Ö÷²¥´óÐã

Experts may exaggerate the degree of threat!?!

Careful Rory!

If we continued with this independent thinking where would it end?

We may even conclude that climate scientists advising the government may have something to gain from over-stating the dangers of global warming.

C.

Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000?

Yes, and I remember the massive efforts that went into finding and fixing or retiring broken code. Y2K wasn't a disaster for the same reason that polio isn't much of a threat in the UK - a lot of successful preventative work.

Disable JavaScript in your browser and you’ll eliminate a huge portion of treat. Of course you’ll also cripple your online experience as most big websites require this to run. But as mentioned, no one has interest is blocking the hole, the big websites want it for user experience reasons and the private cyber security companies have no interest in plugging a hole that provides so much money.

This is a problem that really only governments can solve and probably together in partnership with web browser providers. A simple positive filter would solve the problem, any site not on the list and the user is told the site is un-vetted but can proceed at their own risk.

Agree with the skepticism re CyberWars.

Disagree with the Y2K analogy. Y2K was a threat to a huge range of businesses and public services. If it had not been addressed, we could have seen widespread failures and disruption that would have taken weeks or months to fix. Y2K bugs may have been over-hyped, but the threat was very real. Difficult to prove a negative, though.

I think they're trying to soften us up for a cyberwar on terror as an excuse to censor the internet.

Critical infrastructure should not be on the internet anyway. Stuxnet was introduced by removable media.

"are we now in danger of overhyping all of this?"

Impecable timing as ever Rory - Just as Anonymous Group target Egypt and Yemen!

Moreover, I doubt the CIO of Lush.co.uk thinks the risks are anywhere near overhyped.

I must declare a vested interest as I am an IT Security consultant to both the public and private sector in the UK.

I can not see Cyber-warfare happening soon. By warefare people tend to mean nation states conducting all out assaults on multiple targets with the aim of gaining some kind of advantage. The systems used by the various components of critical national infrastructure are diverse and there is no silver bullet which can bring them all down.

What is happening now though is twofold:

1. Cyber-espionage. There are cases of communication interception all the time designed to provide intelligence to gain competetive advantage of one kind or another. This has always happened - but the fact of the internet, the sheer volumes of information flowing and the ability to process it make it more prevalent. Consider it all a kind of cyber cold war.

2. Private cyber-armies. The most well known of these is the group known as Anonymous. In the past people associating themselves with this group have targetted groups like Scientologists. In the last few months they have targetted people perceived as anti-Wikileaks. Such private armies are likely to grow and become more prevalent - but I consider it unlikely they will have the means to conduct anything more than guerilla skirmishes in the short term.

***"Terrorists got more publicity from a car bomb than from taking down a computer network, which was a complex operation to mount."***

Given that a bunch of inept script-kiddies brought down Visa, the "complexity" aspect is vastly overstated.

_Ewan_ wrote:

Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000?

Yes, and I remember the massive efforts that went into finding and fixing or retiring broken code. Y2K wasn't a disaster for the same reason that polio isn't much of a threat in the UK - a lot of successful preventative work.

###########

Well said!

People forget, or just ignore, the hours and hours of work that went on. I remember one friend basically working a solid year before the event with his colleagues trying to get it all sorted.

He has been constantly annoyed by ignorant journalists assuming the entire thing was some kind of hoax. Just because some idiotic papers shouted the sky would fall doesn't mean that there wasn't a problem.

@8 True, but all the majority of those inept kids did was download a program which did all the actual "attacking" for them. Not exactly technical know how needed there, but so far that is the biggest problem of websites being shut down for a few hours.

When that happens to the army and their communications can't get through and that leads to actual loss of life, then REAL cyber warfare is here. But that won't happen any time soon, seeing as they have quite a few back ups, and rarely use the actual internet for any important communications.

James Rigby wrote:

"2. Private cyber-armies. The most well known of these is the group known as Anonymous...."


Although I agree that they are probably not about to take over the nuclear control system, groups like this can be a constant irritant that slows every thing down and can get a lot of press coverage.

The sad thing is that they are such a misguided bunch. They object to Egyptian authorities trying to stop access to websites, but then they react by trying to stop access to government websites. Very democratic.

