This is another excerpt from the book I'm writing on technology, terrorism, and my time at DHS, tentatively titled "Skating on Stilts." (If you want to read the excerpts in a more coherent fashion, try the categories on the right labeled "Excerpts from the book." I'm afraid I can't fix the bug in TypePad that prevents me from putting them in the category in reverse-chronological order, but I have started putting chapters up in pdf form from time to time.) Comments and factual quibbles are welcome, either in the comments section or by email: [email protected]. If you're dying to order the book, send mail to the same address. I'm still looking for an agent and a publisher, so feel free to make recommendations on that score too.
--Stewart Baker
Maybe you’re not ready to agree with me. Maybe you’re worried that these security
alarms are a little too convenient – perhaps just an excuse for the government
to spy on Americans and interfere with the economic engine of Silicon Valley.
Surely, you think, there are still a few good defenses left.
Well, let’s take a look at some of the top reasons that people think computer security risks can be managed successfully.
It’s a Microsoft Problem. I know plenty of people who still believe that Microsoft’s products are uniquely insecure, and that all we need to do is get Microsoft to clean up its act or take our business elsewhere. For some, the security of Linux was an article of faith; its source code is open to inspection by anyone, so it is protected from exploit by all those watching eyes. And Apple, which didn’t even offer an antivirus program for decades, was protected by, well, by Steve Jobs’s sheer animal magnetism.
The last few years have been hard on those illusions. As Apple gained market share, malware authors began writing for its operating system, and they didn’t have any trouble finding holes. It turns out that, according to a 2009 Black Hat talk, even Apple’s keyboards can be hacked: their firmware can be rewritten to record and reveal all the user’s keystrokes. Apple now recommends that its users run multiple antivirus programs.
And all those eyes on Linux’s code? In August of 2009, they discovered a bug in the Linux kernel itself; it would allow an attacker to acquire complete administrative control of any machine on which he could already run code. You might call that a success for open source, except that the bug had been hiding in plain sight for at least eight years.
Turns out the reason there is so much malware running on Windows is the same reason there are so many other applications running on Windows. That’s how to reach the largest number of users.
It’s a Password Problem. I used to take a lot of comfort from the fact that I didn’t use just passwords for the things I most wanted to keep secure. I used a token. Every 30 seconds it displayed a different security code, known only to me and my home server. Even if a hacker could compromise my machine and record all my keystrokes, he couldn’t know what the token was going to say next.
But this is the age of Twitter – and real-time hacking. For at least the last couple of years, criminals have been able to beat these token systems. Now, when the owner of a compromised machine starts typing in his temporary code, the malware phones home immediately. As the owner types, each digit is sent to the hacker, who simply logs in with him.
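The real-time relay described above, as an added example that is not part of the book or of the original post. It builds the 30-second code the way standard tokens do (the RFC 6238 TOTP construction over RFC 4226 HMAC-SHA1) using only Python’s standard library; the secret, the account names and the amounts are constructed for the demo. The first scenario shows why the relay works: the server has no way to tell the victim’s submission from the attacker’s inside the same time window, so the relayed code is accepted. The second scenario shows one way the design can be changed: if the token also takes the destination account and amount as input (an addition to the RFC construction made for this example, not something the text describes), the relayed code no longer verifies when the attacker substitutes his own destination.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: in practice this is provisioned into the token
# and stored by the server; it is not a real credential.
SECRET = b"constructed-demo-secret"
STEP = 30   # seconds per code, matching the 30-second token in the text


def hotp(secret: bytes, counter: int, extra: bytes = b"", digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits. `extra` is an addition
    made for this example (not in the RFC): bytes appended to the counter so
    the same construction can bind transaction details into the code."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + extra, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, extra: bytes = b"", digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // STEP, extra, digits)


def verify(secret: bytes, code: str, now: int, extra: bytes = b"", skew: int = 1) -> bool:
    """Server-side check. Accepts the current step plus `skew` steps either
    side, as real servers do to tolerate clock drift and typing delay."""
    step = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, step + d, extra), code)
        for d in range(-skew, skew + 1)
    )


def transaction_bytes(dest_account: str, amount: int) -> bytes:
    """Canonical encoding of what the user is actually authorising."""
    return f"{dest_account}|{amount}".encode()


def relay_plain_code(now: int, relay_delay: int = 5) -> bool:
    """Scenario from the text: the victim types the code, malware forwards
    each digit, and the attacker logs in a few seconds later. Returns True
    if the server accepts the attacker's submission."""
    victim_code = totp(SECRET, now)          # what the victim typed
    return verify(SECRET, victim_code, now + relay_delay)


def relay_transaction_bound_code(now: int, relay_delay: int = 5) -> bool:
    """Same relay, but the code covers the transaction. The victim's token
    computed the code for the transfer the victim intended; the attacker
    submits it for a different destination and amount."""
    intended = transaction_bytes("victim-savings-0001", 100)      # constructed
    victim_code = totp(SECRET, now, intended)
    diverted = transaction_bytes("mule-account-9999", 50_000)     # constructed
    return verify(SECRET, victim_code, now + relay_delay, diverted)


def legitimate_transaction_bound_code(now: int) -> bool:
    """Control case: the bound code is accepted when the transaction matches."""
    tx = transaction_bytes("victim-savings-0001", 100)
    return verify(SECRET, totp(SECRET, now, tx), now + 5, tx)


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    print("plain 30-second code, relayed 5 s later: accepted =", relay_plain_code(t))
    print("transaction-bound code, relayed to another account: accepted =",
          relay_transaction_bound_code(t))
    print("transaction-bound code, matching transaction: accepted =",
          legitimate_transaction_bound_code(t))
```

The `hotp` and `totp` functions reproduce the published RFC test vectors (secret `12345678901234567890`, counter 1 gives `287082`; time 59 with eight digits gives `94287082`), so the first scenario is not an artefact of a toy implementation: a genuine 30-second code relayed five seconds later is simply valid. Binding the transaction closes that hole only if the user can see, on a device the malware does not control, what the code is being computed over.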
Really Important Transactions Can Be Confirmed Offline. If you’re really worried, you may have locked down your financial accounts, so no money can leave the institution without a call to verify the transaction. In fact, even if you haven’t locked everything down, you may get a call. Like the credit card companies, mutual funds and financial institutions have stopped trusting their customers’ computers. For risky transactions, they insist on offline, or out-of-band, confirmation.
Out-of-band communication is today’s most common failsafe solution
for computer compromises. To restore control of his Facebook account, for
example, Bryan Rutberg had to send Facebook a separate, out-of-band message
from a separate account.
But using another line of communication won’t solve the problem
for long. Hackers have already begun to build blocking programs into their
malware. The programs prevent users from getting to websites that might detect
and cure their infections. In the future, these programs may be able to thwart
other efforts to cure an attack – diverting emails, for example, or
corrupting the user’s attempts to log on
to hijacked sites.
The banks’ offline solution is also at risk. Finding a truly
offline method of communication is going to get harder. Businesses and
consumers are switching in large numbers to “voice over IP,” or VOIP,
telephony. They cannot resist the allure of bringing to voice communications
the cheap, flexible features of Internet communications. They cannot resist
going just a little faster on the bike.
But the switch means that they are also bringing to voice
communications all the insecurity that plagues other Internet communications.
This raises the prospect of a whole new set of attacks, from “voice spam” and
fraudulent telephone calls to the theft of incoming and outgoing phone calls.
If an attacker who has compromised your computer’s online bank account is also
able to appropriate your Internet telephone, then it will be easy for the
attacker to answer the phone when the bank calls – and to confirm that you
really do want to transfer your life savings to Spain or Nigeria. At that
point, it will be cold comfort that switching to VOIP cut your monthly phone
bill from $40 to $10 or even to $0.
The Military Has Solved the Problem With Classified Networks. The government used to have its own illusions about security. Maybe our unclassified networks are compromised, Defense Department officials used to say, but the classified networks are still bombproof. They can’t be compromised by all this malware floating around the Internet, because they aren’t connected to the Internet. There’s an “air gap” between the two.
That assumes of course that network security decrees are perfectly enforced – and that the most important secrets are only discussed on classified networks – notions that contradict everything we know about human nature.
But never mind, because the air gap illusion too has fallen prey to the exponential empowerment of hackers that we’ve seen in recent years.
The French navy’s Rafale Marine jets train out of Villacoublay air base, in the southwest suburbs of Paris. These fighters are state of the art, packed with stealth and electronic warfare capabilities and capable of landing on carriers. But to do that, they first have to take off. And for two days in January, the jets couldn’t take off. They’d been grounded by a hacker.
The “Conficker” computer worm had been exploiting a vulnerability in the Windows Server service – present on ordinary Windows PCs, not just servers – for months. It was the most ambitious computer infection in years. At the time it had infiltrated as many as 15 million machines around the world. One of the ways it spreads is by infecting the USB thumb drives that carry data from one machine to the next, so that the worm runs automatically when the drive is plugged in. Even classified or isolated networks could be captured if a bad thumb drive was used to transfer data to a machine on a secured network.
That’s what grounded the French fighters. Before the navy even knew it was under attack, the worm was coursing through its internal network. Rushing to contain the damage, the navy told its staff not to turn on their machines, and its systems administrators began quarantining parts of the network. Too late for Villacoublay. Its systems were already hosed.
The Rafale fighter downloads its flight plans, a far more efficient process than paper-based systems. But once the contagion had spread to Villacoublay no flight plans could be downloaded. Until an alternative method of delivering the flight plans could be cobbled together, the Rafales were no more useful than scrap iron.
The French press reported the embarrassment in detail. Perhaps as consolation, it was careful to note that things could have been worse – and were, in Great Britain. There, the press said, 24 RAF bases and three-quarters of the Royal Navy Fleet had succumbed to Conficker.
The British and French navies may have been unintended victims of
a worm designed for criminal ends. But after Conficker, no one can believe that
an air gap is a security fail-safe.
They’re Not Looking for Me. The last of the illusions, or at least the last of mine, is that I’m just not that interesting. Other people have more money. Other people have more valuable secrets. Who’s going to come looking for me?
That’s the last hope of every herd animal. The predators can’t eat
everyone. If you lay low and blend in, they won’t pick you.
Wrong on two counts, I’m afraid. First, take this test. Add up
your savings, car value, house equity, and investments. Is the total over
$65,000? If so, you’ve got a lot of
company on the globe. Probably ten percent of the world’s 6.8 billion people
have assets exceeding that amount – say 700 million in all. Being one in 700
million sounds like pretty good herd-animal odds until you realize that, for
every person with more than $65,000, there are nine people with less.
As computers become exponentially cheaper, most of those nine
people will be able to get on line. Then there will be nine people looking for
ways to take money from you. And another nine for your spouse, nine for your
neighbor, and nine for each of your business partners. Maybe nine each for
every person you know.
So they can eat everyone.
There are already Nigerian hip-hop anthems and videos celebrating
the rolling-in-money “Yahoozees” who fleece Americans like Howard Crank. The world is already full of
scam artists willing to work for less than minimum wage. Most of them know
English and have access to the Internet.
The relentless march of empowerment will soon give the Yahoozees
of the third world new tools for finding you. In a way, that’s what a Spanish
lottery email does. Most of us delete lottery spam. But if one in ten thousand
responds, even with great caution, that person has selected himself for
fleecing, and the pitch can then be tailored precisely to his failings. So what
if that part of the scam is a bit labor intensive? There are nine people with nothing better to
do than sit around trying to get into the mark’s head.
Remember that real-time password-stealing program? Well, the thieves don’t have to go looking
for rich people to infect. Instead, they infect everyone, and let the malware
find the rich ones. The password-stealing program consumes an infinitesimal
part of a modern chip’s processing power to run quietly in the background,
watching and waiting until its victim logs on to one of about 1500
predetermined financial sites. Anyone logging in to one of those sites, the
authors figure, probably has enough money to be worth cleaning out. So when an
infected computer sets itself apart from the crowd by logging on to a financial
site, the malware alerts its author, who can now focus on taking money from
that computer’s owner.
Moore’s Law has taken a lot of the work out of the hunt. And,
thanks to the empowerment of information technology, it will keep making the
job exponentially easier, year in and year out.
Until the predators find you, too.