Entries Tagged "infrastructure"


Pirate Terrorists in Chesapeake Bay

This is a great movie-plot threat:

Pirates could soon find their way to the waters of the Chesapeake Bay. That’s assuming that a liquefied natural gas terminal gets built at Sparrows Point.

The folks over at the LNG Opposition Team have long said that building an LNG plant on the shores of the bay would surely invite terrorists to attack. They say a recent increase in piracy off the Somali coast is fodder for their argument.

Remember—if you don’t like something, claim that it will enable, embolden, or entice terrorists. Works every time.

Posted on May 18, 2009 at 1:38 PM

Attacking the Food Supply

Terrorists attacking our food supply is a nightmare scenario that has been given new life during the recent swine flu outbreak. Although it seems easy to do, understanding why it hasn’t happened is important. G.R. Dalziel, at the Nanyang Technological University in Singapore, has written a report chronicling every confirmed case of malicious food contamination in the world since 1950: 365 cases in all, plus 126 additional unconfirmed cases. What he found demonstrates the reality of terrorist food attacks.

It turns out 72% of the food poisonings occurred at the end of the food supply chain—at home—typically by a friend, relative, neighbour, or co-worker trying to kill or injure a specific person. A characteristic example is Heather Mook of York, who in 2007 tried to kill her husband by putting rat poison in his spaghetti.

Most of these cases resulted in fewer than five casualties—Mook only injured her husband in this incident—although 16% resulted in five or more. Of the 19 cases that claimed 10 or more lives, four involved serial killers operating over several years.

Another 23% of cases occurred at the retail or food service level. A 1998 incident in Japan, where someone put arsenic in a curry sold at a summer festival, killing four and hospitalising 63, is a typical example. Only 11% of these incidents resulted in 100 or more casualties, while 44% resulted in none.

There are very few incidents of people contaminating the actual food supply. People deliberately contaminated a water supply seven times, resulting in three deaths. There is only one example of someone deliberately contaminating a crop before harvest—in Australia in 2006—and the crops were recalled before they could be sold. And in the three cases of someone deliberately contaminating food during packaging and distribution, including a 2005 case in the UK where glass and needles were baked into loaves of bread, no one died or was injured.

This isn’t the stuff of bioterrorism. The closest example occurred in 1984 in the US, where members of a religious group known as the Rajneeshees contaminated several restaurant salad bars with salmonella enterica typhimurium, sickening 751, hospitalising 45, but killing no one. In fact, no one knew this was malicious until a year later, when one of the perpetrators admitted it.

Almost all of the food contaminations used conventional poisons such as cyanide, drain cleaner, mercury, or weed killer. There were nine incidents of biological agents, including salmonella, ricin, and faecal matter, and eight cases of radiological matter. The 2006 London poisoning of the former KGB agent Alexander Litvinenko with polonium-210 in his tea is an example of the latter.

And that assassination illustrates the real risk of malicious food poisonings. What is discussed in terrorist training manuals, and what the CIA is worried about, is the use of contaminated food in targeted assassinations. The quantities involved for mass poisonings are too great, the nature of the food supply too vast and the details of any plot too complicated and unpredictable to be a real threat. That becomes crystal clear as you read the details of the different incidents: it’s hard to kill one person, and very hard to kill dozens. Hundreds, thousands: it’s just not going to happen any time soon. The fear of bioterror is much greater, and the panic from any bioterror scare will injure more people, than bioterrorism itself.

Far more dangerous are accidental contaminations due to negligent industry practices, such as the 2006 spinach E coli and, more recently, peanut salmonella contaminations in the US, the 2008 milk contaminations in China, and the BSE-infected beef from earlier this decade. And the systems we have in place to deal with these accidental contaminations also work to mitigate any intentional ones.

In 2004, the then US secretary of health and human services, Tommy Thompson, said on Fox News: “I cannot understand why terrorists have not attacked our food supply. Because it is so easy to do.”

Guess what? It’s not at all easy to do.

This essay previously appeared in The Guardian.

Posted on May 14, 2009 at 6:24 AM

Yet Another New York Times Cyberwar Article

It’s the season, I guess:

The United States has no clear military policy about how the nation might respond to a cyberattack on its communications, financial or power networks, a panel of scientists and policy advisers warned Wednesday, and the country needs to clarify both its offensive capabilities and how it would respond to such attacks.

The report, based on a three-year study by a panel assembled by the National Academy of Sciences, is the first major effort to look at the military use of computer technologies as weapons. The potential use of such technologies offensively has been widely discussed in recent years, and disruptions of communications systems and Web sites have become a standard occurrence in both political and military conflicts since 2000.

Here’s the report summary, which I have not read yet.

I was particularly disturbed by the last paragraph of the newspaper article:

Introducing the possibility of a nuclear response to a catastrophic cyberattack would be expected to serve the same purpose.

