Sunday, March 05, 2017

The Sky Isn't Falling. Yet.

I really love the Internet. I get a kick out of technology in general, of course, but I'm crazy about the Internet in particular. When you think about what it's given us—communication, information, empowerment, and more—it's difficult to come up with too many other technologies that have had this great an impact. To a great extent, the Internet has truly democratized information.

And yet . . .  When I stop and think about it, I kind of freak out. I mean, I don't want to sound alarmist or anything, and I generally like to stay calm about the issues, but I THINK WE'RE ALL TOTALLY SCREWED!!

OK, there. I feel better now. I'm calm. But here's what I mean…
(Photo caption: Hollywood Presbyterian Medical Center in East Hollywood, CA. The hospital paid $17,000 to recover its ransomed data files.)

Let's start with ransomware. This is malware that, once it gets onto a machine (usually through a phishing attachment or link that someone clicked despite the basic security rules tech people keep asking them to follow), encrypts your files and then holds them for ransom. (The amount varies, but $300 to $500 or so is a typical ballpark: enough to make it worthwhile for the bad guys, and just barely cheap enough that most of us will at least consider paying.) In most cases the encryption is done correctly and quickly, with a key that only the attacker holds; you are not getting those files back unless you pay the ransom, or unless you have a good backup, kept somewhere the malware cannot reach, and know how to restore your files from it.

Businesses and individuals have been getting hit with ransomware regularly, but more recently the bad guys have discovered other tempting targets: municipal entities, law enforcement agencies, and hospitals, for instance. Think about it: A small police department or hospital holds data that is very important, sometimes literally a matter of life and death: patient records, data from medical devices (sometimes from implanted ones), evidence stored for court cases, and more. This is critical stuff. The data should have been backed up, and the organization should have a relatively bulletproof, regularly tested backup-and-restore process in place, but many such entities do not. That's why the combination is almost irresistible to bad guys: These organizations have critical data they cannot afford to lose, and crappy (or sometimes non-existent) IT departments. The result? These are big, juicy targets; crooks can easily mount an attack, and the payoff can be big.
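To make the backup point in the two paragraphs above concrete, here is an added example that is not part of the original post: a Python script that records a SHA-256 manifest of a file tree at backup time, flags files that suddenly look like ciphertext (a byte-entropy heuristic), and verifies a restore against the manifest. The "ransomware" is simulated by overwriting files with random bytes, which has the same statistical signature as real ciphertext; the sample "records" are constructed strings, and the 7.2-bits-per-byte threshold is an assumption chosen for the demo.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Bits per byte. English text scores roughly 4 to 5; ciphertext or random data
# approaches 8. The threshold is an assumption chosen for this demo.
ENTROPY_THRESHOLD = 7.2


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root. Store it with the backup."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """Heuristic: a file whose leading bytes are near-random was probably encrypted."""
    with path.open("rb") as f:
        sample = f.read(sample_size)
    return len(sample) >= 256 and shannon_entropy(sample) > ENTROPY_THRESHOLD


def scan_for_encrypted(root: Path) -> list:
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and looks_encrypted(p))


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Report which manifest entries are missing, altered, or intact in the live tree."""
    result = {"missing": [], "changed": [], "ok": 0}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["changed"].append(rel)
        else:
            result["ok"] += 1
    return result


def restore_from_backup(backup_root: Path, live_root: Path, manifest: dict) -> None:
    for rel in manifest:
        dst = live_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_root / rel, dst)


def run_demo() -> dict:
    """Build a toy tree, back it up, 'encrypt' it, detect the damage, restore, re-verify."""
    work = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    live, backup = work / "live", work / "backup"
    # Constructed sample content; nothing here is a real record.
    samples = {
        "records/patient-0001.txt": "Patient 0001, admitted 2017-03-01, vitals stable.\n" * 60,
        "records/patient-0002.txt": "Patient 0002, discharged 2017-03-03, follow-up due.\n" * 60,
        "evidence/case-42.txt": "Case 42 chain-of-custody log entry, sealed.\n" * 80,
    }
    try:
        for rel, text in samples.items():
            p = live / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        manifest = make_manifest(live)      # taken at backup time
        shutil.copytree(live, backup)       # the backup; offline in real life
        flagged_before = scan_for_encrypted(live)
        # Simulated ransomware: overwrite each file with random bytes of the same
        # length. Real malware encrypts with a key only the attacker holds, but
        # the entropy signature, and the outcome for a victim without a backup,
        # is the same.
        for rel in samples:
            p = live / rel
            p.write_bytes(os.urandom(p.stat().st_size))
        flagged_after = scan_for_encrypted(live)
        damage = verify_against_manifest(live, manifest)
        restore_from_backup(backup, live, manifest)
        after_restore = verify_against_manifest(live, manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)
    return {"flagged_before": flagged_before,
            "flagged_after": flagged_after,
            "changed_by_attack": len(damage["changed"]),
            "intact_after_restore": after_restore["ok"],
            "missing_after_restore": len(after_restore["missing"])}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would add: the manifest and the backup must live somewhere the infected machine cannot write to (ransomware happily encrypts mapped backup drives and the manifest alongside them), and the entropy check is a triage aid rather than a verdict, since it also flags legitimately compressed or already-encrypted files.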

How big? In February 2016, attackers encrypted data at the Hollywood Presbyterian Medical Center; early press reports put the demand at $3.4 million, payable in Bitcoin (a cryptocurrency that is pseudonymous and hard to trace, though not, as is often claimed, untraceable). Hospital executives declared an emergency and staff reverted to paper and faxes. (It is sometimes possible to negotiate with the thieves; in this case the hospital eventually paid 40 bitcoin, about $17,000 at the time, to get its files back. Still, $17,000 is a pretty good chunk of change.)

Of course, there are other attacks, and other types of attacks.

On December 23, 2015, unknown intruders (possibly state-sponsored actors under Russian control, though this remains unproven) got into the control systems of Ukraine's Prykarpattyaoblenergo (please do not ask me to pronounce this) regional electricity distributor, using legitimate remote-access credentials they had harvested earlier. Operators watched, dumbfounded and helpless, as the intruders navigated the same onscreen menus the operators used every day, opening breakers at some 30 substations one mouse-click at a time. The attackers then disabled the backup power supplies at two of the region's three distribution centers, leaving all concerned literally and figuratively in the dark.

About 230,000 people were suddenly without electricity in an area where the temperature that evening dropped to around 14 degrees Fahrenheit. (Lest you think that the U.S. power grid is more secure and sophisticated than a control center in Ukraine, note that many experts said that the Ukrainian utility was better secured than many U.S. utilities.)

This is the first confirmed cyber attack to cause a power outage of that size, but it's probably not the last. (For a sensational—some reviewers said sensationalist—read on the subject, see Ted Koppel's Lights Out.) The reality is that, as insecure as our private infrastructures (see the hospitals and corporations mentioned above) are, many government and quasi-government infrastructures are even more disorganized and less secure. (If this surprises you, then you haven't been paying attention to news of the DNC—and now RNC and other—hacks. Also, you've never been in the Army.)

Here's the problem in a nutshell: We took an inherently insecure technology, the Internet (which was designed to share information among parties who trusted one another, not to hide it from adversaries), and made it the backbone of both our infrastructure and our economy. We've taken steps to make it more robust and mitigate its weaknesses, but the reality is that just about everything—from our power grid to our banking industry and from hospitals to law enforcement—now runs on what turns out to be a vulnerable and easily crippled technology.

And it's going to get worse as the Internet of Things takes hold. The IoT involves connecting literally billions of things to the Internet, everything from your toothbrush to your thermostat and from your doorbell to your dog’s water bowl. Those connections will, for the most part, make your life much easier. Until suddenly they don't.

Take baby monitors, for instance. It's comforting to know that your child is safe and snug in his bed; being able to hear the cooing sounds your toddler makes as he sleeps is soothing. Hearing the voice of some stranger speaking to your child through the monitor is definitely not soothing, but it has happened on occasion. Why? Well, the baby monitor is a small computer with a camera and a microphone sitting on your wireless network, and it is probably not very well protected: it may still use the factory default password, and its remote-viewing feature may be reachable from anywhere on the Internet. Neither you nor the manufacturer took steps to secure that device. (The fixes are mundane: change the default password, turn off remote access you don't use, apply firmware updates when they exist, and keep such gadgets on a separate guest network rather than alongside your laptop.)

(Photo caption: This is just one of several brands of baby monitor that has been hacked.)

But the technology itself is not the only major problem. The other weakness is . . . well, us. Any security pro will tell you that the biggest vulnerability is human, the people standing between the palace door and the storeroom in which the crown jewels are held. Basically, people are not very good at security, because we're lazy, naïve, and entirely too nice. We really, really want to be helpful, so when we get an email asking for information, we're all too ready to part with that information. When someone claiming to be a hardware tech or copier repair person shows up at a place of business with a clipboard, a baseball cap with a company logo, and a good story, people are almost always willing to "help" him by parting with names, phone numbers, even passwords.

Almost without exception, we are the weak link in the security chain. We click links in phishing emails, visit sketchy websites, download suspicious files, and answer the (seemingly innocent) questions of people who wander into our places of business. We place all our very personal information on the Internet for anyone to see: between Facebook, LinkedIn, and Twitter, anyone looking for information about you or your business has all he needs. 

Chris Hadnagy is a security expert and a penetration tester; companies pay him to break into their networks in order to uncover flaws. Chris says that he can "social engineer" (read: schmooze, lie, or finagle) his way onto any corporate network well over 90% of the time. Years ago, says Chris, the difficult part of his job was uncovering enough information to be able to mount a convincing deception. Now, he says, with all the information floating around on the Internet, his biggest problem is sifting through the tons of data available to decide which pieces are most useful.

Still, a hacked baby monitor or an individual who’s fallen victim to ransomware is not what worries me. We can learn to protect ourselves; if we don't, then we have only ourselves to blame.

But state-sponsored attacks on infrastructure are another story. Weapons are rarely built without someone eventually looking for an excuse to use them, and the Internet is, among other things, a weapon. It's simply too terrifyingly easy to conduct an attack that could turn into a full-blown cyber war. A digital attacker risks very little. It's a form of warfare that, unlike all other forms, is cheap, fast, simple, and deniable. That's a temptation too alluring to ignore. You can engage an enemy from half a world away, with a comfortable degree of anonymity, and there's essentially no risk that you or any of your fellow "soldiers" will get hurt. You can cripple a region—or possibly an entire country—with just a few well-placed strikes. Whether the attacker is a state actor (or someone who operates at the behest of such actors) or an independent guerrilla operator, the technology is too available, the risk is too small, and the payoff too big to ignore.

And that is what worries me. I do believe that we will eventually address many or even most of these security issues, but I suspect that our actions will be reactive in nature: nothing will be done until something very bad happens, and then suddenly security will be on everyone's mind, from our legislators to our law enforcement people, and from infrastructure developers to IoT manufacturers.

We should probably be thinking about such matters before the sky starts falling.
