The Internet is a mine of useful information, a repository of knowledge that makes the Library of Alexandria look like a leaflet. So naturally, we're using all that information to try and kill ourselves – and to kill others. The thought of would-be terrorists downloading the explosive equivalents of a Haynes manual is pretty scary, but do such things exist? And are would-be bombers really using the Internet to download the recipe for ricin and peruse the pages of the Anarchist Cookbook?
Factor in the eBooks and sites that tell you how to make bombs, booby-traps or botnets, the ease with which you can track and trace individuals, and all the other dubious joys of the information revolution, and we face an obvious question: is there such a thing as too much information?
Since January, Japan has seen more than 40 suicides linked to websites that explain how to make poisonous hydrogen sulphide gas from bath salts and detergent. Police have asked ISPs to block access to such sites – but when one site is blocked, another springs up in its place.
In April 2008, 19-year-old Bristolian Andrew Ibrahim was charged under the Terrorism Act after police found the explosive hexamethylene triperoxide diamine (HTMD) in his house. You can make HTMD in the bath from common household chemicals.
In 2007, the FBI foiled a plot to explode gas pipelines at John F Kennedy Airport. The charge sheet notes that one of the accused, Abdul Kadir, repeatedly urged his co-conspirators to use Google Earth's satellite imagery of the airport to identify "the fuel tank locations and air traffic control tower… [and] the distance between the street and the fuel tanks." In the same year, The Times reported that Iraqi insurgents also used Google Earth to plan their attacks on British bases in Basra.
Jeremy Binnie is News and Analysis Editor at Jane's Terrorism and Insurgency Centre. He notes that the most easily found ricin recipe is useless and that many terror manuals have a tenuous grasp of reality. "We've reviewed Arabic-language manuals available on jihadist websites, and they are often vague, if not technically inaccurate," he says. "Much of the information is derived from the Anarchist Cookbook and its imitators, or US survivalist manuals, and are really of little use as online tutorials – the ricin recipe being an excellent example. The threat from this poison was massively over‑hyped by the media. This also applies to manuals on making chemical, biological and radiological weapons."
The Anarchist Cookbook is famously flawed – it contains instructions on isolating the non-existent drug Bananadine from banana skins – and contains a number of serious and potentially dangerous or even deadly errors. As the Anarchist Cookbook FAQ notes: "People strongly advise you to stay away from [the book] if you enjoy having your limbs." And that's assuming you've actually found the right book, because over the years all kinds of nonsense has been labelled as the Anarchist Cookbook and circulated online.
Even when the online information is accurate, that doesn't necessarily mean that it's useful. Recipes for TATP (Acetone Peroxide), a favourite of would‑be bombers and apparently used in the 7/7 London bombings, are widely available – but you've got to be mad to make it, because it's exceptionally unstable. As one website puts it, TATP "makes nitro-glycerine look safe."
Getting key ingredients could be difficult too. In 2006, the Fertiliser Industry Assurance Scheme was launched to ensure that ammonium nitrate-based fertiliser – a key component of explosives and a key ingredient in many online bomb-making recipes – was only sold to established account holders or people who could prove their identities. The National Counter-Terrorism Security Office (NaCTSO) publishes guidelines for farmers and tours trade shows to encourage legitimate users to keep their supplies secure.
Of course, it's possible to make explosives from all kinds of things, including everyday chemicals. However, the manufacturing process can be extremely risky and even if you get it right, the explosive might not work. The 2007 London bombings killed 52 people, but the intended follow-up on 21/7 failed. It's possible that the unsuccessful bombs were made from the same chemicals as the 7/7 bombs, but that the explosives had degraded and become useless; however, according to newspaper reports the culprit may have been simple incompetence: the detonators fired but the bombs didn't go off.
It seems, then, that online terror manuals could even thwart the criminal – either by blowing terrorists up in the privacy of their own homes or by creating useless explosives that enable the police to catch the creators.
"Even in terms of putting together improvised explosive devices, the manuals are no substitute for hands-on training with experienced instructors," Binnie says. "I would say the utility of Internet training manuals remains limited – although it will probably improve over time."
Terror by Denial of Service
Forget explosives. As anyone who's seen Die Hard 4.0 knows, you can do much more damage by hacking into the power network and bringing down an entire country. But is it a credible threat? Could terrorists use Distributed Denial of Service attacks?
