This article, based on a recent webinar I undertook with IHS Janes, explores the technology behind cyberterrorism and, in particular, the use of modern technologies to spread propaganda in support of cyberterror. It then moves on to improving the resilience of computer systems against attack, especially control systems that have recently been exposed as extremely vulnerable, and concludes with some practical steps you can take to help prevent your business or organisation becoming a victim of cyberterrorism.
The Internet and Jihadists
The internet and worldwide web are fantastic, capable business tools, but that capability is also being harnessed to meet the objectives of terrorists and other malevolent groups. Back in 2005 a web forum for Muslim extremists called on its members to organise an Islamist hackers' army to carry out internet attacks against the U.S. government. The site posted hints and tips, software and links to other resources to help would-be hacktivists.
Called al-Farooq, the forum "represents a how-to manual for the disruption and/or destruction of enemy electronic resources, including e-mail, web sites and computer hardware," according to The Jamestown Foundation, a US-based research group. One member of the forum called for the creation of an Islamist organisation, which he dubbed "Jaish al-Hacker al-Islami," or the Islamic Hackers' Army.
Reportedly, a set of tools was maintained in a "hackers library" on the al-Farooq site, offering a range of malware designed to steal passwords, anonymise web surfing and otherwise interfere with a targeted computer system.
There is no doubt that the internet is an important tool for various political groups wishing to spread their propaganda, share new ideas, recruit new members and develop tools and techniques for attacking targets.
Common mainstream social media and file-sharing sites, such as YouTube and Facebook, are used to showcase terrorist acts or spread propaganda to an audience these groups could not otherwise reach, simply because so many people use the sites. Facebook today has over 500 million users, presenting a rich hunting ground for all types of hacktivist group, who can sidestep conventional countermeasures such as website take-downs and go direct to a ready-made and often receptive user base. After all, the use of these sites by corporations as part of their outbound marketing mix gives credence to the effectiveness of this approach!
Mobile Phone Jihadists
In October 2009 the Arabic "al-Ansar al-Mujahideen Forum" offered a special data package designed for mobile phones. Published by a newly created "Mobile Detachment", the contents are aimed at sympathisers and adherents of jihadist principles. Provided with special software, mobile users can read the documents or watch the videos on their handset and send these highly indoctrinating and radicalising materials via Bluetooth to other, unwary, Bluetooth-enabled devices. The data offered in these conveniently administered packages covers nearly the whole genre of jihadist material.
Open Source Intelligence Gathering (OSINT)
One significant use of the internet has to be the gathering of information and intelligence in preparation for criminal activities, terrorist or otherwise. The current culture of information sharing, most notably among those who are not yet middle-aged, provides a wealth of data that can be harvested by criminals and terrorists.
Quite frankly, everything and anything about some people's lives is now published for all and sundry to see. In fact I would suggest that it is harder to find someone who doesn't have a profile than one who does. Open source intelligence has become a specialist art (or science), assisted in the main by many people's stupidity.
The Please Rob Me website extracted users' profile and location information and highlighted when they were not at home, mostly because they had "Tweeted" that they were elsewhere. Others have extended this kind of open source intelligence gathering into a mapping service: when users Tweet from a GPS-enabled phone that records their position, the coordinates are sent to a mapping site and their location is displayed for all to see.
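To show how little is needed to turn a stream of geotagged posts into "this person is not at home", here is an added example (my code, not part of the original article or of any of the sites mentioned). The posts are constructed, the coordinates are arbitrary, and the "people post from home late at night" heuristic and the 5 km radius are assumptions; the point is that a home location falls out of a handful of timestamps and coordinates, after which any distant post is an absence notice.

```python
"""Infer a likely home location from geotagged posts and flag 'away' posts.

Added example (not from the original article). POSTS is a constructed list of
(UTC timestamp, latitude, longitude, text) of the kind a geotagged tweet
exposes; no real accounts or APIs are involved.
"""
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data: a London-based poster who travels to Paris.
POSTS = [
    ("2010-11-01T23:10:00", 51.5011, -0.1246, "home at last"),
    ("2010-11-02T02:30:00", 51.5012, -0.1247, "can't sleep"),
    ("2010-11-02T12:15:00", 51.5074, -0.1278, "lunch at Trafalgar Sq"),
    ("2010-11-02T23:45:00", 51.5011, -0.1245, "bed"),
    ("2010-11-04T09:00:00", 48.8566, 2.3522, "Paris for a few days!"),
    ("2010-11-05T22:00:00", 48.8532, 2.3499, "Seine at night"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def infer_home(posts, night=(22, 6), grid=0.002):
    """Return (lat, lon) of the grid cell (~200 m) with most night-time posts.

    Assumption (heuristic, not from the article): people usually post from
    home between 22:00 and 06:00, so the busiest night-time cell is 'home'.
    """
    cells = Counter()
    for ts, lat, lon, _ in posts:
        hour = datetime.fromisoformat(ts).hour
        if hour >= night[0] or hour < night[1]:
            cells[(round(lat / grid), round(lon / grid))] += 1
    if not cells:
        return None
    (clat, clon), _ = cells.most_common(1)[0]
    return (clat * grid, clon * grid)


def away_posts(posts, home, radius_km=5.0):
    """Posts made further than radius_km from home, as (timestamp, km, text)."""
    out = []
    for ts, lat, lon, text in posts:
        d = haversine_km(home[0], home[1], lat, lon)
        if d > radius_km:
            out.append((ts, round(d, 1), text))
    return out


if __name__ == "__main__":
    home = infer_home(POSTS)
    print("inferred home:", home)
    for ts, km, text in away_posts(POSTS, home):
        print(f"{ts}  {km:>6} km away  {text!r}")
```

Against the sample data the inferred home is the London cell and both Paris posts are flagged as several hundred kilometres away; the lunch post, a few hundred metres from home, is not. Nothing here needs a login or an API key, which is the real lesson of the Please Rob Me exercise.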
The huge number of webcams available across the internet enables target reconnaissance to be carried out from the comfort of home. Admittedly many official "traffic cams" have built-in delays of a few minutes, undoubtedly to reduce their real-time usefulness to criminals and to let the authorities cut the feed if needed, but a vast number of other webcams are available for viewing. Many are intentionally webcasting for marketing purposes from hotels, restaurants and tourist areas, but others are local security cameras that have never been secured and can be viewed by anyone. Of course, if existing cameras fail to provide appropriate coverage of a target, it is trivial for many groups to set up their own cameras for reconnaissance, or even in support of an action.
Attacks on computer systems
There are a variety of ways in which websites and public-facing computer systems can be attacked by hacktivists, and attacks on websites continue to be a popular form of political demonstration.
In December 2010, around 36 Pakistani government websites were defaced by an online hacker group calling itself the Indian Cyber Army. All hosted on the same server, the sites affected included those of the Pakistan Army, the Ministry of Foreign Affairs, the Ministry of Education and the Ministry of Finance. The attacks consisted of political messages and graphics inserted into the web pages, some of which referred to the attacks in Mumbai.
Also in December 2010, a number of financial payment websites were subjected to denial of service attacks by hacktivists disgruntled that these companies had stopped processing payments to the WikiLeaks website.
For commercial websites that trade across the internet this can be catastrophic, the equivalent of having all their physical stores closed down at once. Denial of service attacks range in sophistication from physical destruction of internet connection points to flooding a website with so much spurious traffic that its servers, or the links in front of them, can no longer serve legitimate users. It is similar to jamming a business switchboard with calls that are hung up as soon as they are answered: the attacker abuses the ordinary TCP/IP protocols on which the internet runs, for example by opening connections that are never completed or by sending requests faster than the server can answer them. Such attacks are usually coordinated through botnets, networks of compromised computers that are instructed to send high volumes of traffic at the target. Designers and hosting providers can mitigate these attacks with over-provisioning, rate limiting and upstream filtering, but a large attack, particularly a distributed one in which no single source looks abnormal, is difficult to manage, and in practice organisations often end up taking the servers offline and hoping the attackers go away.
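The paragraph above describes two distinct shapes of flood, a single noisy source and a botnet whose members each stay quiet, and the detection logic has to differ for each. The following is an added example (my code, not from the original article): it runs a sliding-window count over constructed access log lines in the Apache/nginx combined format, flags any source that exceeds a per-IP request rate, and separately flags a window in which the aggregate rate is abnormal even though no single IP is. The window size and both thresholds are assumptions you would tune to your own traffic.

```python
"""Flag request floods in web server access logs.

Added example (not from the original article). SAMPLE_LOG is constructed in
Apache/nginx combined format; window_s, per_ip_limit and total_limit are
illustrative thresholds, not recommendations.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def detect_floods(lines, window_s=10, per_ip_limit=20, total_limit=100):
    """Return (noisy_ips, distributed_flood) for time-ordered log lines.

    noisy_ips: sources with more than per_ip_limit requests in any window_s.
    distributed_flood: True if the total request count in any window exceeds
    total_limit; this is what catches a botnet whose members each stay under
    the per-IP limit.
    """
    per_ip = defaultdict(deque)  # ip -> timestamps inside the current window
    all_ts = deque()             # every timestamp inside the current window
    noisy, distributed = set(), False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        q = per_ip[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > per_ip_limit:
            noisy.add(ip)
        all_ts.append(ts)
        while (ts - all_ts[0]).total_seconds() > window_s:
            all_ts.popleft()
        if len(all_ts) > total_limit:
            distributed = True
    return noisy, distributed


# --- constructed sample log -------------------------------------------------
_BASE = datetime(2010, 12, 8, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip, offset_s, path):
    ts = (_BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


_events = []
_events += [(0.5 * i, "192.0.2.10", "/about") for i in range(3)]            # normal browsing
_events += [(0.1 * i, "198.51.100.7", "/search?q=x") for i in range(30)]    # one noisy source
_events += [(0.05 * i, f"203.0.113.{i}", "/") for i in range(120)]           # 120 sources, 1 request each
SAMPLE_LOG = [_line(ip, t, path) for t, ip, path in sorted(_events)]


if __name__ == "__main__":
    noisy, distributed = detect_floods(SAMPLE_LOG)
    print("per-IP offenders:", sorted(noisy))
    print("distributed flood:", distributed)
```

The single noisy host is caught by the per-IP counter, but the 120 one-request sources would pass a per-IP rule entirely; only the aggregate window reveals them, which is why per-source blocking alone does so little against a botnet.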
Improving the resilience of cyber control systems
I recently saw an advert in a professional publication asking for retired computer engineers, or those with knowledge of computer systems from the 1970s, to come and work for a very significant player in the UK power generation market. They were specifically looking for maintenance and support skills, as it appears these systems need to be nursed along in their dotage. Are these systems more or less secure than modern ones? Perhaps fewer people understand how they work, which raises the bar for an attacker, but obscurity is not a security control: a system that nobody can patch or monitor is only safe for as long as nobody bothers to look at it.
Some control systems now use standard, freely available operating systems and networking components, because they are relatively cheap and plenty of engineers have been trained on those platforms. What these engineers often fail to see are the security implications of their work: they simply don't think about bad people doing bad things in the way that we security people do.
So my advice to secure these systems is this:
- By all means use commodity operating systems and hardware, but think long and hard about the security implications of doing so. It may not come naturally to think like an attacker, but it needs to be done.
- Consider why a control system is being connected to a network at all. Can it really be justified, or can the system remain disconnected for most of the time?
- Limit physical access to the hardware as best you can. Stuxnet is believed to have spread via infected USB drives, and the hardware I am talking about is just as susceptible to that kind of attack.
Taking these simple steps addresses a lot (but not all) of your control system problems.
Are you a Target?
It could be argued that, in the great scheme of things, most businesses and organisations will never appear on a cyberterrorist's radar, because the work they do does not attract attention from such people. On the other hand, every person and organisation is a potential target for cybercriminals, so a reasoned, objective risk assessment should always be undertaken to establish a likely risk profile. It must cover all aspects of the business, including the supply chain, employee travel, executive profiles, the nature of the business and, of course, the ever-changing worldwide geopolitical situation.
This risk assessment needs to be continuous and fully integrated into the decision-making process of the leadership team. It must be informed by intelligence gained from, and shared with, colleagues, industry communities and the authorities, ensuring a two-way flow of up-to-date, actionable and relevant information. Policies and procedures need to be built around this risk assessment, and it is vital that a converged approach is taken, such that information security experts work with physical security experts to develop the plans and skills needed to manage a cyberterrorist attack. These attacks rarely come from nowhere, and the sharing of skills and information is vital.
Employees are often in the front line against cyberterrorists, as their day-to-day activities are frequently the subject of reconnaissance by potential attackers. Phishing emails, social engineering phone calls and odd conversations are just some of the indicators that an organisation is being scoped for attack. Users must be educated about the importance of both physical and information security in their day-to-day jobs, supporting the converged approach, and must have a means of raising concerns openly, one that welcomes reports and spares the reporter any embarrassment when a good-faith report turns out to be a false alarm.
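Since the article names phishing emails as the first indicator most employees will see, here is an added example of the kind of triage check a security team can run on a reported message (my code, not from the original article). It parses a constructed raw email and reports the classic tells: a Reply-To that does not match the From domain, a display name that drops the organisation's own domain while the address comes from elsewhere, urgency wording in the subject, and HTML links whose visible text names one host while the href points at another or at a bare IP address. The sample message, the `example.com` organisation domain and the indicator wording are all assumptions for illustration; the output is a list of reasons for a human to look closer, not a verdict.

```python
"""Flag common phishing indicators in a raw e-mail.

Added example (not from the original article). RAW_MESSAGE and BENIGN_MESSAGE
are constructed; OUR_DOMAIN stands in for the organisation's own domain. The
checks are heuristics that produce reasons for a human to look closer.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

OUR_DOMAIN = "example.com"  # assumption: the organisation's own domain

RAW_MESSAGE = """From: "IT Helpdesk (example.com)" <helpdesk@examp1e-support.net>
Reply-To: creds-collector@mailer.invalid
To: staff@example.com
Subject: URGENT: password expires today
Content-Type: text/html

<html><body>
<p>Your password expires in 2 hours. Verify it now:</p>
<a href="http://203.0.113.45/login">https://portal.example.com/login</a>
</body></html>
"""

BENIGN_MESSAGE = """From: Alice <alice@example.com>
To: bob@example.com
Subject: lunch
Content-Type: text/plain

See you at 12.
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def phishing_indicators(raw):
    """Return a list of indicator descriptions; an empty list means none found."""
    msg = message_from_string(raw)
    hits = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        hits.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {_domain(from_addr)}")
    if OUR_DOMAIN in from_name.lower() and _domain(from_addr) != OUR_DOMAIN:
        hits.append(f"Display name mentions {OUR_DOMAIN} but sender domain is {_domain(from_addr)}")
    if re.search(r"\b(urgent|immediately|expires? (today|in \d+ hours?))\b", msg.get("Subject", ""), re.I):
        hits.append("Urgency language in Subject")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = _LinkCollector()
    parser.feed(body)
    for href, text in parser.links:
        if _host(text) and _host(text) != _host(href):
            hits.append(f"Link text shows {_host(text)} but points to {_host(href)}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", _host(href)):
            hits.append(f"Link points to a bare IP address {_host(href)}")
    return hits


if __name__ == "__main__":
    for reason in phishing_indicators(RAW_MESSAGE):
        print("-", reason)
    print("benign message indicators:", phishing_indicators(BENIGN_MESSAGE))
```

Every one of these signals can occur in legitimate mail (marketing senders routinely use a different Reply-To), which is exactly why the user-reporting channel described above matters: the tool shortlists, the analyst decides, and the person who reported it should hear back either way.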
We have seen that the internet is awash with threats to organisations and individuals, but it is also an amazing force for good in the world supporting commerce and the freer flow of information. Inevitably, criminals, rogue states and terrorists will see the internet as an ideal tool in their armoury but by taking some reasonable precautionary steps many of these threats can be significantly reduced.