Explaining Computer Security Through the Lens of Boston

Events surrounding the attack at the Boston Marathon, and the subsequent manhunt, are on-going as this is being drafted. Details may change, but the conclusions should not.

This is by no means an effort to equate terrorism and its horrible aftermath to an intrusion or data breach (which is trivial by comparison), merely an attempt to use current events in the physical world – which people tend to understand more readily – to help make sense of computer security – a complicated and multi-faceted problem few understand well.

  1. You are vulnerable to attack at any time. From an attacker’s perspective the Boston Marathon is a great opportunity (lots of people close together), but a rare one (only happens once a year). Your business on-line however, is an opportunity that presents itself 24/7. You can no more protect your enterprise against attack than the marathon could have been run inside of a giant blast-proof Habitrail. Anyone who tells you different is asking you to buy the digital equivalent of a Habitrail.
  2. It doesn’t take much to cause damage. In cyberspace everyone is atwitter about “advanced” threats, but most of the techniques that cause problems online are not advanced. Why would you expose your best weapons when simple ones will do? In the physical world there is a complicating factor of the difficulty of getting engineered weapons to places that are not war zones, but like the improved explosives used in Boston, digital weapons are easy to obtain or, if you’re clever enough, build yourself.
  3. Don’t hold out hope for closure. Unless what happens to you online is worthy of a multi-jurisdictional – even international – law enforcement effort, forget about trying to find someone to pay for what happened to you. If they’re careful, the people who attack you will never be caught. Crimes in the real world have evidence that can be analyzed; digital attacks might leave evidence behind, but you can’t always count on that. As I put fingers to keyboard one suspect behind the Boston bombing is dead and the other the subject of a massive manhunt, but that wouldn’t have happened if the suspects had not made some kind of mistake(s). Robbing 7-11s, shooting cops and throwing explosives from a moving vehicle are not the marks of professionals. Who gets convicted of computer crimes? The greedy and the careless.

The response to the bombings in Boston reflect an exposure – directly or indirectly – to 10+ years of war. If this had happened in 2001 there probably would have been more fatalities. That’s a lesson system owners (who are perpetually under digital fire) should take to heart: pay attention to what works – rapid response mechanisms, democratizing capabilities, resilience – and invest your precious security dollars accordingly.

Irrational

Desperately short of soldiers who speak Arabic and understand Islam, the U.S. military is quietly courting American Muslims. But they show little enthusiasm for an institution many say is prejudiced against them.

At the peak of violence in the Balkans no one thought that the PFC named Milosevic in our unit, with his Serb nationalist t-shirts and bluster about ETSing and going back home to join the freedom fighters, was anything but a 19-year-old blowing smoke. He was a bit of a freak, but not because we thought he was down with cleansing an ethnic population. No one questioned his loyalty or capability to do the job he was assigned. Same goes for all those in the unit we didn’t ask (we didn’t really have to) and who themselves didn’t tell. There was no purge of latinos (hispanics?) in the IC after Ana Montes was sent up the river. In the military its capability, not ethnocentricity, that counts. That has to be communicated to the target population, along with hard numbers about who is really abused because of their religion in this country. If the foiled kidnap plot against a Muslim soldier in the UK is any indication, eligible and willing Muslims are probably better off joining the fight than sticking with their ostensible friends.

FID: Fear, Incompetence & Doubt

Dr. Stephen
Haag spends upwards of 80 hours each week on his computer, mapping out
terrorist attacks.

Haag, an expert in emerging technologies, believes the next attack on the U.S. will come not in the form of bombings or military movements, but from terrorists armed with computer keyboards, credit cards and Social Security numbers.

A calculated cyber identity strike could erase or manipulate the identities of millions of Americans, effectively closing the financial markets and crippling the economy. ATMs would fail, airports would shut down, banks would close–all transactions would cease, says Haag, 45, an associate dean at the Daniels College of Business at the University of Denver. […]

Read the rest if you must but the gist is this: terrorists buy stolen personal
identifying information (from, say someone who steals a Department of Veteran’s
Affairs laptop); they craft some code that would render your personal
information unrecognizable to computer systems; so now your credit cards don’t
work, you driver’s license comes up invalid, etc.; and the end result is that
everything shuts down because “the system” thinks you don’t exist.

I honestly
thought we had past the point where wackiness like this was even on the table.
I mean, how many ways can we tweak “weapons of…” to fit someone’s money-making
scheme?

Some
reality:

 

  • The
    average American has multiple credit cards that are processed by a variety of different
    card processors (not many, but several)
  • There
    are 50 different DMVs
  •  There
    is the Department of State (passport)
  •  There
    are umpteen institutions of higher learning that all issue their own IDs
  •  Etc.,
    etc., etc. . . .

This is my wheelhouse. Terrorists haven’t moved past the defacing web pages stage of
technical threat and suddenly they’re going to be producing uber-code that in
one fell swoop zaps you from virtual existence? The airports will shut down
because 1 in 10 IDs are invalid? Last time I checked the rent-a-cop looks at
your picture, the name on the license, the name on the boarding pass and if
they match off you go. 

If you’ve
got the skill to zap multiple, complex systems – whether it is with insiders or
from afar – you’re not going to waste your time targeting Johnny Citizen; it’s
called “the war on terror” not “the war on inconvenience.”

9/11 Redux

A nice analysis of the airborne terror threat then and now by Shane Harris in National Journal. The broad point to take away is the value of defense-in-depth, or layers of security that (hopefully) are designed to catch those bits that fall through the cracks. For you INFOSEC folks this is nothing new, but all too often on the physical side it is hard but brittle shell covering a soft and mushy inside. There are plenty of gaps in each existing layer, but making the most of these gaps all at once should be readily detected (one would think).