Graham Cluley is Senior Technology Consultant with Sophos. "Usually DDoS attacks appear to have been done for purposes of blackmail or mischief rather than terror or warfare, although there have been claims (without published evidence to confirm) that the governments of overseas countries have targeted systems of their rivals in the past," he says. "Although critical parts of the national infrastructure do not presently rely on an online presence to survive, disruption is still possible in some areas if a botnet bombarded sites with a prolonged and sustained attack. Even non-targeted systems can be hit with 'collateral damage' – for instance, a very large botnet could overwhelm some Internet service providers by generating vast amounts of data traffic."
Online banking is an obvious target for Denial of Service attacks. A high profile attack could potentially cause a Northern Rock-style run on the bank, and it's possible that a simultaneous attack on all the online banks could cause economic chaos. However, to date at least, DDoS attacks have been an irritant rather than a disaster for the banks that have been targeted.
What about the Die Hard scenario, where terrorists take down essential utilities? "Newspaper headlines in the past have raised the spectre of terrorists hacking into nuclear power plants or water works in order to endanger the lives of citizens. This threat has been largely over-hyped," Cluley says. "After all, is it really likely that the critical systems managing a nuclear reactor need to be connected directly to the public Internet?"
It's not likely, but it happens. In May, the US House Subcommittee on Emerging Threats, Cyber security and Science and Technology blasted the organisation in charge of North America's electrical grid. The North American Electric Reliability Corporation (NERC) needs to "start getting serious about national security", Chairman James Langevin said.
Langevin and his fellow Representatives are worried about the Aurora vulnerability, where a concerted electronic attack could shut down electricity generators and other key equipment. Aurora exploits Supervisory Control and Data Acquisition Systems (SCADA), which enable power companies to operate equipment remotely via the Internet.
Some two years after the Aurora vulnerability was identified, it seems that SCADA systems are still a mess. According to the Government Accountability Office (GAO), which investigated security at the country's largest power company, "the corporate network was interconnected with control systems networks… thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks."
And that's not all. In security terms, the control networks had more holes than a tramp's vest. The GAO found that firewalls weren't properly configured or had been switched off, passwords were implemented ineffectively, servers and workstations didn't have security software and hadn't been updated with security patches, and the main corporate network had an intrusion detection system with "significant limitations". According to the GAO report, the power firm "risks a disruption of its operations as the result of a cyber incident."
IT security consultant Rich Mogull has written extensively about SCADA risks on his security blog Securosis, and highlights two key trends: SCADA systems running Windows, "the same software all the little script kiddies can slice through"; and convergence. SCADA systems are connected to normal networks by "far more companies than you probably think. We're now running everything on standard platforms, on standard networks, with bored engineers surfing porn and reading junk email on the overnight shift."
"This isn't fantasy," Mogull says. "During the Slammer virus a safety system at a nuclear power plant went down. Trains in Sydney stopped running due to the Sasser virus. Blaster was a contributing factor to the big Northeast power outage a few years ago because it bogged down the systems the engineers used to communicate with each other and monitor systems (rumour has it). I once had a private meeting in a foreign country that admitted hackers had gained access to the train control system on multiple occasions and could control the trains."
He continues: "We are definitely vulnerable to just the right kind of attack, but it's a problem we can get our arms around and solve with a little investment and common sense. Not everything is vulnerable yet, and we're early enough on the convergence trend that we can still stop and put the right security precautions in place… unless the bad guys just get jobs at the power plants and flip switches during the midnight shift."
Taking down a hospital
During 2006, 20-year-old Christopher Maxwell was prosecuted after installing malware on hospital computers in Seattle. The software caused thousands of pounds of damage, shut down PCs in the intensive care unit and crippled the hospital's pager system. It's an isolated event, but it shows that the more reliant on technology we become, the more damage an outage can cause.
As Graham Cluley points out, "there is also a risk that government websites designed to share information with the public on health issues could be affected by a distributed denial of service attack. Again, it's important that fall back systems are in place should a website fall foul of a DDoS assault."
ENISA, the EU Agency for Network Information and Security, issued dire threats in June about the possibility of a "digital 9/11" if European countries didn't get more serious about Internet security. Executive director Andrea Pirotti urged the EU to "introduce mandatory reporting on security breaches and incidents for business, just as the US has already done" and argued that there should be "more cross‑border cooperation".
