If Cyber Attacks Go Personal

We tend to think cyber attacks will be directed at institutional weaknesses: power grids, communications, etc. But the following scenario imagines that we are equally vulnerable at a personal level. Bruce Schneier links to this:

The U.S. secretary of defense had wondered this past week when the other shoe would drop. Finally, it had, though the U.S. military would be unable to respond effectively for a while.

The scope and detail of the attack, not to mention its sheer audacity, had earned the grudging respect of the secretary. Years of worry about a possible Chinese “Assassin’s Mace” — a silver bullet super-weapon capable of disabling key parts of the American military — turned out to be focused on the wrong thing.

The cyber attacks varied. Sailors stationed at the 7th Fleet’s homeport in Japan awoke one day to find their financial accounts, and those of their dependents, empty. Checking, savings, retirement funds: simply gone. The Marines based on Okinawa were under virtual siege by the populace, whose simmering resentment at their presence had boiled over after a YouTube video posted under the account of a Marine stationed there had gone viral. The video featured a dozen Marines drunkenly gang-raping two teenaged Okinawan girls. The video was vivid, the girls’ cries heart-wrenching, the cheers of Marines sickening. And all of it fake. The National Security Agency’s initial analysis of the video had uncovered digital fingerprints showing that it was a computer-assisted lie, and could prove that the Marine’s account under which it had been posted was hacked. But the damage had been done.

There was the commanding officer of Edwards Air Force Base whose Internet browser history had been posted on the squadron’s Facebook page. His command turned on him as a pervert; his weak protestations that he had not visited most of the posted links could not counter his admission that he had, in fact, trafficked some of them. Lies mixed with the truth. Soldiers at Fort Sill were at each other’s throats thanks to a series of text messages that allegedly unearthed an adultery ring on base.

The variations elsewhere were endless. Marines suddenly owed hundreds of thousands of dollars on credit lines they had never opened; sailors received death threats on their Twitter feeds; spouses and female service members had private pictures of themselves plastered across the Internet; older service members received notifications about cancerous conditions discovered in their latest physical.

Leadership was not exempt. Under the hashtag #PACOMMUSTGO a dozen women allegedly described harassment by the commander of Pacific command. Editorial writers demanded that, under the administration’s “zero tolerance” policy, he step aside while Congress held hearings.

There was not an American service member or dependent whose life had not been digitally turned upside down. In response, the secretary had declared “an operational pause,” directing units to stand down until things were sorted out.

Then, China had made its move, flooding the South China Sea with its conventional forces, enforcing a sea and air identification zone there, and blockading Taiwan. But the secretary could only respond weakly with a few air patrols and diversions of ships already at sea. Word was coming in through back channels that the Taiwanese government, suddenly stripped of its most ardent defender, was already considering capitulation.

Institutions are made of individuals, and attacking individuals can cripple institutions. But it is also enormously more difficult to attack many individual accounts. I find this scenario compelling, implausible, and a useful exercise in thinking laterally.

Hackers steal tools from NSA, hack everyone with them

From the New York Times:

Hackers exploiting data stolen from the United States government conducted extensive cyberattacks on Friday that hit dozens of countries, severely disrupting Britain’s public health system and wreaking havoc on tens of thousands of computers elsewhere, including Russia’s ministry for internal security.

Link

There are really only two things that need to be said about this, both said well by others:

  1. “Remember last year when a whole bunch of people wanted Apple to create a special version of iOS for the U.S. government, under the promise that it would never escape their safe hands and get into the wild?” John Gruber, Daring Fireball (link)
  2. “Either everyone gets security or no one does.” Bruce Schneier (link)

The point is there’s no such thing as a security backdoor that “only I can use.” If you want systems to truly be secure, they must truly be secure.

Don’t Click Links in Emails, John Podesta Edition

The news today thinks it knows how John Podesta, Hillary Clinton’s campaign chairperson, got badly hacked.

John gets an email. It’s allegedly from no-reply@accounts.googlemail.com. It tells him that “someone” from the Ukraine tried to log in to his Gmail account, and he should change his password.

John’s IT person inexplicably says the email is legit and that he should change his password immediately. John apparently clicks the provided link and gives his Gmail password away.

Red flags that the email is not legit:

  • The subject is *Sоmeоne has your passwоrd*. Hmm… odd phrasing. Odd-looking o’s.
  • The change password link is to a bitly.com address. (Don’t go there.)

Do not click links in emails. Especially do not click links in odd emails, or links that go through link-shortening services.
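As an added example (not code from the post), a small Python triage check for the two red flags listed above: non-Latin letters substituted into an otherwise Latin subject line, and links routed through a URL shortener. The sample subject and body are constructed to mirror the message described, and the shortener list and the bit.ly path are assumptions.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed sample modelled on the message described in the post: the subject
# uses Cyrillic "о" (U+043E) for Latin "o" and the reset link goes through bit.ly.
SAMPLE_SUBJECT = "S\u043eme\u043ene has your passw\u043erd"
SAMPLE_BODY = (
    "Someone just used your password to try to sign in to your Google Account.\n"
    "Change password: https://bit.ly/PLACEHOLDER\n"  # path is a placeholder
)

# Assumed list of common link-shortening hosts; extend it for your environment.
URL_SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "tinyurl.com", "t.co", "ow.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def homoglyph_letters(text):
    """Return (index, char, script) for non-Latin letters in otherwise-Latin text.

    Script comes from the first word of the Unicode name ("CYRILLIC SMALL LETTER O").
    Text with no Latin letters at all is not mixed-script and yields [].
    """
    letters = [(i, c, unicodedata.name(c, "UNKNOWN").split()[0])
               for i, c in enumerate(text) if c.isalpha()]
    if not any(script == "LATIN" for _, _, script in letters):
        return []
    return [(i, c, s) for i, c, s in letters if s != "LATIN"]

def shortener_links(body):
    """Return the URLs in body whose host is a known link shortener."""
    found = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in URL_SHORTENERS:
            found.append(url)
    return found

def triage(subject, body):
    """Return a list of red-flag descriptions; an empty list means none found."""
    flags = []
    glyphs = homoglyph_letters(subject)
    if glyphs:
        scripts = sorted({s for _, _, s in glyphs})
        flags.append(f"subject mixes scripts {scripts}: {len(glyphs)} non-Latin letter(s)")
    short = shortener_links(body)
    if short:
        flags.append(f"link(s) behind a URL shortener: {short}")
    return flags
```

Running `triage(SAMPLE_SUBJECT, SAMPLE_BODY)` reports both flags; the same subject typed with ordinary Latin o's and a link to a Google domain reports none.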

I don’t really blame Mr. Podesta. We expect too much of users regarding computer security. But still. This is avoidable.