Of course, it's possible to make explosives from all kinds of things, including everyday chemicals. However, the manufacturing process can be extremely risky and even if you get it right, the explosive might not work. The2007 London bombings killed 52 people, but the intended follow-up on 21/7 failed. It's possible that the unsuccessful bombs were made from the same chemicals as the 7/7 bombs, but that the explosives had degraded and become useless; however, according to newspaper reports the culprit may have been simple incompetence: the detonators fired but the bombs didn't go off.
It seems, then, that online terror manuals could even thwart the criminal – either by blowing terrorists up in the privacy of their own homes or by creating useless explosives that enable the police to catch the creators.
"Even in terms of putting together improvised explosive devices, the manuals are no substitute for hands-on training with experienced instructors," Binnie says. "I would say the utility of Internet training manuals remains limited – although it will probably improve over time."
Terror by Denial of Service
Forget explosives. As anyone who's seen Die Hard 4.0 knows, you can do much more damage by hacking into the power network and bringing down an entire country. But is it a credible threat? Could terrorists use Distributed Denial of Service attacks?
Graham Cluley is Senior Technology Consultant with Sophos. "Usually DDoS attacks appear to have been done for purposes of blackmail or mischief rather than terror or warfare, although there have been claims (without published evidence to confirm) that the governments of overseas countries have targeted systems of their rivals in the past," he says. "Although critical parts of the national infrastructure do not presently rely on an online presence to survive, disruption is still possible in some areas if a botnet bombarded sites with a prolonged and sustained attack. Even non-targeted systems can be hit with 'collateral damage' – for instance, a very large botnet could overwhelm some Internet service providers by generating vast amounts of data traffic."
Online banking is an obvious target for Denial of Service attacks. A high profile attack could potentially cause a Northern Rock-style run on the bank, and it's possible that a simultaneous attack on all the online banks could cause economic chaos. However, to date at least, DDoS attacks have been an irritant rather than a disaster for the banks that have been targeted.
What about the Die Hard scenario, where terrorists take down essential utilities? "Newspaper headlines in the past have raised the spectre of terrorists hacking into nuclear power plants or water works in order to endanger the lives of citizens. This threat has been largely over hyped," Cluley says. "After all, is it really likely that the critical systems managing a nuclear reactor need to be connected directly to the public Internet?"
It's not likely, but it happens. In May, the US House Subcommittee on Emerging Threats, Cyber security and Science and Technology blasted the organisation in charge of North America's electrical grid. The North American Electric Reliability Corporation (NERC) needs to "start getting serious about national security", Chairman James Langevin said.
Langevin and his fellow Representatives are worried about the Aurora vulnerability, where a concerted electronic attack could shut down electricity generators and other key equipment. Aurora exploits Supervisory Control and Data Acquisition Systems (SCADA), which enable power companies to operate equipment remotely via the Internet.
Some two years after the Aurora vulnerability was identified, it seems that SCADA systems are still a mess. According to the Government Accountability Office (GAO), which investigated security at the country's largest power company, "the corporate network was interconnected with control systems networks… thereby increasing the risk that security weaknesses on the corporate network could affect those control systems networks."