It's all sensible stuff, but if you look beyond the sensationalist headlines, you'll see that the biggest electronic threats identified by ENISA aren't terrorism or electronic terrorism; they're our old friends, spam and fraud. ENISA also notes that while there were just eight EU countries running "digital fire brigades" to deal with electronic attacks and botnets in 2005, the number has now increased to 14, with a further 10 planned to become operational in the next two years. ENISA has also launched a three-year programme to improve the security and resilience of public communications networks across the EU and address any imbalances between member states.
"The Internet is much more useful for jihadists as a propaganda, radicalisation and communication tool," Jeremy Binnie says. "As with so many other minority interest activities, it allows like-minded but geographically dispersed individuals to form their own little online society where they can share information and re-enforce each other's extreme beliefs. Networks and cells can also use it as a relatively secure means to communicate operational instructions, as we have seen in several cases."
Planning attacks with Google
Could apparently inoffensive information become a terrorist tool? It seems so. The abortive 2007 attack on JFK airport made extensive use of Google Maps and Google Earth, and insurgents in Iraq have used the same software to plan attacks on British forces. "A good example of jihadist use of Google Earth was the attack on foreign oil contractors in Algeria on 10 December 2006," Jeremy Binnie says. "The local Al-Qaeda branch (AQ in the Land of the Islamic Maghreb, or GSPC as it was called at the time of the attack) subsequently put out a sophisticated video that featured operatives using Google Earth to plan the attack. This could have been staged for propaganda purposes, but I don't doubt that Google Earth would be an extremely useful operational planning tool, especially for complex multi-mode and indirect fire attacks."
As Binnie points out, the software "would save the attackers time developing accurate maps and models so that different units know where they are supposed to be and where everyone else is. While the publicly available imagery is out of date, and therefore of little short-term intelligence value, it would also be useful for ranging mortars and rockets against long-standing facilities."
The US military clearly agrees – in March 2008, the Pentagon asked Google to remove a number of military bases from its database – but it seems the UK military and security services are more relaxed, with Google Maps providing detailed satellite imagery of installations including GCHQ, submarine bases, armaments depots and chemical warfare research centres.
Somebody's watching me
Mapping software has another potential downside: it's a superb tool for stalkers, particularly when you combine it with other sources of information found online, such as the electoral roll – or even profiles on social networking sites. You can go as far as tracking people's movements through their mobile phone, although such services do send occasional text messages to remind the phone user that they're being monitored.
That's not always the case, though: in May it emerged that a number of shopping centres were tracking the movements of shoppers without their knowledge or consent. The Times reported: "The technology can tell when people enter a shopping centre, what stores they visit, how long they remain there, and what route they take as they walked around."
The tracking technology, FootPath, is supplied by Path Intelligence Ltd, which says that "there's absolutely nothing personal in the data." The tracking uses mobile phones' IMEI serial numbers, which only the phone networks can correlate with individuals' details.
However, as Spy blog points out, "if you read the last section of the list of claimed benefits for the FootPath product, they admit that it's capable of identifying individuals." These benefits include identifying "unauthorised individuals in 'no go' areas" and identifying "suspicious 'left' luggage." Spyblog asks: "How is it possible to do this with truly anonymous data?"
Should we worry? "If you are exceptionally paranoid then you should probably never use the net and not carry a mobile phone," says Graham Cluley. "However, if you're working at that level of paranoia then it would probably make sense never to walk the streets at all in case a CCTV camera catches you on film. The advantages of the net and mobile communications in my mind far outweigh the dangers. That doesn't mean that people shouldn't be careful – but they need to keep the relative dangers in proportion." As Cluley notes, for most of us the biggest risk online isn't cyber stalking: it's exposing ourselves to identity theft.
So is technology making the world a more dangerous place? "Probably," says Binnie – but not for the reasons you might think. "It brings like-minded people together, whether they are jihadist, identity fraudsters or paedophiles. However, we have yet to see clear evidence of effective terrorist weapons being developed only with information from the Internet."
As Binnie points out, there's an important flip side. "From a law enforcement point of view, downloaded information has become increasingly important in the prosecution of terrorists in the UK. The Internet has also become an invaluable intelligence tool. Independent organisations such as Jane's now have the ability to pool large amounts of open-source information, conduct research on jihadist websites and use satellite imagery to understand and explain any given situation to our subscribers. The Internet has empowered terrorism analysis as well as the terrorists."
Graham Cluley agrees. "Whilst the Internet has introduced some new dangers and challenges, it has also made the world a better place to live," he says. "We need to learn how to live safely in the online world, and how to best reduce the risks of coming to harm."