Wednesday, May 12, 2021

Security Attacks in the Real World

The physical world is a large, messy place. It’s full of
people, and some of these people might be hostile attackers. Most
companies respond to this threat with locked doors, CCTV,
security guards and, if they can afford it, secure installations.
Most companies are not at all equipped to deal with an attack via
the physical world.

The Physical World and Manmade Disasters

It’s 8 a.m. on a Monday, and
someone phones a bomb threat in. Several root
exploits for Bind 4 and 8 were made public that day, and while exploit
code was not publicly available, it did exist. How will your
tech staff upgrade the Bind servers? Can they go home and access
the network, and do the upgrades from there? Meanwhile, an
attacker is using this window of opportunity to hijack several of
your DNS servers.

It’s 1 p.m. on Friday and your computer suddenly reports a
network error. Upon further inspection it appears that the
servers are fine, and everyone in building A can access them, but
all the people in building B are unable to get at the server
(housed in building A). Eventually a continuity check is done on
the cables connecting the two buildings, and you find they aren’t
transferring anything. After a physical inspection of the cable,
you find it has been cut in several places in a service tunnel
and must be completely replaced. Hopefully it will be fixed by
Monday morning.

It’s lunchtime on a Tuesday, a week before your financial
year end. Several people dressed as carpet cleaners come into
your lobby with 55-gallon barrels, which they proceed to
open up and spill intentionally. They then leave quickly. Upon
examining the barrels, you discover they contain a known carcinogen. The
local police cordon off the building, and you are told it will
take at least a week to clean out the lobby and replace the
carpet that has been contaminated. Incidentally, no employees can
be allowed into the building unless they wear a hermetically
sealed suit and carry their own air supply while the cleanup is
going on.

These are all incredibly easy attacks to carry out. The first
requires only a quarter for the payphone, the second a quick
visit down a manhole with a pair of wire cutters, and the third a
few friends and some toxic chemicals (which may or may not be
hard to get ahold of). Then of course there is the skilled
physical world attacker who can do real damage.

An email arrives in your CEO’s inbox. Unless $50,000 is left
in a paper bag on a busy street corner, your servers will be
destroyed. Dismissing the threat, you all have a good laugh.
Several days later over half your servers fail simultaneously,
some with blue screens of death, others completely dead.
After several weeks and a lot of long hours, you end up replacing
most of the servers, almost all the RAM and CPUs, and a lot of
expensive network and telecoms kit. Luckily your insurance covers
it, but the downtime costs you several hundred thousand dollars.
A few weeks later, another email arrives in your CEO’s inbox
asking for two paper bags with $50,000 each. Do you pay or wait
to see if they can do it again? Worse yet, what if it is a
competitor, who decides to pick a random day once a month?

This scenario is becoming all too possible. Electronics are
becoming increasingly smaller; CPUs use increasingly thinner
internal “wires” (although compared with .18 microns, a wire would
be stupendously huge). This means they are more
susceptible to power surges and related phenomena. Now the trick
is, how does the attacker create a power surge? Well, since any
straight piece of metal tends to act as a wave guide, all you need
to do is provide a sufficiently strong wave that will be picked
up and converted into electrical pulses. A strong enough wave
can result in hundreds, thousands, tens of thousands or even more
voltage in an extremely small timeframe, but long enough to cause
damage.

The technology to create these waves is becoming
increasingly accessible. The most exotic would be to use an
atomic weapon of some sort. (Of course, if you possess one of these,
then chances are you have bigger fish to fry.) At a
very basic level, we have the HERF (High Energy Radio Frequency)
gun. Simplified, it is a lot of capacitators (to store and release
a large charge quickly) and some electronic components that you can
buy at Radio Shack to create a radio frequency pulse that is
directed. Various reports give the cost of these weapons as low
as $500. While they do tend to be large and bulky, mounting one in
the back of a van is not impossible. There are also documented
cases of extremely small (15x7x3 cm) HERF guns, which would be
about the size of a large book.

So what can you do to defend against these attacks? Shielding,
in the form of copper sheeting, grounded properly can soak up
these energy pulses before they hit your equipment. Unfortunately,
this type of shielding is not cheap or easily performed. Pretty much the only people who do this are three-letter government
agencies and the military. However, there are several excellent
documents that cover this topic, if you do decide to look into
it.

Another benefit of this type of shielding is that it largely
blocks Tempest. Tempest is the science (some say art) of
detecting electromagnetic radiation from various computing
devices such as monitors, keyboards and printers, and
reassembling them so that you know what the victim is seeing,
printing or typing. Protecting cable is easier; running it in a
solid metal pipe will deter a casual attacker, who if
sufficiently armored will hopefully draw attention to
themselves. (Hmm, what are they doing with a backhoe in our
parking lot?)

Dealing with attacks that deny the use of an entire building
(such as a bomb threat) is much more difficult. Having access to
a hot site (a site with a complete complement of equipment,
necessary software, etc.) is one possibility, but this is often
very expensive. An alternative would be to allow users to
telecommute, although this must be set up in advance (and
introduces a whole new group of security issues).

However, if
there is sufficient bandwidth,
everyone could go home and work (which is how SecurityPortal operates
on a daily basis — it is eminently possible). But if
your server room is somehow damaged (HERF gun, power outage,
etc.), then this will probably not work. One answer may lie in the new breed of
companies called ASPs (Application Service Providers). These companies actually host the servers and software;
the computers at your end act as terminals,
displaying applications to users and letting them work with
their data. An ASP could offer secure facilities to
host services. By concentrating many (thousands or more)
servers in one building, it becomes more economically feasible to
employ techniques like shielding, or to build a bunker and
drop everything 50 feet below the ground (for example
thebunker.net in Britain).

Most of this boils down to DR (Disaster Recovery), but the typical image with
DR is a fire, earthquake or other “natural” calamity. People rarely
think of what a hostile attacker or competitor may do, ranging from
a simple phonecall to hiring someone with a bucket of wet plaster (which poured into
servers can be somewhat disastrous).

Most businesses and organizations
can operate for limited periods without their computing infrastructure, but
as time goes on the dependence will only grow. There are documented cases of
a single employee doing something malicious, such as destroying backups and
deleting online copies of data, which drove companies close to bankruptcy
in some cases. Availability of services is becoming just as critical as securing
access to your data, and the real world plays a large role in this. //

Similar articles

Latest Articles

Database-Tuning Platform Launches and...

PITTSBURGH — A team out of Carnegie Mellon University is launching its automatic database-tuning product today with the help of $2.5 million in funding.   OtterTune,...

Top 10 Professional Services...

Professional services automation (PSA) software aims to offer service-based companies most of the software they will need to run their businesses in one package....

What is Data Aggregation?

Data aggregation is the process where raw data is gathered and presented in a summarized format for statistical analysis. The data may be gathered...

Dell APEX: Our...

One of the missteps IBM made last century was collapsing their sales model, which was services based, to generate a short-term revenue spike. Up...