Friday, November 28, 2008

Cloud Wars, Russia/China v. DoD, Digital Pearl Harbor's and other things that don't keep me up at night

Elasticvapor is hyperventilating about the latest cyberattacks (what is it about the term "cyber" that makes me bilious)
This current attack on the DoD is a relatively minor diversion in comparison to what a full out, planned network centric attack could actually do. Think about the potential fall out if the US electrical grid, cell / phone network and financial infrastructure was to be attacked in unison and taken offline all at once. Combine that with if it were to happen during the midst of an actual "crisis" such as what we're currently seeing in India this week. The turmoil would be unprecedented.

Nod. Been there done that, why nail assets from other critical infrastructure sectors (air, rail, chemical, various pipeline) while you are at it? A threat-modeler's wet-dream.

Yep, the more things change the more they stay the same -- like Richard Clarke's Digital Pearl Harbor (yeah you read that right, that is from 2000)
On coming to office, the next president will find that several nations have created information-warfare units, Clarke said.

"These organizations are creating technology to bring down computer networks. Some are doing reconnaissance today on our networks, mapping them," he said.
The horror, the horror andt here is some other good stuff from pre-9/11 days when (if you believe Vmyths) there was too much focus on Cyber and not enough on physical.
Another way to improve security throughout the Internet is to create secure lines of communication between the technology industry and the government, Clarke said. That way, they could share information about hackers and viruses without worrying about the public learning about it.

Others at the conference expressed the same notion. Harris Miller, president of the Information Technology Association of America, said that a nonprofit organization of 18 companies would be created early next year to share information.
That wouldn't be the genesis for those pesky little ISACs we keep hearing about.

Speaking of public information if you look at the latest press on the attacks against DoD. you'll see the typical meaningless say-nothing article (with a few juicy-sounding leaks from DoD employees) that undermine the credibility of the whole story and reinforce how little is known in the open press. Channeling Rumsfeld (are these known unknowns or unknown knowns?), here are all things that are not known by defense officials:

From LA Times
The defense official said the military also had not learned whether the software's designers may have been specifically targeting computers used by troops in Afghanistan and Iraq.

Military electronics experts have not pinpointed the source or motive of the attack and could not say whether the destructive program was created by an individual hacker or whether the Russian government may have had some involvement. Defense experts may never be able to answer such questions, officials said.

Officials would not describe the exact threat from agent.btz, or say whether it could shut down computers or steal information. Some computer experts have reported that agent.btz can allow an attacker to take control of a computer remotely and to take files and other information from it.

Or maybe, despite the headlines, it is not a cyberattack at all?

So, to distill what is available in public news sources:
  • It might (or might not) be W32/Agent.BTZ (hence, the USB angle) which has been around for months
  • Central Command networks have been infected and perhaps others, possibly to gather information about logistical systems
  • Both China and Russia are mentioned with no direct evidence of their involvement
  • Portable storage devices were banned on 17 Novemeber
Yeah I'm a hell of a lot more worried about the link between breastfeeding and peanut allergies that any of this stuff. Note to self: don't accidentally give the peanut butter-filled Nilla wafers your 5 your old didn't eat to your 11 month old.

Update: Dave Lewis also mentions the article, so it must be serious ;)


Dave Lewis said...

Ouch, I do believe that I was just zinged. ;)

Matt Franz said...

All in good fun!

- mdf