WC.com

Sunday, August 30, 2020

The Physical Premises of Cyber Security

Comedian Jeff Foxworthy waxes eloquent about learning that aircraft windshields are thoroughly tested; he says "they shoot chickens out of a cannon at them." He notes that he "remembers career day in high school," and that included "plumbers and lawyers." But, he does not recall "a booth where you could sign up to shoot chickens out of a cannon at the windshield of an aeroplane (phon)." He believes at his high school there would have been a line for such a booth. There might be those who would do such a job simply for the novelty?

That comedy routine came back to me recently when I ran across a story on Wired.com that explains a "Courthouse Break-in Spree" and "White-Hat Hackers." When that article was published on August 5, 2020, the Workers' Compensation Hot Seat was presented the next day: Cybersecurity Threats: What You Can’t See Can Hurt You. Cybersecurity has been on my mind this year, with multiple posts devoted to the topic: Cyber Threats 2020 (July 2020), Cybersecurity 2020 (November 2019), Cybersecurity, 2020's Hot Topic (January 2020), and Cybersecurity 2020 Again (April 2020).

The Wired article introduces the idea that people are paid to attempt to breach computer system security. They are the "White-Hat Hackers" who are engaged to test the measures that have been put in place to keep networks and data safe from those who would misuse or abuse them. This apparently includes both cyber and physical attack simulations. The physical attacks involve actually breaking into buildings (by what are called "physical penetration testers" and "security consultants") to see what cyber access can be achieved, and it is the focus of the Wired article. There are companies that specialize in such cyber-testing (I do not recall that table from the high school career day, but then there were not really computers back then, or perhaps Aeroplanes, it was a long time ago). 

Two individuals were hired by the Iowa court system (the judicial branch of state government) to test the computer security afforded in various courthouses. This assignment may immediately cause one to question who owns those courthouses. That is a valid concern that these "White Hats" might have wished to ponder. This ownership of premises point raises an undercurrent of the separation of powers that exists in government. While the state court system hired these individuals to break into courthouses, that court system does not own those courthouses. They are the property, apparently, of the counties. 

As you can imagine, these individuals become fairly adept at working around security. The article describes how they "case their targets," and find outside doors unlocked, alarms unarmed, and engage in tricks such as "lock-shimming." They wander through facilities in which they pick locks, install devices to monitor networks, and even find passwords written on post-it notes or other fairly conspicuous locations. In short, they find opportunities for network breaches. 

In September 2019 they broke into a courthouse and went about their business. Eventually, they set off an alarm, which attracted law enforcement. Though the police arrived, they ironically could not enter the secure courthouse. The two "White-Hat Hackers" exited the building, greeted the police and identified themselves. They presented the responding officers with a letter from their employer explaining their mission. This led to some friendly discussion with police, which included one officer having a Foxworthy-type question: "How does one get a job like that?" A fair question.

But, the situation devolved when the county sheriff arrived. After comprehending the situation, the Sheriff noted "This is not state property, this is county property." Later in the conversation, he returned to that theme with "this isn't the Iowa court's property." The Sheriff had the two arrested for trespassing and burglary, mugshots were taken, and they appeared before a judge the next morning (in the courthouse they had broken into). The judge expressed disbelief in their mission telling them "You're going to have to come up with a better story than that." Despite calls from the jail the previous night, no one from the state court system (the client) appeared in court to corroborate their mission or status.

As time passed, the two "hackers" found themselves charged with crimes. There were apologies and yet acrimony between the state court system, the "hackers'" employer, and the county. There were allegations that the physical break-in had not been anticipated by those at the state that hired the "hackers," and evidence that the state employees certainly knew. Eventually, the Courts conceded that they had instructed the "hackers" and intended a "physical penetration"; however, a statement was then issued that the state and the "hackers" had "different interpretations of the scope of the agreement."

Eventually, the charges against the "hackers" were dropped "with just days until their trial." The computer "security industry" has taken the situation as a warning, a "teachable moment." There are implications asserted involving the interrelationship in Iowa between the legislative and judicial branch, as well as between the judicial branch and the counties. It is a long article with a variety of interesting details. 

In the end, there are a number of lessons. First, it appears that penetrating computer networks either in a cyber or physical sense is not that difficult. The failures of users to secure networks, protect passwords, and more are disconcerting. Beyond that, for those who would undertake such testing, the lesson appears to be two-fold: (1) get the scope and intent of the mission in writing beforehand, and (2) notify the local police in advance of any such "physical penetration" of a facility. Those likely each apply equally whether the testing is cyber or physical in nature.

That reminded me of a vehicle repossession fellow I knew years ago: "When you go to steal a car, always find a payphone and call the police just before you do, but not too long before you do." That old fellow had been chased by an unknowing sheriff or two and had been shot at by a few car buyers as well. There is danger in this world. It is astounding how much "street knowledge" is required to perform certain jobs well. 

The Wired story illustrates the dangers to networks and processes. It reminds us of the separation of powers both among state branches and among the various levels of state government. It is an intriguing story with multiple warnings on cybersecurity. But, it never answers the inquiry of "How do you get that job" which would perhaps be of the most interest to Mr. Foxworthy. Apparently, the answer to that is apply. The experts say that jobs across the board in cybersecurity are plentiful, well-paying, and waiting for graduates.

Are your passwords written on Post-it notes stuck to the bottom of a desk drawer or keyboard? Worse, is it your dog's name or similarly simple?