excerpt from the book I'm writing on technology, terrorism, and
time at DHS, tentatively titled "Skating on Stilts." (If you want to
read the excerpts in a more coherent fashion, try the categories on the
right labeled "Excerpts from the book." I'm afraid I can't fix the bug
in TypePad that prevents me from putting them in the category in
reverse-chronological order, but I have started putting chapters up in
pdf form from time to time.) Comments and factual quibbles
are welcome, either in the comments section or by email:
email@example.com. If you're dying to order the book, send
mail to the same address. I'm still looking for an agent and a
publisher, so feel free to make recommendations on that score too.
Maybe you’re not ready to agree with me. Maybe you’re worried that these security alarms are a little too convenient – perhaps just an excuse for the government to spy on Americans and interfere with the economic engine of Silicon Valley. Surely, you think, there are still a few good defenses left.
Well, let’s take a look at some of the top reasons that people think computer security risks can be managed successfully.
It’s a Microsoft Problem. I know plenty of people who still believe that Microsoft’s products are uniquely insecure, and that all we need to do is get Microsoft to clean up its act or take our business elsewhere. For some, the security of Linux was an article of faith; its source code is open to inspection by anyone, so it is protected from exploit by all those watching eyes. And Apple, which didn’t even offer an antivirus program for decades, was protected by, well, by Steve Jobs’s sheer animal magnetism.
The last few years have been hard on those illusions. As Apple gained market share, malware authors began writing for its operating system, and they didn’t have any trouble finding holes. It turns out that, according to a 2009 Blackhat talk, even Apple’s keyboards can be hacked to reveal all the user’s keystrokes. Apple now recommends that its users run multiple antivirus programs.
And all those eyes on Linux’s code? In August of 2009, they discovered a bug in the central core of Linux; it would allow an attacker to acquire complete administrative control of any machine he could touch. You might call that a success for open source, except that the bug had been hiding in plain sight for at least eight years.
Turns out the reason there is so much malware running on Windows is the same reason there are so many other applications running on Windows. That’s how to reach the largest number of users.
It’s a Password Problem. I used to take a lot of comfort from the fact that I didn’t use just passwords for the things I most wanted to keep secure. I used a token. Every 30 seconds it displayed a different security code, known only to me and my home server. Even if a hacker could compromise my machine and record all my keystrokes, he couldn’t know what the token was going to say next.
But this is the age of Twitter – and real-time hacking. For at least the last couple of years, criminals have been able to beat these token systems. Now, when the owner of a compromised machine starts typing in his temporary code, the malware phones home immediately. As the owner types, each digit is sent to the hacker, who simply logs in with him.
Really Important Transactions Can Be Confirmed Offline. If you’re really worried, you may have locked down your financial accounts, so no money can leave the institution without a call to verify the transaction. In fact, even if you haven’t locked everything down, you may get a call. Like the credit card companies, mutual funds and financial institutions have stopped trusting their customers’ computers. For risky transactions, they insist on offline, or out-of-band, confirmation.
Out-of-band communication is today’s most common failsafe solution for computer compromises. To restore control of his Facebook account, for example, Bryan Rutberg had to send Facebook a separate, out-of-band message from a separate account.
But using another line of communication won’t solve the problem for long. Hackers have already begun to build blocking programs into their malware. The programs prevent users from getting to websites that might detect and cure their infections. In the future, these programs may be able to thwart other efforts to cure an attack – diverting emails, for example, or corrupting the user’s attempts to log on to hijacked sites.
The banks’ offline solution is also at risk. Finding a truly offline method of communication is going to get harder. Businesses and consumers are switching in large numbers to “voice over IP,” or VOIP, telephony. They cannot resist the allure of bringing to voice communications the cheap, flexible features of Internet communications. They cannot resist going just a little faster on the bike.
But the switch means that they are also bringing to voice communications all the insecurity that plagues other Internet communications. This raises the prospect of a whole new set of attacks, from “voice spam” and fraudulent telephone calls to the theft of incoming and outgoing phone calls. If an attacker who has compromised your computer’s online bank account is also able to appropriate your Internet telephone, then it will be easy for the attacker to answer the phone when the bank calls – and to confirm that you really do want to transfer your life savings to Spain or Nigeria. At that point, it will be cold comfort that switching to VOIP cut your monthly phone bill from $40 to $10 or even to $0.
