1: All Security Involves Trade-offs
Everyone makes security trade-offs every day, in a thousand ways: brushing teeth, locking the house, the car we drive, where we drive, buying food, and so on. (7)
Security is both a feeling & reality. (9)
"Security is about preventing adverse consequences from the intentional and unwarranted actions of others". (11-2)
- Security system: set of things put in place or done to prevent negative consequences.
- Protecting assets from accidents is safety; protecting assets from intentional actions is security.
- Attacker: performs intentional & unwarranted actions. Note that attackers can be good guys or bad (police or criminals).
- Attacks: intentional unwarranted actions, a specific way to attempt to break a security system.
- Assets: objects of attacks, small (your wallet) or large (national infrastructure).
- Countermeasures: individual, discrete, & independent security components which together make up a security system.
5-step process to analyze & evaluate security systems, technologies, & practices
- What assets are you trying to protect?
- What are the risks to those assets?
- How well does the security solution mitigate those risks?
- What other risks does the security solution cause?
- What costs and trade-offs does the security solution impose?
2: Security Trade-offs Are Subjective
Extreme trade-offs are easy. Protect yourself from credit card fraud by never using a credit card. Prevent terrorists from taking over planes by grounding all planes. (18)
Swiss door locks on homes: hard to pick. Require keys that can't be easily duplicated by common equipment. Key can be duplicated only by lock manufacturer at written request of property owner. Therefore, many Swiss families have only 1 or 2 house keys. (19)
Studies show most shoplifting takes place in fitting rooms. Why not remove fitting rooms? Sales would then decrease, and that trade-off doesn't outweigh the loss from shoplifting. (19)
Threat: potential way an attacker can attack a system. Risk: Likelihood of threat & seriousness of successful attack. (20)
Insurance is a risk management tool, allowing the insured to take risk & pass it along to someone else for a fee, turning a variable-cost risk into a fixed-cost expense, which is better for budgets. (21)
Different people & organizations have different tolerances for risk, making value judgments about the risk. Those judgments will of course differ. (22-3)
Perceived vs. actual risks (26-7)
- People exaggerate dramatic but rare risks & downplay common risks. We worry more about sharks, kidnappers, & terrorism instead of driving in our cars.
- People have trouble estimating risks for anything that is not normal to them.
- Personified risks are seen as greater than anonymous risks.
- People underestimate risks they take willingly & overestimate risks they can't control.
- People overestimate risks that are publicized.
As society & technology have gotten more and more complicated & specialized, it has become impossible for normal folks to learn everything they need to know about all the risks (how do you evaluate airplane safety? drug safety?). Therefore, we rely on proxies. (29, 36)
3: Security Trade-offs Depend on Power and Agenda
Players: the different parties, each with their own subjective perceptions of risks & trade-offs, involved in any security situation. (33)
Agenda: A player's own analysis of the security situation & internal and external non-security considerations. (33)
Proxy: a player who acts in the interest of other players. Remember, proxies have their own agendas too. (36)
Security theater: security countermeasures that provide the feeling of security instead of the reality. (38)
Nokia spends far more on battery security than on communications security. Battery security system senses when a 3rd-party battery is used & switches into maximum power-consumption, wearing the battery down faster, thus ensuring that consumers stick to Nokia batteries. (39)
Externality: in economics, when one player's decision affects other players not involved in the decision. A company saves money by dumping waste in a river, which washes downstream to a small town. (42)
4: Systems and How They Fail
Adding security to anything requires a system. No matter how simple the original goal, systems are complex. (48)
System: a collection of simpler components that interact to form a greater whole. Machines together form a system. Also, complex social, political, & economic processes. Collections of interacting processes. (48)
Emergent properties, aka unintended consequences: one system will come to interact with, & affect, other systems in surprising ways. (49)
Examples of emergent properties (50):
- Early bank robbers would threaten the manager's family or shoot employees one by one until he opened the vault. As vaults got harder to blow open, robbers would kidnap the manager's family.
- Locks led to lock picking.
Security is only really tested when something goes wrong. Insecurities can exist for yrs before something goes wrong. Your home has never been broken into? Maybe no one has tried, or maybe many have tried and failed: both situations look the same. (50)
Most systems (cars, phones, government) are useful for what they do; security systems are useful because of what they don't allow to be done. Security experts worry more about how systems don't work, about how they react when they fail, how they can be made to fail. (50-1)
Someone was showing B.S. his company's network security operations center, confident it could respond to any security situation. B.S. asked what if an attacker calls in a bomb threat first, so everyone leaves the operations center? Oops. In the same way, the boy killers at Westside Middle School in Jonesboro, Arkansas set off the fire alarm 1st so everyone rushed outside, where they could be shot. 5 were killed, 10 were wounded. (52)
Security is a binary system: it works or it doesn't. However, it doesn't necessarily fail entirely or immediately. An attacker can use a small break to break the entire system. (52)
Systems have seams, where the vulnerabilities exist. For instance, armored cars are safe, and banks are safe. What about when the guards are walking with the money from the armored car into the bank? A seam. (54)
Jeweler's Building in Chicago. Built in 1926. Designed so delivery vehicles can drive directly into the building, onto large elevators, & end up on the floor they need to be on to make the delivery. (54)
Passive failures: system fails to take action when it should, or does what it's supposed to but at the wrong time. Active failures: system fails by taking action when it shouldn't. Most of the time, active failures (false alarms) are far more common than passive failures. This therefore affects the innocent users rather than the attackers, since attacks are by definition rare. (54)
Afghanistan during the Soviet invasion: rebels approach Soviet base during night & throw rabbit over fence. Lights, alarms, shooting, & Soviets realize they killed a rabbit. The next night, the same thing. Eventually, Soviets turn off sensors, & rebels can penetrate the base. (56)
Soviet embassy in Wash., DC: whenever there was a thunderstorm, US spies fired sugar pellets against embassy window. Motion sensors go off. Eventually, Soviets turn off sensors after too many thunderstorms, allowing US to spy. (56)
Public hangings in olde England were a prime time for pickpockets. Weddings & funerals are a prime time for robbers today. (56)
In 1985, after a volcanic eruption buried Armero, Colombia, 2 residents came back a few days later to dig out the bank & rob it. (56)
All systems will fail. These words make no sense when discussing security: unbreakable, absolute, unforgeable, impenetrable. (57)
Mercedes engineer showed that if a car is too strong, the passengers absorb the impact, so he invented the crumple zone: part of the car that will crumple in predictable ways, absorbing the collision's energy & thereby protecting the passengers.
5: Knowing the Attackers
Attackers can be categorized by motivations, objectives, expertise, access, resources, & risk aversion. (59)
Attackers bring with them the expertise, access, manpower, & time they have available to them or can obtain. (60)
In 1978, Stanley Mark Rifkin was a consultant at Security Pacific National Bank in L.A. Using his insider knowledge of the money transfer system, he moved millions of dollars into a Swiss account & then converted that money into diamonds. He also programmed the computers to automatically erase the backup tapes that would incriminate him. He bragged about it, so he got caught. (62)
In the late 1980s, German co. Henkel built a textile chem. plant in China. By the time it opened, a duplicate plant was already running down the road, owned by Chinese. (65)
After the Libyans bombed the La Belle Berlin disco in 1986, Pres. Reagan announced that we knew Libya had done it, thus compromising the fact that we could eavesdrop on Libyan embassy messages to and from Tripoli. (68)
Lucas Helder put a series of pipe bombs in mailboxes around the Midwest in order to leave a pattern in the shape of a smiley face on a map. (70)
6: Attackers Never Change Their Tunes, Just Their Instruments
Around 600 BCE, Athenian lawgiver Solon fouled water supply of Krissa, a city he was attacking, with hellebore root, causing diarrhea. In medieval Europe, attackers would catapult dead animals into cities to cause plague. Tartars catapulted corpses of plague victims into Kaffa in 1346. British gave Indians smallpox-infected blankets. Napoleon tried to infect Mantua, Italy with swamp fever in 1797. (73)
I'm Sorry attacks, aka plausible deniability: "errors" that attackers can make & then apologize for if caught. (74)
Martin Guerre: peasant living in Artigat, France, near Toulouse. Disappeared in 1548. 8 yrs later, "Martin" returned, recognizing people in the community. Returned to his wife & fathered 2 more children. Trial in 1560 to determine who he really was. Sentenced to death as an imposter. Appealed to a Parliament, & on the day he was to be acquitted, a one-legged man entered town, claiming to be the real Martin Guerre, dooming the other one to be hanged. (74-5)
In 1994, Citibank's computers were attacked by criminals from St. Petersburg, Russia. Millions of dollars were stolen. (76)
Ring of thieves in Iowa collected license plate numbers off luxury cars in airport's long-term parking lot, then retrieved home addresses from DMV centers, & then robbed homes, knowing that the people were gone. (77-8)
Possible attacks depend on the scope of the assets you're defending, which in turn depends on your agenda. A burglar alarm defends your home & encourages the burglar to hit the next-door house, which meets your agenda of protecting your house but not the agenda of the police. (79)
Pseudoephedrine was originally available in bottles of 100. Manufacturers assumed the main problem was shoplifting. Actually, speed manufacturers bought the bottles, so shoplifting wasn't the problem. The easy availability of large quantities was. Manufacturers switched packaging so each tablet had to be punched out by hand, making it a pain in the rear for speed makers to get all the tablets they needed. (79)
Raiders of the Lost Ark: Indiana Jones is threatened by a large man with a scimitar. Indy shoots him instead. He cheated in the face of a potential attack and thereby succeeded. During the Middle Ages, treasure was kept in churches & monasteries because no Christian would steal from them, since his soul would go to Hell. This didn't deter the Vikings, who didn't believe in Christianity or Hell. (80)
D. B. "Dan" Cooper hijacked plane flying from Portland to Seattle on 24 November 1971, claiming he had a bomb. Received $200,000 & 4 parachutes on the ground in Seattle. Somewhere over southwest Washington at 10,000 feet, he lowered the plane's back stairs & parachuted out. Never caught. Cheated: lots of effort securing entry & exit to plane, but nothing in mid-air. Another cheat: asked for 4 chutes, so that the FBI had to assume he was going to make the plane crew jump too & couldn't disable any of the chutes. (81)
Threat analysis, aka risk analysis: examining an asset & trying to imagine all possible threats against that asset. Must think systemically. (82)
7: Technology Creates Security Imbalances
British Army used machine gun to create security imbalance at Battle of Ulundi in 1879, killing Zulus. Radio gave users in WWI an advantage over those who didn't use it. In WWII, security imbalances created by radar, cryptography, & atomic bomb. (88)
Complex systems have more problems when they are nonsequential & tightly coupled. Nonsequential: components don't affect each other in an orderly fashion. Tightly coupled: change in one component rapidly sets off changes in others. (90-1)
Technology often leads to standardization, which makes possible Class Breaks: attacks that break every instance of some feature in a security system. Examples: making phone calls for free with a Cap'n Crunch whistle. Mexican one peso coin (worth about 1/2 a cent) would work instead of a $1.50 token in toll machines on bridges in NYC. Connecticut Turnpike tokens (worth $0.175) worked in NYC subway turnstiles (supposed to be $0.90)—the same company made both tokens. (93)
Once a class break is figured out, an attacker can use automation to attack a far greater number of systems, making the attacker far more dangerous. (94)
1st computers were built by British to crack German military communications encrypted by Enigma machines during WWII. (95)
In 1970s, Shah of Iran bought intaglio currency printing presses for the Tehran mint. When Khomeini seized power, he started printing $100 bills instead of Iranian rials. US Treasury called these bills "supernotes" or "superbills". One of the main reasons US currency was redesigned in 1990s. (95)
Leverage: tech. gives attackers leverage so they can do more. Class breaks give attackers leverage so they exploit one vulnerability to attack everything affected by that class break. Automation gives attackers leverage to exploit far more systems. Technique propagation gives attackers leverage because they can try out attacks they don't even understand. (99)
Asymmetric threat: leveraged attack by a small group. Yale economist Martin Shubik said one way to think about different periods in history is to chart the number of people ten determined men could kill before being stopped. The number was level for most of history, but has gone up dramatically in recent decades. (100)
8: Security Is a Weakest-Link Problem
Create a weak link & exploit it. You can't open a bag of potato chips. Make a tiny tear with your teeth, & it rips open easily. (103)
Defenders have to consider every possible attack at every possible point. Attackers have to only choose one attack & concentrate on that. (104)
Minimize problems caused by the weakest link (105):
- Defense in depth: 2 walls instead of 1. 1 wall with razor wire on the top.
- Compartmentalization: walls around every building instead of 1 wall around the city. Divide assets into smaller pieces and secure them separately. (107-8)
- Choke points: force attackers to only come in at one or two places, narrowing their range of possible attacks. Force people, goods, or data into a narrow channel that is more easily secured. However, choke points only work if there's no way around them. (109)
Iroquois Theater in Chicago advertised as "absolutely fireproof" because it had an asbestos curtain that would drop in the event of a fire backstage, thus protecting the audience. Because they were sure it was foolproof, they didn't bother with sprinklers or any other safety mechanism. On 30 December 1903, a fire erupted when a backdrop ignited. The curtain dropped, but got caught on a stage light. The doors to get out were locked or required the use of a small lever. 603 died. BTW: the curtain wasn't even made of asbestos; instead, it was constructed of cotton. (106)
Ants tell friend vs. foe by smell. Beetles sneak into an ant colony, play dead if attacked, & get the ants' scent on them. At that point, they can wander about eating ant larvae safely. (107)
One type of defense in depth: overengineering, which brings better defense at the expense of more complexity. 2 kinds of overengineering: 1. Make it more redundant (airplanes), or 2. Give it greater capacity (buildings). (107)
In Russia, more drivers installed security that makes cars impossible to hotwire. As a result, carjackings increased, which is far more dangerous for the driver than mere theft. (113)
B.S. was standing in a queue after 9/11, waiting to go thru security at an airport. Realized that bombings would now occur in the line instead of in the waiting area. (113)
Up to early 1970s, people could take guns & rifles on planes. 1973: hijackings occur, so metal detectors & X-ray machines put into place for passengers & luggage. 1985: cleaning staff hide guns & grenades in lavatory so terrorists can hijack TWA plane, so ground crews now have background checks performed on them. 1986: terrorist hides explosives in luggage of unknowing girlfriend, so passengers asked if they packed own bags. 1980s: terrorists smuggle bombs on checked luggage but don't board plane, so airlines now don't fly luggage without the passenger, & checked luggage is X-rayed. (115-6)
9: Brittleness Makes for Bad Security
Bad security is brittle instead of resilient. Brittle security fails badly. If one part breaks, it all breaks completely. Minor problems turn into major problems, and major problems turn into disasters. (119-20)
A system's resilience is the most important security property it has. (121)
Automated security is usually static: its response is one thing only. Car alarm goes off when car is disturbed. Card reader lets holder of correct cards into building. Dynamic defense that can adapt quickly is far better. (122)
Static security works best against copycats who repeat attacks; innovation requires dynamic security. (123)
Some spiders cut large bugs free that might damage the web. Web more important than feeding. (123)
Class breaks are more likely in a homogeneous system, but they can happen in a diversified system. (124)
Irish Potato Famine of 1845-6 caused by a fungus. Only one type of potato was planted, on land that couldn't support other crops, so the effects of the fungus were magnified. (125)
Secrets that are difficult to change, & global or system-wide secrets, are brittle & fail badly. The secret door, the one password, how to get into the cockpit. (126)
Secrets are hard to generate, transfer, & destroy safely. (127)
Many safes have secret drill points, spots in the safe that are less armored than the rest & which, if drilled, allow the lock to be removed or boltwork to be retracted. Only supposed to be known by salesmen, manufacturers … & criminals. (127)
Default to insecure behavior: if secure system doesn't work, system reverts to something less secure instead of shutting down. Can't verify credit cards? Take 'em anyway. Encryption key lost? Send email in the clear. (128)
10: Security Revolves Around People
14 December 1999: Ahmed Ressam tried to enter US by ferry from Victoria Island, British Columbia, with bomb in trunk of car. Was going to drive to LA Int'l Airport, put bomb in suitcase on luggage cart, set timer, & leave. Had fake ID in name of Benni Antoine Noris, which cleared computer. Caught by US Customs Agent Diana Dean, who thought he looked "hinky". (133-4)
Every security system requires trusted people to function. Guy who installs locks. Doctors with access to medical records. Police. Baggage screeners. (137)
Ron Harris: computer lab technician for Nevada Gaming Control Board. From 1992-1995, rigged slot machines so they would pay jackpots when certain sequence of coins was played. For ex.: 3 coins 1st pull, 1 coin 2nd pull, 2 coins 3rd pull, then jackpot! Large winnings aroused suspicion, so caught. (137-8)
Even automatic systems have trusted people: those who set them up, maintain them, & fix them when broken. (139)
3 ways to secure trusted people and/or machines (139-41):
- Put trustworthy people in positions of trust.
- Compartmentalization: give trusted people only the info & access they need to do their jobs.
- Defense in depth: give trusted people overlapping spheres of trust, so they watch each other.
Transitive trust: You trust Bob; & Bob trusts Steve. If you therefore trust Steve, trust is transitive. Brittle. Once someone is successfully inside an airport, all other airports trust them. If someone got a weapon inside the system, it could remain in the system, being moved around as needed, indefinitely. (141)
Koh-i-Noor diamond transported from Bombay to England in 1850. Diamond placed in iron chest. Iron chest double-locked & placed in larger double-locked chest. Each key held by different person. (142)
Why movie tickets in theaters? Why buy from one person & have ticket torn up by another? Limits trust in each person. If one person, you could get in free. With tickets, owners can count tickets to see how many people went in, & then count money in till to make sure they match. (143)
Social engineering: getting unwitting insider to help with an attack. (143)
1994: Frenchman named Anthony Zboralski calls FBI in Wash., DC, pretending to be FBI rep working at US embassy in Paris. Persuades person in DC to explain how to connect to FBI's phone-conferencing system. Runs up $250,000 phone bill in 7 months. (143-4)
Spy Magazine sent famous people checks for $1 to see who would deposit them. Many did, thus giving away their signatures. Or send a package requiring a signature & request a copy from FedEx. (144)
"Good people are expensive, and cheap people are unreliable." (145)
11: Detection Works Where Prevention Fails
Prevention is passive, working without anyone having to do anything. (147)
Prevention the hardest aspect of security to implement successfully, & often the most expensive. Best combined with detection & response. (148)
A safe rated as TL 30 can resist professional safecracker with tools for 30 min's. TL-TR 60 can resist safecracker with tools & acetylene torch for 60 min's. Safe therefore buys time, allowing alarms to sound & guards to come. Without detection & response, it doesn't matter what the safe's rating is. (149)
No tours & no visitors in Fort Knox, except once, in 1974, to prove that the site was not a hoax. (149)
Prevention + detection + response systems form a triad that together provide dynamic security, resilient failure, & defense in depth. (149-50)
Visible detection systems (this house protected by alarm, beware of dog) more effective against random attack than targeted attack. (151)
Random detection/response system takes place occasionally & isn't constant. Tickets checked randomly on MetroLink in St. Louis. (152)
Person on assembly line is to find bad widgets. Brain sees widgets going by, & soon they all look alike. Brain doesn't notice bad widget, so it slips by. (154)
During World Trade Center rescue, search dogs got depressed when they couldn't find bodies, so rescue personnel hid in rubble for dogs to "find". (154)
Most PINs for ATM cards are 4 digits, so 10,000 possible combinations. However, ATMs take cards after 3 failed PINs, so criminal can't try all of them. (155)
Audit: review data in order to catch attacks after the fact. Cheapest way to provide security, but must be auditable (good for fraud, bad for murder). Can act as prevention, if criminal knows he'll be caught. (156)
After 2000 Pres. elections, some said, "If we can protect e-commerce on the Net, we can protect elections." Wrong: commerce protected by auditing after the fact. Can't really do that with election. Secret vote. How can you disprove hacking the election if someone says they did it? (159)
Computers can make auditing difficult. Can't change or forge register tapes: printed sequentially on continuous paper (could do this, tho: block writing, simulate running out of ink, disable writing for single transaction, forge entire tape). Computer files can easily be altered or erased, however. (160)
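The notes contrast register tape, printed sequentially on continuous paper, with computer files that can be altered or erased without trace. Added illustration, not from the book: a hash-chained log gives a computer record the same sequential tamper-evidence, and shows why the last hash must be anchored somewhere the log writer cannot reach. The hash chain is a technique the notes do not discuss; the register entries are constructed.

```python
"""Tamper-evident audit log built as a hash chain.

Each record stores the hash of the record before it, so an altered, deleted or
inserted entry changes every hash after it, much as sequential printing on a
continuous register tape does. Added illustration; the hash chain is a
technique not discussed in the notes, and the transactions are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # the hash "before" the first record


def _record_hash(prev_hash, seq, entry):
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps({"prev": prev_hash, "seq": seq, "entry": entry},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(log, entry):
    """Append `entry` (any JSON-serialisable value) to `log`; return its record."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    record = {"seq": seq, "entry": entry, "prev": prev_hash,
              "hash": _record_hash(prev_hash, seq, entry)}
    log.append(record)
    return record


def verify(log, expected_head=None):
    """Check the whole chain.

    Returns (True, None) if every record links to its predecessor and hashes
    correctly, else (False, seq_of_first_bad_record). A chain by itself cannot
    show that records were cut off the end (the computer analogue of "disable
    writing for a single transaction"), so pass `expected_head`: the last hash
    as recorded somewhere the log writer cannot reach (printed, mailed,
    published). A head mismatch is reported at position len(log).
    """
    prev_hash = GENESIS
    for i, rec in enumerate(log):
        if (rec.get("seq") != i or rec.get("prev") != prev_hash
                or rec.get("hash") != _record_hash(prev_hash, i, rec.get("entry"))):
            return False, i
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None


def tamper(log, seq, new_entry):
    """Return a copy of `log` with record `seq`'s entry replaced; the original
    list is untouched. Used to show that the edit is detected."""
    copied = json.loads(json.dumps(log))
    copied[seq]["entry"] = new_entry
    return copied


def sample_log():
    """Constructed register entries for demonstration."""
    log = []
    for entry in [{"sale": 1, "amount": 12.50},
                  {"sale": 2, "amount": 8.00},
                  {"sale": 3, "amount": 40.00},
                  {"sale": 4, "amount": 3.25}]:
        append(log, entry)
    return log


if __name__ == "__main__":
    log = sample_log()
    head = log[-1]["hash"]  # imagine this printed and filed off-site
    print("intact:", verify(log, head))
    print("amount altered:", verify(tamper(log, 1, {"sale": 2, "amount": 0.80}), head))
    print("middle record removed:", verify(log[:1] + log[2:], head))
    print("last record cut, no anchor:", verify(log[:-1]))
    print("last record cut, anchored head:", verify(log[:-1], head))
```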
Predictions necessarily ineffective, since attacks are rare. You're preparing for something that rarely if ever comes. But if it makes people feel better … (161)
Data vastly different from information. FBI, CIA, & NSA had data before 9/11, but it wasn't information. (161)
Open source intelligence: collect intelligence without spying. Analyze public documents, translating data into information. (163)
12: Detection Is Useless Without Response
In Russia, thieves will shoot if you respond to a car alarm. As a result, car owners put bear traps under the gas pedal. (167)
5 kinds of response (168):
- Reaction: response directed against the attackers. Sometimes best to allow attackers to succeed a little bit, further commit themselves, & then employ defenses.
- Mitigation: response directed towards what is being defended. Further defending what is being defended. Aimed not at attacker, but at defender & assets. Assumes failure & attempts to minimize damage. Ex's: automatic sprinkler system, evacuation procedures, deactivate credit cards, iguana leaves tail behind with attacker, firefighters dig trenches & start backfires. Some overlap between reaction & mitigation. (170)
- Recovery: response after the fact. Rebuilding. Making better. Ensures system survives the attack. Mitigation after the attack is over. Ex's: backup of hard drive, lifeboats on ship. Sometimes recovery is easiest way to provide security. (171)
- Forensics: figuring out what happened & how, after the fact. Evidence collection & analysis. Identify attackers & bring them to justice. Better defend against attacks the next time. Forensics & recovery almost always in opposition: either clean up the mess or preserve the mess for evidence, but you can't do both. (172-3)
- Counterattack: attack the attacker.
Prisons exist for a combination of 4 reasons: revenge, removal, deterrence, & rehabilitation. (175)
Deterrence: how security systems prevent future attacks. The more unpleasant the punishment, the better the deterrent. If attackers think they won't get caught, tho, it doesn't matter how severe the punishment. Also, severe punishment may lead to the attacker thinking, "I might as well get hung for killing as for robbery". Deterrence not very effective against emotional attackers. (176)
13: Identification, Authentication, and Authorization
Barriers cannot be impenetrable: must keep attackers out, but must allow trusted people in. (181)
Token: authentication device that authorizes you. (182)
Three closely-related but differing concepts (182-3):
- Identification: Who are you? Most important security system humans have, & one we use every day, over and over. Do not confuse identification & authorization: knowing who someone is is not the same as knowing what they're allowed to do. (184)
- Authentication: Prove it.
- Authorization: Here is what you are allowed to do. Ex's: plate at an all-you-can-eat restaurant, postage stamps, tickets to movie.
Computer username identifies you, but password authenticates you. Passport name identifies you, but picture authenticates you. Credit card number identifies you, but signature authenticates you. (186)
3 ways to authenticate someone (186):
- Something he knows. Ex's: passwords, secret handshakes, PINs, lock combinations. (186)
- Something he has. Ex's: key, card. Of course, anyone can give this to anyone else. Authenticates someone as member of a group, not an individual. (186)
- Something he is. Biometrics.
In Hebrew, "shibboleth" means "ear of grain". Judges 12:1-6. Gileadites defeated Ephraimites in battle & set up blockade to slaughter fleeing Ephraimites. Asked every person to say "shibboleth". Gil's could pronounce the "sh", but Eph's could not, instead saying "s". (187)
Biometrics: may be a unique identifier, but not a secret. Leave fingerprints everywhere, & anyone can photograph your eye. (187)
Biometrics are an authentication tool, but often misused as identification tool. For authentication, biometrics answer "does this biometric belong to that person?" For identification, biometrics must answer "who is this? is this biometric anywhere in our database of other biometrics?" Cause of many active failures. Biometrics are OK for authentication but not for identification. (188-9, 203)
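The arithmetic behind two claims in these notes: that active failures (false alarms) dominate because attacks are rare (chapter 4), and that a biometric which is fine for 1:1 authentication becomes a source of false matches when used for 1:N identification against a database. Added Python illustration, not from the book; the detection rates, false-match rate and database sizes are constructed assumptions.

```python
"""Two base-rate effects behind active failures.

(1) When attacks are rare, even a good detector's alarms are mostly false.
(2) A biometric used for 1:N identification compares one sample against every
enrolled record, so the chance of a false match grows with database size; the
same biometric used for 1:1 authentication compares against one record.
Added illustration; all rates and sizes below are constructed, not from the
book."""


def alarm_breakdown(p_attack, detection_rate, false_alarm_rate, events):
    """Expected true alarms, false alarms, and the fraction of all alarms that
    are false, over `events` observations.

    p_attack: fraction of events that are real attacks (the base rate)
    detection_rate: P(alarm | attack); 1 - this is the passive-failure rate
    false_alarm_rate: P(alarm | benign event); the active-failure rate
    """
    attacks = events * p_attack
    benign = events - attacks
    true_alarms = attacks * detection_rate
    false_alarms = benign * false_alarm_rate
    total = true_alarms + false_alarms
    false_fraction = false_alarms / total if total else 0.0
    return true_alarms, false_alarms, false_fraction


def p_any_false_match(fmr, database_size):
    """Probability that a 1:N search for someone who is NOT enrolled returns
    at least one (wrong) match, treating each comparison as independent with
    per-comparison false match rate `fmr`. database_size=1 is the 1:1 case."""
    return 1.0 - (1.0 - fmr) ** database_size


def expected_false_matches(fmr, database_size):
    """Expected number of wrong records a 1:N search returns."""
    return fmr * database_size


if __name__ == "__main__":
    # One attack per thousand events, 99% detection, 1% false alarms:
    # the detector is good, yet roughly nine alarms in ten are false.
    true_a, false_a, frac = alarm_breakdown(0.001, 0.99, 0.01, 1_000_000)
    print(f"true alarms {true_a:.0f}, false alarms {false_a:.0f}, "
          f"{frac:.0%} of alarms are false")
    fmr = 1e-4  # one false match per 10,000 comparisons (constructed)
    for n in (1, 1_000, 100_000, 1_000_000):
        print(f"N={n:>9}: P(some false match)={p_any_false_match(fmr, n):.3f}, "
              f"expected false matches={expected_false_matches(fmr, n):.1f}")
```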
Questions for creating secure authentication system (191):
- Where is the authentication stored? By those getting authenticated, or doing the authentication? (the latter is more secure).
- Is authentication being done remotely?
For biometrics to work, verifier must establish (a) biometric matches the master biometric on file, and (b) biometric came from person at time of verification. Without verifying both, system is insecure. (192)
Token expiration requires procedures for enrollment & revocation. Security system only as secure as enrollment & revocation systems. (192-3)
All tokens must themselves be authenticated. (195)
In 1995, 25 people arrested in Las Vegas & Atlantic City for passing $1 million in $50 & $100 bills, printed on Tektronix Model 540 color laser printer. Slot machines accepted bills. Prostitute received $300 & complained. Casino detected counterfeits, & police waited for counterfeiters to return to gamble again at same casino. (195-6)
Driver's licenses with photos were introduced in New South Wales, Australia & were supposedly unforgeable. A month later, someone broke into the Motor Registry office & stole the machine that made them, along with 1000s of blanks. Oops. (196)
In 1614, phony Don Quixote novel appeared, supposedly written by Cervantes. Cervantes then included some of the phony characters & events in his sequel. (197)
Map companies add fake towns & hills; if someone copies the map, fake data included. Phone books & mailing lists include fake listings; if someone copies the data, fakes are included. In essence, a data watermark. (198)
18 March 1990: 2 men entered Isabella Stewart Gardner Museum in Boston disguised as police. Duped guards & tied them up. Stole 12 paintings by Rembrandt, Vermeer, Manet, & Degas valued at $300 million. Art is still missing & crime is unsolved. (199)
False flag recruitment: Spies from one country recruit someone, claiming to be actually from another country. Russian spy might claim to be from France. (199-200)
In 1975, Stephen Holcomb walks into Traverse City, Michigan bank with German 100,000-mark note, printed in 1923. Foreign exchange teller cashes note for $39,700. Note was actually worthless. Example of the "I'm sorry" attack. (200)
14: All Countermeasures Have Some Value, But No Countermeasure Is Perfect
Berlin Wall had these defenses (207-8):
- 302 watchtowers, with armed guards
- 12-foot-tall concrete wall
- field of steel stakes
- barbed wire
- 20 bunkers
- leashed guard dogs
- mined sand
- ditch 10 to 16 feet deep
- electric fence with alarms
- barren land: the Death Strip
- concrete wall 13 feet high (what people on the West saw)
Types of countermeasures:
- Running away: must be faster, able to run longer, or more clever than pursuers. (208)
- Hiding: works best when there are lots of places to hide. Invisibility is type of hiding. Hiding in plain sight is form of invisibility. Hiding fails when it doesn't take attacker into account: what works for a human may not work for a dog, & vice-versa. Attackers can use hiding as well: the Trojan Horse. (209-10)
- Fighting back. (210)
- Diversions: primarily an attacker's tactic, designed to make security system's detection & response ineffective. Can be used by defense too. (211)
- Deception (213)
- Security seals: won't prevent someone from breaking in, but will provide undeniable evidence that someone has tampered with it. Only as good as the verification. Without auditing, ineffective. (215, 217)
- Replication: doesn't prevent data from getting lost or stolen, but does protect you from losing the data. 2 types of replication in nature: 1. produce many offspring & don't nurture them, & 2. produce few offspring & nurture them. Downside of replication: less secure against theft, because now must secure more copies. (217-8)
- Security notice: warns of existence of defensive countermeasure. Not necessary to have actual countermeasure in place to get deterrence: fake home alarm systems, beware of dog signs without owning a dog, fake videocameras. These are free riders: get the benefit without having to pay for it. Effectiveness of free rider's deterrence depends on quality of the fake. If bad, it doesn't work & may encourage attacks. Free riders can benefit without even realizing it: if criminals think lots of people have LoJack on their cars, car theft may decrease across the board. (218-9)
- Retaliation threat. (220)
- Being distasteful: making target of attack less attractive to attacker. In Disneyland, tie a soiled diaper onto your baby stroller so it won't be stolen. Spit on your food in the cafeteria. (220-1)
- Benefit denial: make the thing less useful so it won't get stolen. Car stereo with face plate. Anti-theft tags on clothes that burst if cut, putting dye on clothes. (221)
- Don't be a target: some are targets because of who they are (tobacco co's, military) or what they do (flash large sums of money). (222-3)
- Protocol: steps that some trusted person carries out to enforce security rules. Some protocols automatically enforce fairness: coin flips, cut-and-choose (you cut the pie, I choose the slice first) (224-5)
- Procedures: Steps carried out by trusted people after an attack or security event occurs. Protocols are carried out every day; procedures only occur when something bad happens. Cannot do mitigation & recovery with procedures. (226)
- Trusted third parties: trusted people not directly involved in interaction. Banks are trusted 3rd party between merchants & customers. (224)
- Testing. As system gets more complicated, harder & harder to test. (228-9)
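Added example (not from the book): the coin-flip protocol above, made fair with a hash commitment. Alice commits to her bit before seeing Bob's; Bob picks his bit knowing only the commitment; the outcome is the XOR of both bits, so neither side can steer it, and an attempt by Alice to reopen her commitment as a different bit is detected rather than trusted.

```python
import hashlib
import secrets

# Constructed two-party fair coin flip (example code, not from the book).
# Fairness is enforced by the protocol itself, not by a trusted referee.


def commit(bit: int, nonce: bytes) -> str:
    """Hash commitment to one bit; the random nonce hides the bit's value."""
    if bit not in (0, 1):
        raise ValueError("bit must be 0 or 1")
    return hashlib.sha256(nonce + bytes([bit])).hexdigest()


def alice_commit():
    """Step 1: Alice picks a bit, sends only the commitment, keeps the opening."""
    nonce = secrets.token_bytes(16)
    bit = secrets.randbelow(2)
    return commit(bit, nonce), (bit, nonce)


def bob_choose() -> int:
    """Step 2: Bob picks his bit after seeing the commitment but not the bit."""
    return secrets.randbelow(2)


def verify_and_resolve(commitment: str, bob_bit: int, alice_bit: int, alice_nonce: bytes) -> int:
    """Step 3: Alice opens her commitment; Bob checks it before accepting the result.

    A mismatch means Alice changed her bit after seeing Bob's choice, so the
    protocol aborts instead of letting her pick the outcome.
    """
    if commit(alice_bit, alice_nonce) != commitment:
        raise ValueError("commitment mismatch: opened bit does not match commitment")
    return alice_bit ^ bob_bit


def fair_coin_flip() -> int:
    """Run the whole exchange honestly and return the agreed coin (0 or 1)."""
    commitment, opening = alice_commit()
    bob_bit = bob_choose()
    return verify_and_resolve(commitment, bob_bit, *opening)
```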
Cullinan Diamond was largest uncut diamond ever discovered: 3,106 carats & 1.5 lbs. Extracted at Premier Mine near Pretoria, South Africa in 1905. Transvaal gov't bought diamond as gift for King Edward VII, so had to transport it to England. How? Detectives sent from London to guard it. News leaked that a steamer was carrying the diamond, & the detectives were on the steamer. Diamond on the steamer was fake. In reality, the Cullinan was packed in a small box with a three-shilling stamp on it, and mailed to England anonymously by parcel post. When it was time to cut the diamond in Amsterdam, the British Royal Navy escorted an empty box, while diamond cutter Abraham Asscher carried it in his pocket via train & night ferry. (211-2)
Opossum plays dead: lies still, hardly breathes, & smells bad. Most of possum's predators don't eat dead things. (214)
In 1800s, rural banks installed a decoy safe in obvious location to fool robbers. (214-5)
Honeypot: decoy computer network designed to be found 1st by attacker, luring attacker away from real network/servers. (215)
Flaps and seals experts: At CIA, someone who can open someone's mail, get info, & reseal it so no one knows. (216)
828: group of Venetian merchants stole body of Saint Mark from his tomb in Alexandria. To get body past Muslim customs, they covered body with pork. Mosaic outside walls of Basilica di San Marco in Venice shows inspectors recoiling from pork. (220-1)
Nuns disfigured own faces so barbarians wouldn't rape them. (221)
In NYC subways, light bulbs have left-hand threads so they don't fit normal sockets, rendering them useless to steal. (221)
Tokyo purposely designed to be hard to navigate. Streets mostly unnamed. Addresses formed from district, zone, block, & house. Nothing numbered consecutively; houses numbered by construction order. System ordered by Edo shogun Tokugawa to create defensive maze around palace. (222)
West Germany had plans in place to remove all street and road signs if Soviets invaded. (222)
Adelie penguins: what they eat & what eats them is in the ocean. All bunch on shore, no one willing to jump in, all pushing each other, until one finally jumps in or is pushed. Then all jump in at same time. (223)
Protocols work if people know & respect them. In Inca cities, a horizontal pole across a doorway signified an uncrossable barrier. (226)
In 1998, Denny's chain closed restaurants for Christmas for 1st time in 35 yrs. Problem: since stores open 24/7, many did not have locks on the doors! (229-30)
15: Fighting Terrorism
1984: followers of Bhagwan Shree Rajneesh infected restaurant salad bars in Oregon with salmonella. 751 were injured. (234)
Timothy McVeigh's bomb in 1995 that killed 196 was made of ammonium nitrate fertilizer & standard fuel oil. Combo used so commonly that law enforcement calls it ANFO. (237)
Cyberterrorism is misnamed. Terrorism causes terror; when email is down, it's annoyance. (237)
16: Negotiating for Security
After 9/11, gov't wanted to ban laptops, but airlines complained that it would drive away business travellers. Gov't wanted to ban matches & lighters, but tobacco co's complained. (262)
Lawrence Lessig identified 4 environmental constraints on behavior (263-5):
- Market forces.
- Technology, what Lessig calls "architecture".
- Societal norms.
17: Security Demystified
"You can't win. You can't break even. You can't get out of the game." (272)
3 categories of information:
- things we know
- things we don't know
- things we don't know that we don't know
Real security requires people to understand attackers, attacks, countermeasures, rules, procedures, systems, & agendas of all players. (276)
Secrecy bad for security for 3 reasons (279):
- Causes additional security problems because it conceals abuse.
- Prevents you from having information you need to make knowledgeable trade-offs.
Malcolm X: To scare burglars, keep bathroom light on all night. "The bathroom is the one place where somebody could be, for any length of time, at any time of the night, and he would be likely to hear the slightest strange sound." (281)