Nuclear war is not a suitable response to a cyberattack.

Posted on May 1, 2009 at 10:46 AM

Hacking U.S. Military Satellites

The problem is more widespread than you might think:

First lofted into orbit in the 1970s, the FLTSATCOM bird was at the time a major advance in military communications. Their 23 channels were used by every branch of the U.S. armed forces and the White House for encrypted data and voice, typically from portable ground units that could be quickly unpacked and put to use on the battlefield.

As the original FLTSAT constellation of four satellites fell out of service, the Navy launched a more advanced UFO satellite (for Ultra High Frequency Follow-On) to replace them. Today, there are two FLTSAT and eight UFO birds in geosynchronous orbit. Navy contractors are working on a next-generation system called Mobile User Objective System beginning in September 2009.

Until then, the military is still using aging FLTSAT and UFO satellites—and so are a lot of Brazilians. While the technology on the transponders still dates from the 1970s, radio sets back on Earth have only improved and plummeted in cost—opening a cheap, efficient and illegal backdoor.

To use the satellite, pirates typically take an ordinary ham radio transmitter, which operates in the 144- to 148-MHz range, and add a frequency doubler cobbled from coils and a varactor diode. That lets the radio stretch into the lower end of FLTSATCOM’s 292- to 317-MHz uplink range. All the gear can be bought near any truck stop for less than $500. Ads on specialized websites offer to perform the conversion for less than $100. Taught the ropes, even rough electricians can make Bolinha-ware.

Posted on April 23, 2009 at 12:30 PM

U.S. Power Grid Hacked, Everyone Panic!

Yesterday I talked to at least a dozen reporters about this breathless Wall Street Journal story:

Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

The spies came from China, Russia and other countries, these officials said, and were believed to be on a mission to navigate the U.S. electrical system and its controls. The intruders haven’t sought to damage the power grid or other key infrastructure, but officials warned they could try during a crisis or war.

“The Chinese have attempted to map our infrastructure, such as the electrical grid,” said a senior intelligence official. “So have the Russians.”

[…]

Authorities investigating the intrusions have found software tools left behind that could be used to destroy infrastructure components, the senior intelligence official said. He added, “If we go to war with them, they will try to turn them on.”

Officials said water, sewage and other infrastructure systems also were at risk.

“Over the past several years, we have seen cyberattacks against critical infrastructures abroad, and many of our own infrastructures are as vulnerable as their foreign counterparts,” Director of National Intelligence Dennis Blair recently told lawmakers. “A number of nations, including Russia and China, can disrupt elements of the U.S. information infrastructure.”

Read the whole story; there aren’t really any facts in it. I don’t know what’s going on; maybe it’s just budget season and someone is jockeying for a bigger slice.

Honestly, I am much more worried about random errors and undirected worms in the computers running our infrastructure than I am about the Chinese military. I am much more worried about criminal hackers than I am about government hackers. I wrote about the risks to our infrastructure here, and about Chinese hacking here.

And I wrote about last year’s reports of international hacking of our SCADA control systems here.

Posted on April 9, 2009 at 12:02 PM

Stealing Commodities

Before his arrest, Tom Berge stole lead roof tiles from several buildings in south-east England, including the Honeywood Museum in Carshalton, the Croydon parish church, and the Sutton high school for girls. He then sold those tiles to scrap metal dealers.

As a security expert, I find this story interesting for two reasons. First, amongst increasingly ridiculous attempts to ban, or at least censor, Google Earth, lest it help the terrorists, here is an actual crime that relied on the service: Berge needed Google Earth for reconnaissance.

But more interesting is the discrepancy between the value of the lead tiles to the original owner and to the thief. The Sutton school had to spend £10,000 to buy new lead tiles; the Croydon Church had to repair extensive water damage after the theft. But Berge only received £700 a ton from London scrap metal dealers.

This isn’t an isolated story; the same dynamic is in play with other commodities as well.

There is an epidemic of copper wiring thefts worldwide; copper is being stolen out of telephone and power stations—and off poles in the streets—and thieves have killed themselves because they didn’t understand the dangers of high voltage. Homeowners are returning from holiday to find the copper pipes stolen from their houses. In 2001, scrap copper was worth 70 cents per pound. In April 2008, it was worth $4.

Gasoline siphoning became more common as pump prices rose. And used restaurant grease, formerly either given away or sold for pennies to farmers, is being stolen from restaurant parking lots and turned into biofuels. Newspapers and other recyclables are stolen from curbs, and trees are stolen and resold as Christmas trees.

Iron fences have been stolen from buildings and houses, manhole covers have been stolen from the middle of streets, and aluminum guard rails have been stolen from roadways. Steel is being stolen for scrap, too. In 2004 in Ukraine, thieves stole an entire steel bridge.

