrial control systems. The only example of a software nasty deliberately wrecking equipment that we all know about is the infamous Stuxnet worm
You forgot about: Hackers pop German steel mill, wreck furnace, an attack with clear intent - and success.
Although if you read the article the attack was as a result of a successful phishing attempt not a brute force attack on the company's firewall. That the company had not air-gapped the network controlling production machines is an example of bad practice which made the situation worse.
Start by getting a CISP certification. See if you can get interviewed by a TV station "man in the street" camera, and say "I think our leaders are misunderstood and are really just trying to protect us from pedophiles and terrorists." Visibly have a copy of the Daily Mail tucked under your arm during the interview. Once your soul is effectively sold, then send your resume in to the GCHQ.
I came to say exactly the same thing; Die Hard 4 isn't even a good example of a functional story/movie, never mind research on OpSec.
BitDefender, consider yourself removed from any future consideration of any security software, period. If you can't even keep a leash on your PR people from ridiculing yourself, I dread to think how you keep on top of the herd of cats that would be your dev/research teams.
And instead of spunking billions on 'cyber security' (for fucks sake, cyber-anything sounds like a joke - try using your grown up words, ministers) how about instead just making outrageous security snafus like Superfish and eDell criminal offences backed up with nine-figure fines per month the devices are on sale. After all, it's not like Dell have huge contracts in the civil service and military where having your secure connections utterly pwned might be considered problematic or owt, you know.
That way you can *make* billions when the ODM/OEMs fuck their security up so badly that it enables that kind of attack, which is where the problem really lies.
Steven R
This must have been the 2014 Darwin Award Nominee:
(19 May 2014, Arizona) The mummified remains of a man discovered in a Tucson manhole tell their own poignant story. In May the manhole was opened to investigate a fluctuation in electrical power. According to records kept by Tucson Electric Power the manhole had not been opened in the past five years, so the team that entered the underground high-voltage vault was quite surprised to find the dessicated remains of a man slumped near cut copper wires. In his shriveled hand was -- can you guess? -- a bolt cutter. An autopsy confirmed the obvious conclusion that electrocution was the likely cause of death. The date of death was set at somewhere between one and two years previous to the discovery.
Cable theft is a huge problem in South Africa. Thieves steal any and all copper wiring and piping they can lay hands on, which costs the economy billions, disrupts business and communications, and also leaves us with some delightful internet images of careless thieves (usually unidentifiable).
"Neither Russian nor China (the UK’s most capable cyber-espionage adversaries) " - So the USA isn't an adversary, or isn't capable? The fact that GCHQ gives the USA sensitive intelligence doesn't make them any less likely to act against UK interests. .... Allan George Dyer
If GCHQ feeds them the right smarter sort of sensitive intelligence, does the USA and any puppet executive administration acting as if a nation, becomes the UK's bitch, or really just GCHQ's. Is that a sensitive Gareth Williams North Face holdall type secret uncovered and discovered made readily available in the wild to any Tom, Dick or Harry, friendly renegade and independently minded rogue?
Such a lesson and fact is surely not entirely unknown to more than just wannabe super efficient boffin types batting and battling for an Almighty Masters and Blighty, but whether they be top tier premier league Great Game players or not, is invariably to be highly classified [Cosmic Top Secret Secure Compartmented Information] and that which rates and defines their success in the virtual terrain team field managing failures seeded to earthed systems with SCADA command and control levers. ‽
IT's a Mad, Mad, Mad, Mad World but not at all Crazy with AI in Leading Crafts and Virgin Flight Vessels.
The real vulnerability over here is not taking some SCADA but there are many transmission lines and substations out in the boonies. If there is any security beyond a fence (mostly to keep finger gepokers out) it would be a camera feeding back to a control station may be an hour or so away. Take a few these out and watch the chaos. Some dynamite or C4 would do the job quite well.
This was an NCIS episode plot a few years ago, so it's all planned out for Daesh, including some of the things to avoid.
I can't say I fully believe the premise that taking out a few towers could wreak enough damage to bring the US to its knees, though. The last one I experienced was the Northeast US (and Canada) blackout of 14-15 August, 2003, apparently triggered by dodgy control software and sloppy tree pruning near Cleveland at a time of high demand. In Cleveland the lights went out about 1610, I shut down the whimpering servers, and caught a bus to my son's apartment (he had a gas stove). We watched the stars that night, and our power came back on about Noon the following day. That evening I went back and started the computers so the customer department could work their scheduled Saturday O/T. We had an extra paid day off that year, but no obvious long term damage.
Terrorists might be able to do worse, but I doubt it would not be recoverable in a week or so.
