What many consider a 'standard' Verton piece, basically no substance, no new material and little proof. Consider that a year later, Verton changes his stance on cyberwar , calling it 'hyperbole'.



November 13, 2000

As hacker groups in the Middle East threaten to launch a "cyber-Jihad," or electronic holy war, against companies with ties to Israel, security experts said Internet security at most U.S. companies remains woefully inadequate to defend against such attacks.

Pro-Palestinian hacker groups, some of which have links to international terrorist Osama bin Laden and anti-U.S. terrorist organizations, have vowed to launch a new round of cyberattacks as part of an ongoing wave of violence that began this fall between Israelis and Palestinians. As of last week, pro-Palestinian hackers had attacked as many as 40 Web sites around the world, and pro-Israeli groups had hit more than 15.

To date, both sides have managed to penetrate Web servers and deface Web pages as part of a sustained disinformation campaign, and they have also been successful in keeping major service providers off-line through various denial-of-service techniques.

Just last week, hackers attacked Lucent Technologies Inc. However, a spokesperson for the Murray Hill, N.J.-based company said that no damage was done and that it was "business as usual" for the site.

Saying Pro-Palestinian hacker groups, and not naming them or referencing their connections to bin Laden is sensationalist. Saying they attacked '40 Web sites around the world' and immediately go into "hackers" attacking Lucent and not having success, tries to elevate the level of attack and put a big name to the attack, when it has nothing to do with it. Verton doesn't even qualify if it was "Pro-Palestinian" hackers that attacked Lucent or not.

A spokesman for the FBI confirmed that the attacks "have moved beyond what we've seen in the past in terms of sophistication." In fact, some hackers have been sharing information on specific port vulnerabilities on individual systems, the spokesman said.

This is just about the most generic and silly statement you could get from the FBI. To deface a web server requires exploiting a "specific port vulnerability on an individual system". How is that "moving beyond what we've seen .. in terms of sophistication"?


In another case, a member of the Xegypt hacker group who goes by the name ReALiST posted a message on an Arab hacker bulletin board asking for help to do just that.

"I'm thinking of installing [Tribal Flood Network 3000] servers and doing the CNN.com and Yahoo.com thing again any one in, mail me quick [sic]," the message stated.

Really? This is somehow validation of anything other than a moron that just read about a piece of software and is thinking of installing it?

Pro-Palestinian hackers have also deployed a FloodNet-type tool known as "defend," and are currently using it to attack at least seven targets, according to iDefense.

Defend requests nonexistent pages on targeted sites by calling for Web site addresses based on the current date to defeat Web-cache-related security mechanisms, which in the past have prevented hacker penetrations.

Verton mixes terminology again; a denial of service attack based on flooding a server has nothing to do with a 'penetration'. "Web-cache-related" security mechanisms that look for requests based on date do not stop 'penetrations'.

Unheeded Warning

The FBI and security vendors have been issuing warnings about such attacks, but most U.S. companies nonetheless remain unprepared for them, experts said.

One recent audit showed that 97% of U.S. firms are vulnerable to the tactics being used by pro-Palestinian hackers, according to Peggy Wiegle, CEO of Sanctum Inc., a Santa Clara, Calif.-based company that has helped defend Israeli government Web sites.

For example, Wiegle said, most sites don't have security software installed that is capable of blocking hackers who break into back-end systems through vulnerable Web browser applications such as shopping carts.

Perhaps Peggy Wiegle could tell us what magic software a company can install to protect against web application attacks? History has shown us that no combination of security mechanisms can stop all attacks, that it requires secure application coding more than anything. Any claims in 2000 that some mechanism could protect web applications was marketing hype at best.


main page ATTRITION feedback