These crimes are particularly expensive to society because the replacement cost is much higher than the thief’s profit. A manhole cover is worth $5–$10 as scrap, but it costs $500 to replace, including labor. A thief may take $20 worth of copper from a construction site, but do $10,000 in damage in the process. And even if the thieves don’t get to the copper or steel, the increased threat means more money being spent on security to protect those commodities in the first place.

Security can be viewed as a tax on the honest, and these thefts demonstrate that our taxes are going up. And unlike many taxes, we don’t benefit from their collection. The cost to society of retrofitting manhole covers with locks, or replacing them with less resalable alternatives, is high; but there is no benefit other than reducing theft.

These crimes are a harbinger of the future: evolutionary pressure on our society, if you will. Criminals are often referred to as social parasites; they leech off society but provide no useful benefit. But they are an early warning system of societal changes. Unfettered by laws or moral restrictions, they can be the first to respond to changes that the rest of society will be slower to pick up on. In fact, currently there’s a reprieve. Scrap metal prices are all down from last year’s—copper is currently $1.62 per pound, and lead is half what Berge got—and thefts are down along with them.

We’ve designed much of our infrastructure around the assumptions that commodities are cheap and theft is rare. We don’t protect transmission lines, manhole covers, iron fences, or lead flashing on roofs. But if commodity prices really are headed for new higher stable points, society will eventually react and find alternatives for these items—or find ways to protect them. Criminals were the first to point this out, and will continue to exploit the system until it restabilizes.

A version of this essay originally appeared in The Guardian.

Posted on April 3, 2009 at 5:25 AM

A Solar Plasma Movie-Plot Threat

This is impressive:

It is midnight on 22 September 2012 and the skies above Manhattan are filled with a flickering curtain of colourful light. Few New Yorkers have seen the aurora this far south but their fascination is short-lived. Within a few seconds, electric bulbs dim and flicker, then become unusually bright for a fleeting moment. Then all the lights in the state go out. Within 90 seconds, the entire eastern half of the US is without power.

A year later and millions of Americans are dead and the nation’s infrastructure lies in tatters. The World Bank declares America a developing nation. Europe, Scandinavia, China and Japan are also struggling to recover from the same fateful event—a violent storm, 150 million kilometres away on the surface of the sun.

[…]

It is hard to conceive of the sun wiping out a large amount of our hard-earned progress. Nevertheless, it is possible. The surface of the sun is a roiling mass of plasma—charged high-energy particles—some of which escape the surface and travel through space as the solar wind. From time to time, that wind carries a billion-tonne glob of plasma, a fireball known as a coronal mass ejection (see “When hell comes to Earth”). If one should hit the Earth’s magnetic shield, the result could be truly devastating.

The incursion of the plasma into our atmosphere causes rapid changes in the configuration of Earth’s magnetic field which, in turn, induce currents in the long wires of the power grids. The grids were not built to handle this sort of direct current electricity. The greatest danger is at the step-up and step-down transformers used to convert power from its transport voltage to domestically useful voltage. The increased DC current creates strong magnetic fields that saturate a transformer’s magnetic core. The result is runaway current in the transformer’s copper wiring, which rapidly heats up and melts. This is exactly what happened in the Canadian province of Quebec in March 1989, and six million people spent 9 hours without electricity. But things could get much, much worse than that.

Posted on March 26, 2009 at 12:44 PM

Helping the Terrorists

It regularly comes as a surprise to people that our own infrastructure can be used against us. And in the wake of terrorist attacks or plots, there are fear-induced calls to ban, disrupt or control that infrastructure. According to officials investigating the Mumbai attacks, the terrorists used images from Google Earth to help learn their way around. This isn’t the first time Google Earth has been charged with helping terrorists: in 2007, Google Earth images of British military bases were found in the homes of Iraqi insurgents. Incidents such as these have led many governments to demand that Google remove or blur images of sensitive locations: military bases, nuclear reactors, government buildings, and so on. An Indian court has been asked to ban Google Earth entirely.

This isn’t the only way our information technology helps terrorists. Last year, a US army intelligence report worried that terrorists could plan their attacks using Twitter, and there are unconfirmed reports that the Mumbai terrorists read the Twitter feeds about their attacks to get real-time information they could use. British intelligence is worried that terrorists might use voice over IP services such as Skype to communicate. Terrorists may train on Second Life and World of Warcraft. We already know they use websites to spread their message and possibly even to recruit.

Of course, all of this is exacerbated by open-wireless access, which has been repeatedly labelled a terrorist tool and which has been the object of attempted bans.

Mobile phone networks help terrorists, too. The Mumbai terrorists used them to communicate with each other. This has led some cities, including New York and London, to propose turning off mobile phone coverage in the event of a terrorist attack.

