Cyber warfare doesn’t have capacity to cause global shock

19 Jan 2011

The recent Stuxnet attack which originated in Israel and succeeded in disabling and damaging Iran’s nuclear programme indicates that cyber warfare is already upon us.

However, according to an OECD/Symantec report on cyber warfare by independent experts Dr Peter Sommer from the London School of Economics and Dr Ian Brown from Oxford University, few cyber-related events have the capacity to cause a global shock.

Nevertheless, governments need to have detailed plans in place to withstand and recover from unwanted cyber events.

The Symantec report urges that national cyber security policies encompass the needs of all citizens and not just central government facilities. It also calls for widespread ratification and use of the CyberCrime Convention.

The impact of cyber attacks

Nations will need to have plans to recover from unwanted cyber attacks – whether accidental or deliberate – to prevent growing risks of localised misery and loss as a result of the compromise of computer and telecoms services.

Catastrophic single cyber-related events could include a successful attack on one of the underlying technical protocols upon which the internet depends, such as the Border Gateway Protocol which determines routing between internet service providers and a large-scale solar flare which physically destroys key communications components, such as satellites, cellular base stations and switches.

The remainder of likely breaches of cyber security, such as malware, distributed denial of service, espionage and the actions of criminals, recreational hackers and hacktivists, will be both relatively localised and short-term in impact.

Successful prolonged cyber attacks need to combine attack vectors which are not already known to the information security community and thus not reflected in available preventative and detective technologies, so-called zero-day exploits; careful research of the intended targets; methods of concealment both of the attack method and the perpetrators; the ability to produce new attack vectors over a period as current ones are reverse-engineered and thwarted.

The recent Stuxnet attack apparently against Iranian nuclear facilities points to the future but also the difficulties. In the case of criminally motivated attacks, a method of collecting cash without being detected.

The vast majority of attacks about which concern has been expressed apply only to internet-connected computers. As a result, systems which are standalone or communicate over proprietary networks or are air-gapped from the internet are safe from these. However, these systems are still vulnerable to management carelessness and insider threats.

Proliferation of exploit toolkits

Speaking with earlier this week, Patrick Fitzgerald from Symantec in Ireland said research shows the greater threats are coming from ordinary internet users getting their hands on exploit toolkits. “These don’t require much sophistication from an end-user point of view. The fact is exploit toolkits are proliferating at an alarming pace.”

According to Fitzgerald, exploit toolkits can be acquired and configured to the needs of a hacker. Often these exploit kits would trick users into visiting a website and then infecting their computer.

“The levels of sophistication vary widely,” he explained. “At the top level are the creators of the exploit toolkits who monetise their skills without taking part in the actual attacks or exploits.

“Hackers will always look for the low-hanging fruit. The point here is you don’t have to be a sophisticated hacker to unleash a botnet attack in a kit, you just have to be aware and have a modicum of technology to use them.

“Social networks are the favourite attack vectors for these people. Sixty-five per cent of people compromised are people searching for video. They’ll see something that sounds interesting, try to download it and when told they need to run a codec to view the video they get stung. These are effective social-engineering tactics.”

Another typical scam would be the sale of fake anti-virus toolkits where users are told they have so many infections and they need to pay to have them removed. “These scams are typically being pushed by these toolkits.”

I ask Fitzgerald if criminal gangs are becoming more and more au fait with hacking tools and exploit toolkits. “Criminal gangs have been involved for quite a while now. There’s definitely an underground economy driving all of this. It is possible that underground gangs are driving the creation of these toolkits to use for monetary gain.

“The danger is they prey on people who don’t have the experience to spot these scams. The key to defence is education and making sure people are aware of the various types of scams going on. For businesses and state organisations, it is vital from an enterprise level to the board and cabinet that there are plans in place,” Fitzgerald said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years