It was 2015, heady days for Bitcoin and its proponents. Here, finally, was an Internet-native currency with the potential to revolutionize finance, enhance trading, and increase the security of transactions.
Bitfinex, a Bitcoin bank, had just deployed its multi-sig security feature, and its CFO was bragging about what this might mean for digital commerce:
“With our BitGo wallet solution it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.”
— Bitfinex CFO Giancarlo Devasini, 2015
First mistake, silly CFO. There’s nothing quite like a brag to motivate hackers. Fast-forward less than a year, and we find this predictable news in late July 2016:
“Hackers have stolen bitcoins worth about $65 million after attacking a major digital currency exchange.”
— CNN, 2016
That exchange? Bitfinex, of course. Now, hopefully chastened, these boastful executives are $65 million poorer.
Security on the Internet seems less and less likely to become reliable anytime soon. If anything, it seems headed in the other direction. The rate of hacking is increasing, as various barriers seem to fall before Moore’s Law. Simple human exploits work more often than one would hope — social engineering hacks, as these are called, are perhaps the most viable hacks of all.
This year’s US political race now has hacking as a central player, with one party’s servers hacked, allegedly by Russian government agencies, while the other party’s candidate cheers on from the sidelines, urging Russia to hack more in borderline treasonous language.
Cybersecurity has moved from the fringe to the cultural center, with Wikileaks, Snowden, Stuxnet, and myriad commercial hacks — including some of the world’s largest banks — adding to the list of infamy. The “Internet of things” has also added to security concerns, with a recent study finding that 75% of Bluetooth smart locks could be hacked open with ease. We broadcast personal and discernible data vapor trails nearly all of the time now.
At the same time, our media seems to get security backwards, with NPR and others scolding our military for using “outdated” technology — namely, floppy disks — to manage our nuclear arsenal. Given all this hacking of online government accounts, corporate accounts, and infrastructure, apparently our media also wants our nukes on the network, exposed to hackers. Because, you know, that’s more modern.
There is a combination of technophilia and naïveté at the heart of brave Internet security statements, taunts, and scolds. It’s as if everything has to be online, or it’s outmoded, when in fact, the answer to security likely involves a number of factors, some of them terribly old-fashioned and downright physical.
One example nicely illustrates why digital and analog need to be reconciled. Late last year, hackers knocked out power in Ukraine to about 80,000 residents for several hours. The outage might have lasted longer, but because the system is what some would call “antiquated,” authorities were able to reset the system by clicking circuit breakers back into place by hand. In a completely digital system, recovery might have taken much longer, and the system would have remained just as vulnerable.
There are clear benefits to analog systems, which our technophilia can cause us to overlook. As one security expert said in Bloomberg Businessweek in March 2016:
“You can’t lie to analog equipment. You can’t tell a valve that it’s opened when it’s closed. It’s physics.”
A circuit breaker is either tripped or not. A water spigot is either on or off. A reset or twist can restore the baseline state with ease in analog systems.
Analog controls can be simple, as the famous picture of Mark Zuckerberg with tape over his webcam and computer microphone shows. How the founder of a company that always pushes the boundaries of privacy himself enforces privacy is worth noting.
Adding analog controls delivers what security experts call “defense in depth” — meaning layers of security beyond the digital layer. Yes, that’s right — singular. Digital, even when layers are talked about, can’t achieve this yet, as one expert explains:
“Defense in depth means you have layers of protection. But digital, even when it claims to have multiple layers, is in a sense one layer. Penetrate that, and you could potentially no longer have another layer you need to penetrate.”
Finding one weak link in a digital security perimeter is often all it takes — a phished password, a disgruntled employee who wants to stick it to authority, an insecure video camera, a computer someone leaves on overnight, an old wifi-enabled printer with an old driver, and so forth. Once you’re past that one weak point, you’re in all the way.
Addressing the people issue is tougher. Many companies don’t pay enough heed to this aspect. How many of your organizations have annual security audits? How many train staff to avoid phishing schemes, to use strong passphrases, to report suspicious computer inquiries? How many keep sensitive systems under lock and key access, limited to staff with sufficient training, credentials, and liability? As the Sci-Hub scandal has shown, academic trust is probably too high. We need more skepticism — and training, and audits, and accountability — among the people handling systems (i.e., everyone) to meet the demands of the times. As we outsource more, these concerns amplify.