The Military Has Solved the Problem With Classified Networks. The government used to have its own illusions about security. Maybe our unclassified networks are compromised, Defense Department officials used to say, but the classified networks are still bombproof. They can’t be compromised by all this malware floating around the Internet. Because they aren’t connected to the Internet. There’s an “air gap” between the two.
That assumes of course that network security decrees are perfectly enforced – and that the most important secrets are only discussed on classified networks -- notions that contradict everything we know about human nature.
But never mind, because the air gap illusion too has fallen prey to the exponential empowerment of hackers that we’ve seen in recent years.
The French navy’s Rafale Marine jets train out of Villacoublay air base, in the southwest suburbs of Paris. These fighters are state of the art, packed with stealth and electronic warfare capabilities and capable of landing on carriers. But to do that, they first have to take off. And for two days in January, the jets couldn’t take off. They’d been grounded by a hacker.
The “Conficker” computer worm had been exploiting vulnerabilities in Windows servers for months. It was the most ambitious computer infection in years. At the time it had infiltrated as many as 15 million machines around the world. One of the ways it spreads is by infecting the USB thumb drives that carry data from one machine to the next. Even classified or isolated networks could be captured if a bad thumb drive was used to transfer data to a machine on a secured network.
That’s what grounded the French fighters. Before the navy even knew it was under attack, the worm was coursing through its internal network. Rushing to contain the damage, the navy told its staff not to turn on their machines, and its systems administrators began quarantining parts of the network. Too late for Villacoublay. Its systems were already hosed.
The Rafale fighter downloads its flight plans, a far more efficient process than paper-based systems. But once the contagion had spread to Villacoublay no flight plans could be downloaded. Until an alternative method of delivering the flight plans could be cobbled together, the Rafales were no more useful than scrap iron.
The French press reported the embarrassment in detail. Perhaps as consolation, it was careful to note that things could have been worse – and were, in Great Britain. There, the press said, 24 RAF bases and three-quarters of the Royal Navy Fleet had succumbed to Conficker.
The British and French navies may have been unintended victims of a worm designed for criminal ends. But after Conficker, no one can believe that an air gap is a security fail-safe.
They’re Not Looking for Me. The last of the illusions, or at least the last of mine, is that I’m just not that interesting. Other people have more money. Other people have more valuable secrets. Who’s going to come looking for me?
That’s the last hope of every herd animal. The predators can’t eat everyone. If you lay low and blend in, they won’t pick you.
Wrong on two counts, I’m afraid. First, take this test. Add up your savings, car value, house equity, and investments. Is the total over $65,000? If so, you’ve got a lot of company on the globe. Probably ten percent of the world’s 6.8 billion people have assets exceeding that amount – say 700 million in all. Being one in 700 million sounds like pretty good herd-animal odds until you realize that, for every person with more than $65,000, there are nine people with less.
As computers become exponentially cheaper, most of those nine people will be able to get on line. Then there will be nine people looking for ways to take money from you. And another nine for your spouse, nine for your neighbor, and nine for each of your business partners. Maybe nine each for every person you know.
So they can eat everyone.
There are already Nigerian hip-hop anthems and videos celebrating the rolling-in-money “Yahoozees” who fleece Americans like Howard Crank. The world is already full of scam artists willing to work for less than minimum wage. Most of them know English and have access to the Internet.
The relentless march of empowerment will soon give the Yahoozees of the third world new tools for finding you. In a way, that’s what a Spanish lottery email does. Most of us delete lottery spam. But if one in ten thousand responds, even with great caution, that person has selected himself for fleecing, and the pitch can then be tailored precisely to his failings. So what if that part of the scam is a bit labor intensive? There are nine people with nothing better to do than sit around trying to get into the mark’s head.
Remember that real-time password-stealing program? Well, the thieves don’t have to go looking for rich people to infect. Instead, they infect everyone, and let the malware find the rich ones. The password-stealing program consumes an infinitesimal part of a modern chip’s processing power to run quietly in the background, watching and waiting until its victim logs on to one of about 1500 predetermined financial sites. Anyone logging in to one of those sites, the authors figure, probably has enough money to be worth cleaning out. So when an infected computer sets itself apart from the crowd by logging on to a financial site, the malware alerts its author, who can now focus on taking money from that computer’s owner.
Moore’s Law has taken a lot of the work out of the hunt. And, thanks to the empowerment of information technology, it will keep making the job exponentially easier, year in and year out.
Until the predators find you, too.