Security Watch: Don't get burned by viruses and hackers.
How an e-mail virus could cripple a nation
By Robert Vamosi 
Senior associate editor, CNET Reviews
August 13, 2003

With a publicly available search engine, a few well-chosen e-mail addresses, and off-the-shelf viral code, anyone can commit an act of cyberterrorism--or so says Roelof Temmingh, technical director of SensePost, a South African computer security company.

Speaking at the recent Black Hat Briefings and Defcon 11 conferences, Temmingh explained that the current methods of assailing computer networks--denial-of-service attacks (DoS) or remote break-ins--inconvenience too few people to really affect a nation's information infrastructure. The sort of exploit that could really hurt a country, Temmingh suggests, would more likely be based on e-mail viruses, a concept he outlined in a recent paper.

Based on experience
Hopefully, learning about how the unthinkable could happen can help us prepare for and minimize the damage from such an event should it ever occur.

Temmingh and his associates got a chance to investigate his theory while working with a South African bank. They decided to see how easy it would be to infect a bank's computer systems, which presumably are pretty secure, with an e-mail-borne virus.

Since e-mail attachments are relatively easy for IT departments to detect, they started by embedding in an e-mail message a link to a Web site that could have contained malicious code (but didn't, because the team didn't want to actually infect the bank's computers). Of the 13 IT people working at the bank, 8 downloaded the executable file the e-mail message linked to, and 5 actually executed the code on their desktop systems. This means, had the virus been real, the bank's entire network could have been infected.

Targeting e-mail
From this experiment, Temmingh extrapolated that a cyberterrorist could effectively deliver malicious code to any organization, anywhere in the world. If that individual sent the infected e-mail simultaneously to individuals in government agencies and the military, it could have devastating effects on a country's ability to communicate, carry out business, and defend itself.

The key to this attack is finding real e-mail addresses to target. For this, Temmingh wrote a few scripts that use Google to search for public references to e-mail addresses on the Web. The scripts allow him to search for e-mail addresses from a given country and to hunt in particular for individuals working for telecommunication and financial companies, energy providers, governmental departments, the military, the media, prominent local businesses, and hospitals.

There are plenty of addresses available, especially on bulletin boards and in discussion forums. If a malicious user could infect just one government system (even if it's the desktop machine of a low-ranking official), he could, in theory, infect larger government computer systems as well.

Black Hat demo
Within minutes of running the scripts at the Black Hat conference, hundreds of e-mail addresses belonging to U.S. military and government employees showed up on Temmingh's presentation screen. Judging from the collective gasp from the audience (composed mainly of U.S. government, military, and private computer-security experts), Temmingh made his point.

Some may not agree with me, but I don't think talking and writing about this sort of attack is a blueprint for disaster. Rather, becoming informed about how cyberterrorists could hurt us helps our security community learn how to protect us from these threats.

The U.S. government has long worried that a cyberattack could cripple our nation's infrastructure. Before September 11, it was one of the White House's key security concerns. But we were betting that cyberterrorists would have to be very clever to pull something like this off. It turns out that's not true. Now that we're aware of how easy it could be to carry out such an attack, we must turn our attention to making sure we're prepared for it.

What do you think? Do theories such as Temmingh's serve a constructive purpose in computer security, or do they just give hackers more ideas about how to carry out malicious acts? TalkBack to me.


© 2008 CNET Networks, Inc., a CBS Company. All rights reserved.