Hackin’ and Crackin’


This is Today’s Bummer from the Washington Post:  “A government consultant, using computer programs easily found on the Internet, managed to crack the FBI’s classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert S. Mueller III.


The break-ins, which occurred four times in 2004, gave the consultant access to records in the Witness Protection Program.”   


Would you like some rudimentary datapoints from a professional computer guy?  Fair enough, but remember I work for one of the big computer companies, so ensure you have your jaundiced cynic filters in place. 


David’s Four Rules of Computer Security


1) There is no way to keep something secret if more than one person knows about it.

2) There is no secure computer if the computer has a keyboard or a hard drive, or a monitor or a network card. 

3) It is easier to steal things than to decrypt things.

4) Human engineering always wins if humans are involved.


Let’s start at the top of that list.  I have a secret word.  If I tell someone that secret word then I no longer have a secret word that is secure.  I have to spend the rest of my life wondering if that second person will tell my secret word in a moment of passion, blackmail, greed or stupidity.  That compromises the security of my secret word. 


Security is also compromised by a sticky note on my keyboard, or using my Mother’s maiden name as a password.  I’ll let you in on a secret:  My secret word is Altoids.  There.  I feel better now.


Any electronic or electromechanical device can be surveilled remotely.  Using changes in magnetic fields you can derive what is being typed.  Using a telescope and a window you can see what is being read on the screen.  Using simple software, readily available on the Internet, you can trap keystrokes and communications sessions. 


You can tickle the magnetic particles on a hard drive that has been erased to make them show the erased data.  It is the same concept as reading the impressions left on a pad of paper.  We used to use a liquid solution called Edit-Vue to find the sync marks on videotape to physically cut and edit 2” video tape.  The same concept in software and hardware can help forensic technicians make a hard drive give it up.


You can add a device to a network to make it send you the full stream of data, from which you can derive what is being written.  You can listen in to phone calls, be it a cell phone or a land line, using simple electronics. 


Odds are your employer either is, or is strongly considering, reading all your work email.  The government is reading the rest of it, looking for terrorists.  Your Internet Service Provider probably is too, either for the government, or just trying to keep the spam down to a dull roar.  A spam filter, by definition, reads your email. 


Encryption involves higher math: transposing the letters in a word in a pattern that is hard to detect and, at first, very hard to read.  Unfortunately every language has a set of letters that recur with greater frequency than others.  There are also letters that don’t show up very much. 


In English, the most common letters, in order, are ETOANIRSH.  Knowing that and knowing that XQZ don’t show up much, you can start to work encryption backwards, testing potential letter combinations.  Software can do this for you, as computers can do the higher math faster and better than human brains. 
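As an added illustration of the letter-frequency idea (example code written for this page, not from the original post): a toy Caesar-shift cipher and a scorer that ranks letters by how often they appear and uses the ETOANIRSH ordering to pick the right shift out of the 26 possible ones, which is exactly the "work encryption backwards" the post describes.  The full 26-letter ordering past the post's first nine and the sample sentence are constructed assumptions.

```python
from collections import Counter
import string

# Most-to-least common English letters. The first nine follow the post
# (ETOANIRSH); the remaining order is an approximate assumption.
COMMON_ORDER = "ETOANIRSHDLUCMFWYGPBVKXQJZ"

def letter_frequencies(text):
    """Count the A-Z letters in text, ignoring case and everything else."""
    return Counter(ch for ch in text.upper() if ch in string.ascii_uppercase)

def ranked_letters(text):
    """Letters of text from most to least frequent (ties broken alphabetically)."""
    freq = letter_frequencies(text)
    return "".join(sorted(freq, key=lambda c: (-freq[c], c)))

def caesar(text, shift):
    """Shift every letter by `shift` places (a negative shift undoes one)."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def english_score(text):
    """Higher means more English-like: common letters (E, T, O ...) earn
    more points than rare ones (X, Q, Z), which is the post's observation."""
    freq = letter_frequencies(text)
    return sum(count * (26 - COMMON_ORDER.index(c)) for c, count in freq.items())

def recover_shift(ciphertext):
    """Undo each of the 26 possible shifts and keep the most English-looking."""
    best = max(range(26), key=lambda s: english_score(caesar(ciphertext, -s)))
    return best, caesar(ciphertext, -best)

# Constructed sample (not from the post): a short sentence shifted by 7.
# Note that in a text this short T edges out E, so a single letter is not
# enough; scoring the whole distribution is what makes the recovery reliable.
SAMPLE_PLAINTEXT = ("The quickest way into a system is often not the cipher at all "
                    "but the person who knows the password and the sticky note "
                    "on the keyboard.")
SAMPLE_CIPHERTEXT = caesar(SAMPLE_PLAINTEXT, 7)

if __name__ == "__main__":
    print("most frequent letters:", ranked_letters(SAMPLE_CIPHERTEXT)[:5])
    print("recovered:", recover_shift(SAMPLE_CIPHERTEXT))
```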


Stealing secrets is easier than trying to tap into wires, exposing magnetic particles, or doing the math on encryption.  If I was a bad person and wanted the laptop of an executive who has, oh, the Secret Coke Formula on a file, I could spend hundreds of hours trying to find it surreptitiously.  Or, I could wallop him over the head with a brick and steal his laptop.  Which is easier to do? 


The principal reason the British were able to decrypt the Enigma cipher early in WWII was two pieces of technology.  One was Alan Turing’s computational bombe machine.  Second, they stole a working Enigma machine from a German Navy U-Boat.  The rest of it was brilliant people, working the math and knowing how humans think. 


Human engineering is, by far, the easiest.  Aldrich Ames, the biggest Soviet spy captured in recent memory, sold thousands of secrets to the Soviets over two decades of the Cold War for one thing:  Money.  Greed works, and so do sex, blackmail and, with lesser efficacy, appeals to logic or loyalty.


The classic Internet human engineering hack is the Nigerian (now Saudi/Iraqi) bank scam.  I still get those emails and still shake my head that people fall for it.  If people didn’t fall for it, the scammers wouldn’t be sending them out. 


Phishing is another human engineering trick.  If it looks like my bank, smells like my bank and behaves like my bank, it must be my bank, right?  I keep getting requests from Bank One, MBNA, Bank of America and PayPal asking me to confirm all my information.  One problem:  I don’t bank with those folks and I don’t have a PayPal account.  I have received one phish ‘from’ my bank.  I turned it over to their security people.


There are too many stories in the IT biz about an unidentified voice on the phone asking for access to certain files or shares and saying they forgot their password.  The hapless tech then resets the password for the voice on the phone.  One of the funniest I saw was when Allan LeMongelo called to get his password reset.  Lemon Jello was a hacker.  It worked:  The Human was engineered.


So how do you keep secrets?  It takes a combination of all four rules and knowing that all four can be breached.  The trick is to have a combination that controls things, but doesn’t get in the way of people doing their work.  Get that mix right and you are closer to being secure.


Plus, you must have obvious, well understood and visibly applied punishments for breaking security.  Summary execution in the office lunch room is a touch excessive, but it does work as a negative incentive.


What this means for you is easy enough:  Believe nothing you read, see or hear on the Internet, especially if it is from your bank, credit card company, ISP or government.  If they want information, call them directly with a call that you have dialed to a number you looked up somewhere else.  Figure out if you feel like complying, or telling them to pound sand into a bodily orifice.


Assume anything you write, send or look at is being read by someone who hates your guts and is looking to screw you any way they can.  The best way to stop a blackmailer is to state:  “Yeah I like rough sex with pelicans.  Here’s my boss’s phone number, you want me to dial it for you?”


A little paranoia goes a long way. 
