Keeping hackers from the 'dark side'

Cyberterrorism: threat or hype?


There have been many warnings about the threat of cyberterrorism, especially in the wake of the September 11 attacks. Do you believe this to be a serious threat, or just hype?

I think some of it is hype. I think a lot of what is going on in terms of the increased numbers is just via natural growth and a natural progression. I don't believe that there are huge plots going on left and right. I think a lot of it is the little guys, the individuals, that we have to watch out for, rather than the organisations. If you have one bad apple out there...well there are a lot of stinking apples out there, individuals, and it's amazing--the power of one. The power of one has a different meaning on the Internet; you know one person that can take down an eBay, one person that can take down a Bank of America.

And that 'one' seems to be becoming increasingly younger.

That's right, you are much safer with a person with grey hair (she says laughing).

In terms of these attacks, and others where the perpetrator has been caught, do you think that the penalties have been appropriate?

It's been a mixed bag as to how the US is handling it. It's like one of those things where we are just at the beginning of it, so we don't have all our laws set to handle it. I don't think that the legislature, or judicial system is really set for what we've got.

Our justice department isn't savvy enough, our jury isn't savvy enough and we're not handing out appropriate penalties in all cases. So we have definite issues in the Justice Department and these big, high profile cases really bring out, even further, what some of our weaknesses are.

Is another by-product of these cases the panic and fear they instill in the average Internet user?

It's a huge fear. I mean, my mother will not charge anything on the Internet [to her credit card]. She's read all the stories, all the horror stories of everything going on.

Is the IT industry in a position to combat this fear? How can it achieve a level of consumer-understanding that will allay fears and promote usage?

I think it's education, education, education. If we can put some things in perspective, like out of the Internet transactions, how many of those are actually bogus transactions or illegal transactions? People have a tendency to sensationalise one instance, but let's look at overall. It's incredible the amount of traffic that goes through the Internet, and the amount of transactions.

Have you noticed a trend towards an increase in attacks, or cybercrime activity?

CERT [Computer Emergency Response Team] shows the number of incidents reported to CERT have more than doubled from 21,756 in 2000 to 52,658 in 2001. More than doubled in just one year!

Could you offer any explanations for this increase? Could it be attributed to the education of the masses in both practicing and identifying cybercrime?

Unfortunately, you can't take that number by itself, because you don't know how the Internet has grown in comparison, how many people have that level of knowledge and have learned to hack.

But the number of emergency calls has not increased.

Any reason for that?

It could be because more people know where to go, and how to react--where to go for the information. Instead of calling CERT, they know to go immediately to the vendors and find out how to fix the problem. It might be that certain vendors have done a better job educating people on where to go when the real problems crop up.

Do you think vendors are playing an important role in education of security issues and vulnerabilities?

No. I think they're terrible. I think there are vendors out there who don't care that they have vulnerabilities. I think there are vendors out there that, if you tell them what the vulnerability is, they'll just shove it under the rug and hope it doesn't get spread around. It's only publicity that brings them to the point of fixing the problem.

Does that include Microsoft, even though it has recently highlighted a new security strategy?

If Microsoft does take the role where it says it is not going to release a product until it's secure...it will be interesting to see what the timeline is for development.

What they ought to do is just hire some of these really strong hackers, and bring them into the testing loop. Say, "we get usability tested so we know our users like that button looking green. Next week, we'll have a security test."

Because the majority of the security community does that anyway?

They do. Microsoft is just a huge target, it's just walking around with a huge target on it all the time.

Laura Chappell is presenting a series of cybercrime workshops in Australia in 2002. For more information, visit www.frontend.com.au.


Talkback 2 comments

    John Everyman -- 26/03/02

    WHAT A LOAD OF CRAP

    I would like to see a technical explanation of how this lady brings down 25 machines with one packet after 'unloading the LAN driver'.

    Far from shattering the 'hacker myth' you are contributing to it with these ill-informed self proclaimed experts. Get some of the real 'professional hacker' types to write you an article instead of these clueless wannabes.

    Anonymous -- 03/02/03

    I gotta agree with the other guy if u bring down 25 pc's with a driver of any kind either you tampered with the driver or you just hacked, which makes you the criminal you are trying to claim is your enemy. How hypocritical of you to call them a problem when you get paid to hack yourself. Is it different because one person gets paid to do it and the others don't? And why isn't there any reports of the true hackers not crackers who go through and just look and learn. Learn what a word means before you choose to hate it. That's just another form of prejudice. So deal with your own issues before you judge others on theirs.
