Security Attacks in the Real World

Most IT departments are more vulnerable to physical attacks than you'd think. What exactly are the risks, and what can be done to minimize them?

The physical world is a large, messy place. It's full of people, and some of these people might be hostile attackers. Most companies respond to this threat with locked doors, CCTV, security guards and, if they can afford it, secure installations. Most companies are not at all equipped to deal with an attack via the physical world.

The Physical World and Manmade Disasters

It's 8 a.m. on a Monday, and someone phones a bomb threat in. Several root exploits for Bind 4 and 8 were made public that day, and while exploit code was not publicly available, it did exist. How will your tech staff upgrade the Bind servers? Can they go home and access the network, and do the upgrades from there? Meanwhile, an attacker is using this window of opportunity to hijack several of your DNS servers.

It's 1 p.m. on Friday and your computer suddenly reports a network error. Upon further inspection it appears that the servers are fine, and everyone in building A can access them, but all the people in building B are unable to get at the server (housed in building A). Eventually a continuity check is done on the cables connecting the two buildings, and you find they aren't transferring anything. After a physical inspection of the cable, you find it has been cut in several places in a service tunnel and must be completely replaced. Hopefully it will be fixed by Monday morning.

It's lunchtime on a Tuesday, a week before your financial year end. Several people dressed as carpet cleaners come into your lobby with 55-gallon barrels, which they proceed to open up and spill intentionally. They then leave quickly. Upon examining the barrels, you discover they contain a known carcinogen. The local police cordon off the building, and you are told it will take at least a week to clean out the lobby and replace the carpet that has been contaminated. Incidentally, no employees can be allowed into the building unless they wear a hermetically sealed suit and carry their own air supply while the cleanup is going on.

These are all incredibly easy attacks to carry out. The first requires only a quarter for the payphone, the second a quick visit down a manhole with a pair of wire cutters, and the third a few friends and some toxic chemicals (which may or may not be hard to get ahold of). Then of course there is the skilled physical world attacker who can do real damage.

An email arrives in your CEO's inbox. Unless $50,000 is left in a paper bag on a busy street corner, your servers will be destroyed. Dismissing the threat, you all have a good laugh. Several days later over half your servers fail simultaneously, some with blue screens of death, others completely dead. After several weeks and a lot of long hours, you end up replacing most of the servers, almost all the RAM and CPUs, and a lot of expensive network and telecoms kit. Luckily your insurance covers it, but the downtime costs you several hundred thousand dollars. A few weeks later, another email arrives in your CEO's inbox asking for two paper bags with $50,000 each. Do you pay or wait to see if they can do it again? Worse yet, what if it is a competitor, who decides to pick a random day once a month?

This scenario is becoming all too possible. Electronics are becoming increasingly smaller; CPUs use increasingly thinner internal "wires" (although compared with .18 microns, a wire would be stupendously huge). This means they are more susceptible to power surges and related phenomena. Now the trick is, how does the attacker create a power surge? Well, since any straight piece of metal tends to act as a wave guide, all you need to do is provide a sufficiently strong wave that will be picked up and converted into electrical pulses. A strong enough wave can result in hundreds, thousands, tens of thousands or even more voltage in an extremely small timeframe, but long enough to cause damage.

The technology to create these waves is becoming increasingly accessible. The most exotic would be to use an atomic weapon of some sort. (Of course, if you possess one of these, then chances are you have bigger fish to fry.) At a very basic level, we have the HERF (High Energy Radio Frequency) gun. Simplified, it is a lot of capacitators (to store and release a large charge quickly) and some electronic components that you can buy at Radio Shack to create a radio frequency pulse that is directed. Various reports give the cost of these weapons as low as $500. While they do tend to be large and bulky, mounting one in the back of a van is not impossible. There are also documented cases of extremely small (15x7x3 cm) HERF guns, which would be about the size of a large book.

So what can you do to defend against these attacks? Shielding, in the form of copper sheeting, grounded properly can soak up these energy pulses before they hit your equipment. Unfortunately, this type of shielding is not cheap or easily performed. Pretty much the only people who do this are three-letter government agencies and the military. However, there are several excellent documents that cover this topic, if you do decide to look into it.

Another benefit of this type of shielding is that it largely blocks Tempest. Tempest is the science (some say art) of detecting electromagnetic radiation from various computing devices such as monitors, keyboards and printers, and reassembling them so that you know what the victim is seeing, printing or typing. Protecting cable is easier; running it in a solid metal pipe will deter a casual attacker, who if sufficiently armored will hopefully draw attention to themselves. (Hmm, what are they doing with a backhoe in our parking lot?)

Dealing with attacks that deny the use of an entire building (such as a bomb threat) is much more difficult. Having access to a hot site (a site with a complete complement of equipment, necessary software, etc.) is one possibility, but this is often very expensive. An alternative would be to allow users to telecommute, although this must be set up in advance (and introduces a whole new group of security issues).

However, if there is sufficient bandwidth, everyone could go home and work (which is how SecurityPortal operates on a daily basis — it is eminently possible). But if your server room is somehow damaged (HERF gun, power outage, etc.), then this will probably not work. One answer may lie in the new breed of companies called ASPs (Application Service Providers). These companies actually host the servers and software; the computers at your end act as terminals, displaying applications to users and letting them work with their data. An ASP could offer secure facilities to host services. By concentrating many (thousands or more) servers in one building, it becomes more economically feasible to employ techniques like shielding, or to build a bunker and drop everything 50 feet below the ground (for example thebunker.net in Britain).

Most of this boils down to DR (Disaster Recovery), but the typical image with DR is a fire, earthquake or other "natural" calamity. People rarely think of what a hostile attacker or competitor may do, ranging from a simple phonecall to hiring someone with a bucket of wet plaster (which poured into servers can be somewhat disastrous).

Most businesses and organizations can operate for limited periods without their computing infrastructure, but as time goes on the dependence will only grow. There are documented cases of a single employee doing something malicious, such as destroying backups and deleting online copies of data, which drove companies close to bankruptcy in some cases. Availability of services is becoming just as critical as securing access to your data, and the real world plays a large role in this. //






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.