They promote complete web freedom and no censorship, then censor companies that wont support their heroes by attacking their websites and trying to stop them from operating.

The internet is always going to be a potential security breach - in the end the best defence is nailing up the doors to reduce the chance of someone breaking in.

Rory is a technology journalist and like his industry colleague, Tony Collins, previously at Computer Weekly, has probably written up many Government funded 'computer systems disaster' articles and consequently is right to be wary of this particular bandwagon.

Nevertheless, information in the public domain points to the extreme vulnerability of certain control systems for electricity, gas and water grids, as these systems were never designed with security in mind.

Stuxnet has merely demonstrated that this security issue has to be urgently addressed and will need significant resources.

Furthermore, there are suspicions that large multi-national corporates, particularly in the financial sector, including Stock Exchanges, may already have suffered due to malicious activity.

Systems engineers such as myself have been aware of these security issues for some considerable time but only now, as our world becomes ever more closely interconnected, have cyberspace and related systems security issues come to the fore.

We led the world once in security with Chain Ö÷²¥´óÐã, which actually saved us and we now need to do it all over again.

Cyber warfare probably isn't a threat, but cyber espionage probably is. Computers were born in an age of cyber espionage - only we didn't call it that, back then: we called it Bletchley Park.

As with the point of most espionage, the aim of cyber spying is to gather as much data on the enemy's movements and intentions as possible, without them realising it: where sabotage is done, to do it subtly, so that they will waste months wondering why they can't get the best centrifuges they could afford running right.

The best response to cyber espionage, then, is to avoid over relying on your systems too much, never expose what should not be exposed, and never assume you are impregnable.

It was the German belief in the invulnerability of the Lorenz cipher, that made the effort of Bletchley Park worthwhile. We perhaps forget the message of the Lorenz cipher, because we were on the winning side of it, but the telling fact is, that even when they started losing U-boats in attacks that would suggest divine intervention, still the German navy continued to relay their positions and numbers to each other in intimate detail. It is placing too much faith in your systems, that is the danger, not having weak or strong systems.

And herein lies the problem. Many of the people who want to implement the solutions to this perceived threat, are deeply stupid people, who do not grasp that message. They want to harden the perimeter, when the problems are structural, human ones, within the heart of the system itself. Look at their existing systems - slapdash, half-baked networks, where an individual marine specialist, sitting at a workstation in Baghdad, can listen in on, and gather, just about the entire diplomatic and intelligence traffic of the United States government.

The telling thing, from the Bradley Manning affair, is not the quality of the data released, but how easily it could be obtained - the sight of entire US intelligence and diplomatic system, exhibiting the collective discretion of a bunch of drunken Facebook users at an especially rowdy party.

Wrapping another wall around the outside of that will achieve nothing, because it was an inside job. Why try to protect yourself from your enemies when you don't do enough about how your own people behave?

Too many of those who want to protect us from the threat of 'cyber warfare' want to buy a Perfect Lorenz cipher (and too many of the people they talk to just-so-happen to have one to sell).

Hexham_Dan @ 13

The US DoD 'Orange book' specified who can have what level of access to various grades of information i.e. it is always appropriate access.

But as the post-9/11 trauma set in, the US Government seems to have decided that that was part of the problem i.e. if certain information had been shared out more between the various agencies, then somebody would have joined the dots.

So, it seems that they decided to create a database of material, including diplomatic information, that all *interested parties* could access, so that highly sensitive material then became available to low level operatives such as Manning, with a very predictable outcome - the material leaked.

Nevertheless, as you state, in the security world, the human is the weakest link, where even 'trust but verify' is inadequate.

When that happens to the army and their communications can't get through and that leads to actual loss of life, then REAL cyber warfare is here

Oh sod it: I'm just going to throw the cat amongst the pigeons and suggest the government secretly switch to Macs. LOL.

This blogger has not worked on military systems for a couple of decades but todays software driven military systems environment offers all sorts of possibilities for mischief.

For example, weapons being turned back onto their operators or appearing to be fully functional until they need to actually be used in ernest whereupon they mysteriously malfunction.

