Sunday, December 15, 2013

Who's driving this bus?

I saw this brief interview excerpt on a friend's Facebook posting:  Carl Sagan interview.  I found the full interview here.  It got me thinking about what I do on a daily basis.  As a security consultant I am ever struggling to explain computer concepts and computer security concepts to clients for the purpose of eliciting an informed risk-based decision on some issue that I'm working on for them.  I'm constantly amazed at how little people understand or even want to understand about computers and computer security.

A day in the life

I overheard a conversation at work on Friday where one of the telecom people was working an incident where an employee was attempting to dial into a conference call and was asked to put in their social security number for access or verification or some such thing.  After putting in the SSN, the system immediately hung up.  The person dialed back and got the normal prompt for the teleconference that asked for the conference code.  Now, aside from the combination of simple tricks that were used to fool this person into divulging private personal information, the fact remains that far too many people immediately disengage their brain when their hands touch a keyboard.  They instantly assume that they know nothing about computers and don't bother to even try to think.  They simply react like rodents in an experimental lab pressing a button for a food pellet.  I have many stories like this one.

Now it is easy to rationalize my employment by saying that "if it weren't for people like that I wouldn't have a job."  Many people are fond of reminding me of this fact.  It is painfully true and it pains me to admit as much.  However, when the majority of the computer-using public is so under-educated about computers and technology, and more importantly, computer security, it is extraordinarily dangerous.  Think for a few moments on how much of our lives are ruled by ones and zeros.

Road Trip!

Take a virtual trip with me to the grocery store as an example.  Simply getting into my car, I encounter several bits of technology that can be vulnerable to attack.  My key transmits a signal that unlocks my car door.  This can be vulnerable to a replay attack.  Many cars have navigation systems; mine doesn't, but I use my phone for that.  We'll deal with those separately.  A nav system has a cache, which can be read.  Where was I last and when?  My house, my work?  You could certainly extrapolate when I'm not at home and how long it takes me to get to work.  Smart phones (remember, I don't have a nav system) are basically just small versions of laptops.  Many issues there.  My calls, my locations, my contacts, my emails.  The list goes on.  What about the black box on my car that the insurance companies have quietly developed tremendous skill in decoding?  It was originally meant for the car makers and mechanics, but insurance companies have become quite the skilled hackers of these things.  Even the run-flat tire detection system in my car has been recently theorized to have vulnerabilities.  Of course there is all the tracking that government agencies do with my electronic toll pass outside of the toll collection that they tell you about.  Remember I said we were going to the store?  We haven't left my driveway yet.

Ok, down the road we go

At the end of my neighborhood is a stop light, controlled by a computer, with a sensor so emergency vehicles can make it go red for cross traffic, sometimes red for all traffic or sometimes green for them.  Can't imagine this is any less vulnerable to exploit than any other system made by humans.  Well, actually, I know these systems are vulnerable.  Along the way we pass a public park with sports fields.  Lighting systems computer controlled from a remote location several states away, maybe even in another country.  A few more traffic lights and we are at the store.  Before we even get into the store I'd point out to you the video surveillance cameras.  Let's head into the store.  More cameras.  Lighting systems, cooling systems, heating systems, fire alarm systems, backup power systems...all computer controlled and likely capable of calling for help in the event of a system failure or alarm.  That's just the basics that run the place.  Of course there will be a panic alarm and security alarms in the event of robbery.  Then there are the systems for tracking and managing inventory.  Computer networks designed to place orders to suppliers and distributors all over the country.  Coupons, cash, loyalty discounts, credit card transactions, instant coupons based upon my shopping habits, bar codes...all managed by computers and ALL vulnerable to compromise.  For the sake of this discussion, we'll ignore that my grocery store has a bank in it, but we'll use the more general case of another organization having a presence in the store, like coffee, pharmacy, cleaner, fast food, or florist.  This is a third party connection to each of those organizations' infrastructure that could possibly be shared with the store for connectivity or even services like loyalty or credit card authorization.  My grocery store has wireless too.  Oh and let's not even get into the electrical grid that powers all this stuff.  What fun!  Dizzy enough yet?

What could go wrong?

This is just a typical trip to one store, but all of these systems along the route are vulnerable to compromise, whether physical, over the air, or over the wire.  But most people go about their lives quite oblivious to the technological near-disaster that looms all around every day.  The basic reason many assume is, "well, it works, so it must be safe, right?  And I'm sure they have technical people that are addressing all those security issues."  Well, the good news is there are some very competent and skilled people doing just that.  The bad news is there simply aren't nearly enough of them to go around.  The worse news is there are even more that don't have a clue that there is a problem with many or any of these systems.  And worse still, there are those that refuse to acknowledge the problems exist, even when presented with very strong evidence and expert advice.  If someone doesn't think there is a problem, how likely do you think they will be trying to fix it...or even monitor for bad things caused by bad people?

I'm not a huge fan of twelve step programs, but I will cite a piece of their wisdom.  The first step to recovery is acknowledging that you have a problem.  And people...Sagan was dead on balls accurate.  We live in a society driven by technology that few understand, especially when it comes to security risks.  We all need to learn more and demand more from ourselves.  We need to demand more from the people that make the products and technology.  Finally and most importantly, we need to demand expertise and accountability from the regulators and lawmakers so that it is impossible to ignore the dangers.