
ICG Risk Blog - [ Domestic Digital Pearl Harbor driven by offshore criminal and terrorist agents ]

Domestic Digital Pearl Harbor driven by offshore criminal and terrorist agents


While I had previously noted that, "Malware (malicious software), phishing, cracking, and social engineering, individually and in concert, increasingly point to the goal of criminal profit," it is increasingly apparent that while US residents remain the most attractive target (due, I believe, to our volume of ecommerce, the availability of broadband bot targets, and far too many dumb users unable to protect their PCs), the perps are Eastern European gangs. (US organized crime has been slow in comparison in its embrace of cybercrime.) While the US has the largest absolute number of fraudulent transactions:

countries such as the former Yugoslav republic of Macedonia, the African countries of Nigeria and Ghana, and Vietnam are homes of a higher percentage of fraud. [VeriSign] labels any credit card transaction from an IP address sourced in Macedonia as "risky," and more than 85 percent of such transactions from the other three countries are not to be trusted.

It is worth remembering that while Dick Clarke was too "often dismissed as a Cassandra while cybersecurity czar," and thus the six trends he identified in October 2003 were received with what I would call polite inattention by IT and government (See Revisiting Clarke's six bleak IT trends from October 2003), all that he forecast has come to pass. Clarke said all six would increase, but the one that would go through the roof was 'Rising identity theft.' Not only has it gone through the roof but it is being used in combination with at least four others: Rising vulnerabilities, Rising patches, Falling "time to exploit," Rising rate of propagation, and Rising cost of cleanup.

Phishing (enticing users to surrender financial data and passwords to fake Web sites) is being carried out "on a massive scale [such that the] price of a credit card number is dropping into the pennies now." Offshore perps are infecting US PCs with Trojans and worms, turning them into bots and bot nets, which then launch an interstate attack masking the attacker's origin.

One supposes better late than never, but it is still stunning to see the FBI just now publicly begin to say:

Tools and methods used by these increasingly skilled hackers could be employed to cripple our economy and attack our critical infrastructure as part of a terrorist plot. People had to assume that terrorists would seek to hire hackers to "raise money, aid command and control, spread terrorist propaganda and recruit more into their ranks and, lastly and most ominously, attack at little risk."

The Internet could allow attackers to remain anonymous, to strike at multiple targets from a distance and escape detection. Critical infrastructure such as water, power and transportation systems remained vulnerable. In the future, cyberterrorism may become a viable option to traditional physical acts of violence. Terrorists have figured out that we have a technological soft underbelly.

Back in Black hat meets white hat in the Idaho desert, I noted that:

"Many once-isolated systems used to run railroads, pipelines and utilities are now also accessible via the Internet and thus susceptible to sabotage," as "More and more of these things are being connected to the Internet, so they can be monitored at corporate headquarters. It is generally accepted that the August blackout last year could have been caused by that kind of activity."

The Control Systems Center being built at DOE's INEEL by DHS and CERT is intent on addressing five areas: awareness, incident management, standards collaboration, strategic direction and testing. INEEL's head of national security programs is already on record as saying, "I am confident that there is no system connected to the Internet, either by modem or fixed connection, that can't be hacked into."

Given the disarray at DHS, one hopes that they talk to the bureau.

In Clarke's vision of securing the net, I said that at least a small "p" digital Pearl Harbor was possible due, in part, to the fact that the 2003 Federal Computer Security Report Card scored the critical 24 federal agencies into an overall D grade [and] that those still getting an F are the departments of Homeland Security, Energy, State, Justice, Health And Human Services, Interior, Agriculture, and Housing And Urban Development. (Defense got itself into the D category along with Transportation, GSA, Treasury, OPM, and NASA.)

Many private industry sectors are no better even as they possess the Supervisory Control and Data Acquisition (SCADA) systems that are the C2 for critical infrastructure including electric, gas and oil distribution systems, water and sewer systems, and various manufacturing processes.

It is painful to think of phishing attacks merely being a money-spinning prelude to an infrastructure attack. We've passed the small 'p' and are now on the way to a medium 'p.'

FBI: Hidden threat inside cybercrime
November 10, 2004, 3:54 PM PT

Report: Crooks behind more Net attacks
By Robert Lemos
CNET November 16, 2004, 2:17 PM PT

Gordon Housworth