And don’t think that those mandatory password changes every 90-120 days are helping you much. A study earlier this year showed that once a password is stolen, it’s easy to guess the next one — and hackers usually are smart enough to get things they need to keep up with the password routines once they get in the first time. Also, if you have one of these policies, it can cause people to choose weaker passwords, because they know they’ll have to change them later — that is, they choose a simple one they won’t forget, and then often just add a number or letter at the end when requested to change it.
And social engineering is a deft art for some. Social engineering hacks feed on anxiety. As one expert is quoted in a recent story about the cybersecurity concerns around the Olympics in Brazil:
“Hackers prey on people’s enthusiasm.”
Simply state that a password needs to be confirmed, credentials may have been compromised, and use branding and a URL with reasonable verisimilitude, and you can get a few passwords from a group.
Ultimately, people are your best defense, but if they aren’t trained to spot problems, they can be your greatest liability. This need for adding people to the defensive framework for digital will only become more acute as more things become connected — pacemakers, insulin pumps, automobiles, mass transit controls, airplane control systems, prison door locks, home locks/thermostats/systems. Relying on a single layer of digital security, one that is constantly being stretched thinner, is foolhardy.
Another issue demanding non-digital solutions is the existence of under-capitalized start-ups in the security space. Drop the phrase “security solution” in a meeting with venture capitalists, and apparently the wallets open right up. However, some of these start-ups have been caught sending social security numbers in the open, and have been fined for it. The Federal Trade Commission is looking closely at these vendors and regulating them more strictly.
Solving problems on an infrastructure that is in the midst of so much change and a de facto arms race involving hackers, governments, and corporations, all pouring thousands of hours into cyberhacking and cyberwarfare and cyberespionage, makes for an uphill battle, even for well-funded and serious entrants into the security space.
Talking out loud about digital security is fraught with problems, as well, and fewer people are doing it. The boasting at the beginning of this post starts to hint at some reasons why. Outlining your security measures actually helps write a playbook for potential intruders. “Security through obscurity” may not always work, and “security through secrecy” may not always work, but together they can be potent defenses. Invisibility is a superpower.
But security threats are pernicious, and growing in their availability. Now, even a local police department or lone wolf may be able to hack your phone with relative ease, and you may never know it. An International Mobile Subscriber Identity (IMSI) catcher (also known as a Stingray or Hailstorm) is a device that fools your cell phone into thinking it’s a cell tower, then uses that connection to grab information, monitor calls, and so forth. With one in range, you could be hacked sitting at the airport or at a local restaurant, and not even realize it. Your phone has no idea it’s being fooled, and behaves normally.
IMSI catchers are falling in price, and their appeal within law enforcement makes it difficult for lawmakers and courts to decide how to handle the devices. In India, huge scandals have occurred in which politicians and lawmakers and celebrities were monitored for weeks on end, their call logs revealing sexual dalliances, dealmaking, and other nefarious behaviors. It’s comparable to the Murdoch scandals of hacked voicemails, but much more pernicious as it’s more easily done and there are fewer clear legal or technology protections.
There’s even speculation that your phone could download an app that would turn it into an IMSI catcher, so you could monitor your neighbors, kids, and spouse. Hack the cell signal, hack the phone.
Analog systems — switches, plugs, and “airplane mode” — have many security advantages over digital systems. First, they demand local management, meaning intruders or scalawags need to overcome actual physical barriers like distance and doors and fences before they can access analog systems. Even terrain can become a major barrier to intrusion — putting a core system inside or atop a mountain can exhaust and defeat potential intruders. This is one reason vast data centers are often in the middle of nowhere. In comparison, the landscape of digital is flat, and the physical exertion required to break into a system with even hours at the keyboard is relatively light, and certainly not as arduous or costly as traveling to a faraway place to throw a switch. Abetted by computers, the cost of hacking continues to edge toward zero.
But analog systems aren’t perfect, either. Anyone who has watched Penn & Teller’s Fool Us has seen analog hacks at work. If you’ve watched the show, you’ve also probably noticed how magician tradecraft can be shared between practitioners in an obscure manner, and how great the divide between experts and laypeople can be.
For the uninitiated, the format is made clear in the title — magicians come on to see if they can do a trick that Penn & Teller can’t explain or figure out. If they can, they get a “Fooled Us” or “FU” trophy, and a booking to perform with Penn & Teller in Las Vegas. Each magician tells a producer beforehand how they do the trick, so that someone can verify when Penn & Teller are fooled. In most cases, Penn & Teller are not fooled, but they are respectful of the art, so will explain in a very obscure manner how the trick was done, forcing a few key terms into their appreciation of the act so that the performer knows they’ve deduced his or her technique. In some cases, Teller will approach with a notebook containing a diagram of how it was done, and the performer will either confirm or deny the deduction.