Other possibilities include military comms and databases being hijacked and used to spread misinformation.

It seems to me that the cold war has been surreptitiously replaced by cyberwarfare, such that now even the actual enemy is anonymous.

My servers were under more intense attack a few years ago than they are now - I've just looked through the logs to see. Most attacks still seem to be originating from China and look automated and experimental - trying to give the attacker root privileges - this has always been both detected and failed (so far!) No attempted attack has got into the internal network (yet) and vital data is not physically able to be accessed from the internet ever - as it is on machines that are not connected.

However - the biggest risk is personal data accessible in clear on internet connected PCs. I personally like use once pad encryption with a very large pad as well as employing systems that ensure passwords are changed regularly and the no two password protected data are the same and all passwords are as strong as possible. I'm not overly keen on relying of technology however as the people based social cracking is only too easy. But hardware encrypted hard discs and even the humble encrypted zip files carefully used work well as does stenographic data storage systems - tried, and use them all.

The risks of denial of service attacks are quite large as is the ability to close down the whole internet - but this is generally done by states themselves such as Egypt and Iran at present to their own people's internet access - I wonder if this itself constitutes terrorism and cyberwarfare against others by depriving your own people of access to information and thus the ability to protest about what the state is doing?

It is tempting to suggest that just perhaps this wonderful age of super-dooper, ever-so-cool, internet technology that we are spending such a huge amount of money on (both as countries and as individuals), just might fit rather neatly into a sentence containing the words "Pandora's Box" and "opened."

I remember the days when shutting my front door meant shutting the world out. Seems like some distant utopian dream now ....

'Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000?'

Yes I do. For months I worked on fixing date routines in computer systems that would have failed after 1999.

Rory, will you please acknowledge that you have no idea what you are talking about regarding the Y2K bug. I was there, you weren't.

'20. At 06:20am on 05 Feb 2011, RedLinuxHacker wrote:
I was there, you weren't.'

Fair comment on most 'reporting' on tricky issues these days, that mostly seems unqualified opinion masquerading as fact

But it must be noted that 'being there' is helpful but not the be all.

What we're getting as 'news' from half the Ö÷²¥´óÐã not at Davos on hotel balconies in Egypt being evidence of that.

I agree with the posters on this thread who complain that Rory is underplaying the Y2K issue and the fact that the actual disruption was relatively minor is testament to all those people who worked very hard to sort out any potential problems.

At that time, I was involved in a project to Y2K proof a billing system (billing, I discovered, is a huge industry in its own right) and without a shadow of doubt, it would have failed completely without the work being performed.

For insiders, will the end of the epoch be an issue?

Probably not, after all it is still a couple of decades away and anything could happen between now and then and it certainly won't be my problem as I shall have 'moved on'.

"Remember the Y2K bug that was going to devastate computer systems when 1999 became 2000? "

/facepalm

As others pointed out already, the Y2k bug would have had some pretty bad consequences if it hadn't been dealt with. It was caused by programmers in the 1980s (or thereabouts) assuming that NO ONE would still be using their code in 10 / 20 years time, and so it'd be no big deal if they only had 2 digits for the year - it'd save system resources if they did it like that. Unfortunatly, people tend not to replace software that works well, and so the bug was born.

Still, the NHS one got much too expensive and could've mostly been done for free by an undergrad as their coursework assignment. "ie final year project: patients database" The cost of replacing the computers will be unavailable in the long run anyway. The only difficult/expensive bits would be the networking of the machines, and security. Still not quite sure how they got it so wrong!

The National ID card was a stupid idea from start to finish. The only "experts" who thought THAT was a good idea, even in principle, were those bidding for the contracts to build a system no-one expected to work.

With that in mind, yes we should be wary of our (taxpayers) money going down a blackhole. But, this is certainly a very real threat, as it could be used to cripple economies - imagine if telephone networks or power supplies could be switched off all across the nation, at the whim of someone half-way across the globe. Imagine the chaos that'd cause, and you'll start to see why they're so worried about it.

I'm not overly keen on relying of technology however as the people based social cracking is only too easy But hardware encrypted hard discs and even the humble encrypted zip files carefully used work well as does stenographic data storage systems - tried, and use them all.