It really depends on how many sites are taken out and how easy they are to repair as to how long a blackout would last. From what I hear, replacing a SCADA system might be easier and faster than some of the transformers in some substations. I see people quote a lead time of about 18 - 24 months for transformer delivery - I do not know if the sources knew what they were talking about.
If they are so worried about power stations etc. being hacked, why the hell aren't they enforcing a 6 monthly or yearly audit on them?
On top of that, make it law that CEO's and other upper managers are heavily fined if an incident does occur. Hit the people in the hip pocket that deserve it, not the poor sods that keep getting their budget's cut or told security isn't important.
If they arc up about it not being fair, a few well placed stories in the tabloids about fat cats risking the security of the nations power grid should sort them out quick smart.
That third-party hackers might help them in accomplishing their goals is also a stretch.
If the estimates from the US special forces raid which terminated their head of oil production and pinched all of his hard drives last year are correct, they have more than enough money to purchase the best attack kit money can buy from Russia, Ukraine or somewhere else in the ex-CIS.
What is more worrying is that they will continue having the money. Turkey put into a dispute state (which means that deliveries will stop) their Gasprom agreement last month (long before the shoot-down incident). That is 25% of their energy production. What people do not realize is that they are a major manufacturing site today. They build everything from Bosh (and under license) chainsaws to Transit vans and Renault Clios. The energy for that has to come from somewhere and the money they pay for the oil burned to attain it will be more than enough for the recipient to purchase an attack kit.
The evidence was Russian language used in the binaries.
If we consider for the moment the amount of foreigners which the Turks have assisted in supplying to Daesh, Al Nusra other groups which all differ only in the shade of black they use for their flags, that starts to look extremely circumstantial and flimsy. With 16K+ foreigners being allowed to move freely up to last year into Syria the attackers could have used any language. French (with or without Belgian accent), Dutch, English - you name it. If they had previous cyber-criminal history, that language most likely would have been Russian.
Similarly, with all oil sold by the same groups back through Turkey on the world market they have more than enough money to buy a kit off the dark net. That generally comes with a choice of Russian or Russian for the code origin. English is only the "Export Documentation".
In any case, the threat of cyber-terror is very real, but still remote. It will stop being remote after smart meters are deployed. I love the smell of grid failsafes kicking in early in the morning. All you need to do is to program the meters to flip the switch on-off at the same time in a sufficiently big areas and you get a lovely Boom.
Right.
Except the most effective "cyber attack" seems to have been a joint US/Israeli attack on a nation they neither (AFAIK) is officially at war with.
As for this "Worst case" AKA Die Hard 4.0 scenario BS.
That would take a large group of simultaneously cretinous managers to f**k up their backup plans, probably with physical visits.
<profanity filter off>
This is BULLSHIT
</profanity filter off>
BTW The cute Red squirrel in the picture is an endangered species in the UK.
It's being out bred by the fatter, hornier North American Grey squirrel, which carries but is also immune to "Squirrel pox" which has been killing the Red.
So if you want to defend your infrastructure against a real threat.
Trap the Greys.
the rodents have being responsible for 505 such operations. Birds have reached 141, and raccoons 31
My budgie damaged two buttons on my original Harmony One remote ('ingress of bodily excretions') and pulled a key off my laptop keyboard ('sheer bloody mindedness').
I was able to replace the key but sadly it proved impossible to clean the Harmony One. The cheeky little chappy has been dead for over two years now but has left me having to put up with a late generation Harmony One which is not as good as the original version. So that's one more count of long-lasting damage to IT infrastructure.
I do still miss the little sod though :)
How have we ended up in the position where we pay politicians getting on for 3 times the national average wage (74k vs 26.5k) and we still have idiots at the wheel that can't see past the blinken lights? Fortunately the only people stupider (and with less imagination) than the politicians are the terrorists and so by a luck we manage to stay half a step ahead most of the time. FSM help us if a terrorist with half a brain ever gets into a leadership position.
If you were Timmy Terrorist you wouldn't go for a cyber attack because it's just not scary. Yes it would be very inconvenient if the power went off for a few days but I'm hardly going to be quaking in my boots because my ice cream melted!
Having said all that all this money might pay for my next job so in the interests of self interest, keep up the good work George.
If the power went off to the whole country overnight, you would wake up to a police state and a shoot-to-kill order for looters.
This country would tear itself apart. I wouldn't be worried about my ice-cream either - the freezer should stay fairly cold for a day or two if you don't keep opening the door.
"Yes it would be very inconvenient if the power went off for a few days but I'm hardly going to be quaking in my boots because my ice cream melted!"
Your ice cream melting is not as inconvenient as the water pumping system shutting down, food shops closing when tills and refrigeration stop working, financial and delivery systems halting, or the panic caused by lack of phone or internet communication. To paraphrase the popular saying, society is only three meals away from chaos.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