When Penn & Teller are fooled, it can be amazing. Video below of one of the more famous instances. It’s a noteworthy segment, because you can see Penn & Teller sensing early on they’re going to be fooled — Teller is delighted and tickled, while Penn is frustrated and irritated:
The reason for this digression is to note that even physical, analog systems — like cards — can be hacked so effectively that trained, expert practitioners can be fooled. The security of analog is not perfect. The recent story of police using a 3-D printed fingerprint from a dead man to unlock his phone to see if that could help solve his murder is a blend of digital and analog leading to a security hack. No Minority Report eyeball extraction needed, and we now have digital technology bleeding into analog security with relative ease. ATM skimmers are another ingenious blending of analog and digital hacking.
For publishers and those who want to change the publishing world, the news on the cost front isn’t good. Security is another reason why digital will continue to be more expensive than print ever was. With multiple moving targets and some of the most expensive systems and talent involved, the trend is clear. As more information about our customers, our businesses, and our employees moves online, protecting it will be ever more important. We’ve seen fake peer review scandals as systems were compromised by devoted fraudsters. As we seek to close these gaps and others we have yet to discover, budgetary impacts — technology, people, and infrastructure — may be significant, and will certainly be ongoing. Even if these costs are passed along by cloud vendors and others, they will exist.
Ultimately, security is not an absolute state, but a relative state. Is it better now, or worse? Just like banks are robbed less often because of security cameras, cars stolen less often because of remote locking, and houses robbed less often because of security systems, the mode is risk reduction. Risk elimination is unrealistic.
What can we do to improve it? Train your people to avoid common pitfalls and audit their behavior. Train people to log out and shut down when they’re away from their computers. Encourage people to use your VPN when they’re in public spaces or on airplane wi-fi. Make sure key systems are behind lock and key. Improve ways to report suspicious emails to management. Create clear accountability for violations of security policies and practices. And, most importantly, make security a topic that you discuss more than once a year.
Personally, maybe use airplane mode more often. Maybe even turn your phone off at night. And maybe turn your router off at night. Those analog switches that click “off” and “on” with clear purpose have a major role in controlling access to your systems. Teach your kids to log out of games, how to use privacy controls, and so forth. Or have them teach you.
As long as there is something worth stealing, something at stake, there will be someone, somewhere, willing to try.
Discussion
6 Thoughts on "Locks, Keys, and Firewalls — Why Internet Security Requires Digital, Analog . . . and Diligent Humans"
The tallest person in the world will be able to pluck the highest fruit from the tree. Internet cunning, as with height, is likely to show an inverted U-type distribution. If that person, out there on one limb of the distribution, is on our side, then all should be well. Apart from digital/analog fiddling, we should be thinking about such persons and what steps could be taken to ensure he/she, and those close to them in the distribution, are on our side. Denying them access to the research literature (SciHub comes to mind) will almost certainly put their backs up.
You’re assuming that the hackers behind Sci-Hub were really after papers. What they got were university credentials, which provide a lot of access thanks to broad SSO policies for university systems. Their ability to do this was mostly a social engineering hack — phishing gullible people, exploiting anti-publisher attitudes. I’ll bet there is good business now for consultants training and auditing security at universities. Diligent people are our best defense, but real layers including physical barriers also help.
DILIGENT PUBLISHERS
Not disputing your excellent advice. The lady who gave us SciHub gave us her rationale, and I believe her. The diligent people you call for should include diligent publishers who can think their way to reconciling open-access with the dollar profits so necessary to sustain their operations.
Full disclosure: With the support of various publishers, in the early 1990s I founded Bionet.journals.note, which was, in some respects, a precursor of Scholarly Kitchen.
“Now, hopefully chastened, these boastful executives are $65 million poorer.”
No, they’re not. Everybody is out 36%, and users are being compensated with a form of stock option.
Yes, there’s an entire evolving story about how Bitfinex executives “socialized” the losses, essentially making it clear that users of digital currencies may be liable for theft, essentially self-insuring. Will there be an FDIC for digital currencies? We shall see. But for now, those trading in digital currencies are also bearing the risk premium for theft.