Let’s all stop and take a deep breath. By its very nature, communications infrastructure is general. It can be used to plan both legal and illegal activities, and it’s generally impossible to tell which is which. When I send and receive email, it looks exactly the same as a terrorist doing the same thing. To the mobile phone network, a call from one terrorist to another looks exactly the same as a mobile phone call from one victim to another. Any attempt to ban or limit infrastructure affects everybody. If India bans Google Earth, a future terrorist won’t be able to use it to plan; nor will anybody else. Open Wi-Fi networks are useful for many reasons, the large majority of them positive, and closing them down affects all those reasons. Terrorist attacks are very rare, and it is almost always a bad trade-off to deny society the benefits of a communications technology just because the bad guys might use it too.

Communications infrastructure is especially valuable during a terrorist attack. Twitter was the best way for people to get real-time information about the attacks in Mumbai. If the Indian government shut Twitter down – or London blocked mobile phone coverage – during a terrorist attack, the lack of communications for everyone, not just the terrorists, would increase the level of terror and could even increase the body count. Information lessens fear and makes people safer.

None of this is new. Criminals have used telephones and mobile phones since they were invented. Drug smugglers use airplanes and boats, radios and satellite phones. Bank robbers have long used cars and motorcycles as getaway vehicles, and horses before then. I haven’t seen it talked about yet, but the Mumbai terrorists used boats as well. They also wore boots. They ate lunch at restaurants, drank bottled water, and breathed the air. Society survives all of this because the good uses of infrastructure far outweigh the bad uses, even though the good uses are – by and large – small and pedestrian and the bad uses are rare and spectacular. And while terrorism turns society’s very infrastructure against itself, we only harm ourselves by dismantling that infrastructure in response – just as we would if we banned cars because bank robbers used them too.

This essay originally appeared in The Guardian.

EDITED TO ADD (1/29): Other ways we help the terrorists: we put computers in our libraries, we allow anonymous chat rooms, we permit commercial databases and we engage in biomedical research. Grocery stores, too, sell food to just anyone who walks in.

EDITED TO ADD (2/3): Washington DC wants to jam cell phones too.

EDITED TO ADD (2/9): Another thing that will help the terrorists: in-flight Internet.

Posted on January 29, 2009 at 6:00 AM

Mumbai Terrorists Used Google Earth, Boats, Food

The Mumbai terrorists used Google Earth to help plan their attacks. This is bothering some people:

Google Earth has previously come in for criticism in India, including from the country’s former president, A.P.J. Abdul Kalam.

Kalam warned in a 2005 lecture that the easy availability online of detailed maps of countries from services such as Google Earth could be misused by terrorists.

Of course the terrorists used Google Earth. They also used boats, and ate at restaurants. Don’t even get me started about the fact that they breathed air and drank water.

A Google spokeswoman said in an e-mail today that Google Earth’s imagery is available through commercial and public sources. Google Earth has also been used by aid agencies for relief operations, which outweighs abusive uses, she said.

That’s true for all aspects of human infrastructure. Yes, the bad guys use it: bank robbers use cars to get away, drug smugglers use radios to communicate, child pornographers use e-mail. But the good guys use it, too, and the good uses far outweigh the bad uses.

Posted on December 8, 2008 at 2:20 PM

Communications During Terrorist Attacks are Not Bad

Twitter was a vital source of information in Mumbai:

News on the Bombay attacks is breaking fast on Twitter with hundreds of people using the site to update others with first-hand accounts of the carnage.

The website has a stream of comments on the attacks which is being updated by the second, often by eye-witnesses and people in the city. Although the chatter cannot be verified immediately and often reflects the chaos on the streets, it is becoming the fastest source of information for those seeking unfiltered news from the scene.

But we simply have to be smarter than this:

In the past hour, people using Twitter reported that bombings and attacks were continuing, but none of these could be confirmed. Others gave details on different locations in which hostages were being held.

And this morning, Twitter users said that Indian authorities were asking users to stop updating the site for security reasons.

One person wrote: “Police reckon tweeters giving away strategic info to terrorists via Twitter”.

Another link:

I can’t stress enough: people can and will use these devices and apps in a terrorist attack, so it is imperative that officials start telling us what kind of information would be relevant from Twitter, Flickr, etc. (and, BTW, what shouldn’t be spread: one Twitter user in Mumbai tweeted me that people were sending the exact location of people still in the hotels, and could tip off the terrorists) and that they begin to monitor these networks in disasters, terrorist attacks, etc.

This fear is exactly backwards. During a terrorist attack—during any crisis situation, actually—the one thing people can do is exchange information. It helps people, calms people, and actually reduces the thing the terrorists are trying to achieve: terror. Yes, there are specific movie-plot scenarios where certain public pronouncements might help the terrorists, but those are rare. I would much rather err on the side of more information, more openness, and more communication.

Posted on December 1, 2008 at 12:02 PM

Sidebar photo of Bruce Schneier by Joe MacInnis.