http://news.zdnet.co.uk/security/0,1000000189,39292357,00.htm
By Tom Espiner
ZDNet.co.uk
23 Jan 2008
The security expert has warned of an increase in cyber-extortion, but
added there is no need for panic about attacks on critical national
infrastructures
Security expert Bruce Schneier has warned that cyber-extortion is on the
rise, but gave the caveat that it mainly affects "fringe" industries,
such as online gambling, rather than critical national infrastructure
organisations.
Schneier wrote in a blog post on Tuesday that the security company he
founded, Counterpane, has seen proof of attack capability followed by
extortion demands but said the attacks he had seen had not been against
power companies. He wrote the blog post in response to a CIA statement,
reported by security training body the Sans Institute, that a
cyberattack had caused a power blackout in multiple cities in a country
outside the US. The CIA also said it had evidence of blackmail demands
following demonstrations of successful "intrusions through the
internet".
"Cyber-extortion is certainly on the rise; we see it at Counterpane,"
Schneier wrote. "Primarily it's against fringe industries online
gambling, online gaming, online porn operating offshore in countries
like Bermuda and the Cayman Islands. [Cyber-extortion] is going
mainstream, but this is the first I've heard of it targeting power
companies."
Schneier counselled calm, saying that it was not known whether
supervisory control and data acquisition (Scada) arrays, which many
critical national infrastructure organisations use to control and
measure systems, had been compromised.
"This CIA titbit tells us nothing about how the attacks happened,"
Schneier wrote. "Were they against Scada systems? Were they against
general-purpose [computers] maybe Windows machines? Insiders may have
been involved, so was this a computer security vulnerability at all? We
have no idea. I'd like a little bit more information before I start
panicking."
Alan Paller, director of research for the Sans Institute, told
ZDNet.co.uk on Tuesday that Tom Donahue the CIA analyst who reported the
attack to a Sans Institute conference a week ago had not divulged the
countries involved, nor the method of attack, nor when the attacks had
occurred. However, Paller confirmed that US power companies had not been
involved.
"All we know from Tom [Donahue] is that it was not US companies [that
were attacked]," Paller wrote in an email exchange with ZDNet.co.uk.
"The CIA is involved because Tom [Donahue] is the person responsible for
the US cyberthreat analysis, and he and his management chain must have
felt the risk to US companies was elevated because it had happened for
real in other countries, and because the quality of security in many US
utilities needs immediate and substantial improvement."
Received on Fri Jan 25 00:27:35 2008