Guarding Against Idiocy (2 of 2)

(Part 2 of 2)

A few days ago I posted Guarding Against the Inside Job which was the first half of this thought — today’s post is part 2 — the fun one: Idiocy! Many of you already know that this name resembles that of one of my favorite movies. Need a hint?

Idiocy

Yep, Idiocy and Idiocracy are pretty close but they essentially mean the same thing: people doing really dumb things. This is the fun one, not just because of the name, but because we have all seen it and perhaps even fallen for it a time or two. This is where someone within the company just does something that’s dumb and, by doing it, opens the door for an outsider — a real “hacker” — to come in and have his way with the company computer system.

Let me start by asking you this simple question:

Have you ever heard of Stuxnet?

It is only the first known militarized use of a computer worm — the most advanced and sophisticated computer worm the world has ever seen. This is the one that took out Iran’s nuclear centrifuges. Now do you remember?

What is even more interesting about Stuxnet is, despite all of its sophistication, it couldn’t get into Iran’s nuclear facility on its own — it needed some help. By most accounts it found it in the form of a USB stick that someone working in the facility brought in and plugged into a computer in the facility. That was all of the help Stuxnet needed and it took care of the rest itself. If you want to read more about this, check out Hamish Barwick’s (@HamishBarwick) fascinating article Nuclear warheads could be next Stuxnet target — it is guaranteed to send a chill down your spine!

The point about the USB stick should send chills down the spine of every company out there as well. Do you want to take a guess at how much this happens at your company?

If you haven’t done a study to find out, that’s ok, you’re in luck. The United States Department of Homeland Security did one for you to find out how hard it is to corrupt workers and gain access to organizations’ computer systems. This is all explained in an article written by Cliff Edwards (cedwards28@bloomberg.net), Olga Kharif (okharif@bloomberg.net), and Michael Riley(michaelriley@bloomberg.net) in Bloomberg entitled Human Errors Fuel Hacking as Test Shows Nothing Stops Idiocy in which the authors provide a quote from Mark Rasch that sums it all up nicely:

“There’s no device known to mankind that will prevent people from being idiots”

In the article the authors explain the test by which computer disks and USB thumb drives were secretly dropped in the parking lots of government buildings and private contractors. Of those that were picked them up, 60 percent were plugged into office computers and if they had an official logo, 90 percent were installed.

You really need to read the extensive and very informative article. The ultimate finding was that human error alone can essentially nullify all of the expensive security systems your company has in place; humans are the weak link in the fight to secure networks against hackers.

From everything we have seen so far, that is indeed the case. So the question you have to ask yourself is, “are your people as well prepared as your network?”

9 thoughts on “Guarding Against Idiocy (2 of 2)

  1. Wow what a great article and whoever took that photo of you did a really great job! Looks like you are getting ready for your birthday in a couple days. So guess I will say it early – “Happy birthday you popcorn eating dude, you!!” LOL

    Seriously, I enjoyed the articles but just couldn’t resist the temptation to mess with you a little.

    Bob Wieters
    myrestartyl.com

  2. Oh, I am SO glad I was out of the workforce (not by my own choice) before USB sticks came in! We had enough problems with idiots bringing garbage on 3 1/2 inch floppies! Then you had the “malicious but well-meaning” idiot – a coworker wanted to play games, but there were no software-based sound controls (a 1988-model of PC). So the guy unplugged the speaker. Problem was, on the same circuit was the rechargeable battery that kept the RAM “warm” – including all the special boot-up and security info the company used. The battery discharged over time, and one morning, the guy tried to fire up his computer and it crashed a la Hindenburg. Took the support staff hours to fix the thing!
    And never discount outside idiocy. We once lost ALL contact with a computer center in Dallas (our company was in Chicago). A couple hours of frantic but failed communications attempts finally answered our question. Some redneck was shooting at a squirrel, and nailed the main overhead cable bundle going into the building – power, data, phone, and everything!
    Remember these two key things – Murphy was an optimist, and anything idiot-proofed only requires an idiot to fail.
    And Happy Birthday, whenever that is. You’re not getting older, the know-it-all punks are getting younger. ;)

    • John, your stories are awesome! Man, I can’t imagine something like that happening with the RAM warmer! The squirrel hunter, however, takes the cake — I’m still laughing about that one!

      Thank you buddy — I’m turning 42 tomorrow and finally getting a meddlesome wisdom tooth pulled to celebrate — should make for a fun day, depending upon what kind of sense of humor the doctor has!

  3. Just make sure the anesthesia they use (general or local) is something you’ve had before. I was knocked out to get all 4 wisdom teeth removed, only to have an allergic reaction and wake up, groggy and unable to open my eyes, with a mouthful of blood.
    Uh-oh – I should’ve made sure you had dinner BEFORE I mentioned that. Not exactly an appetizing story.
    I don’t think I’ve mentioned my high school experience with a Digital Equipmnent PDP-8E minicomputer. If I haven’t, I’ll tell you the story of a friend of mine and I creating a “NORAD simulator”. Great fun! (If I did tell you the story, please forgive my sieve-like memory! :D )

  4. Well, not quite like WarGames, though we were about 4 years ahead of the movie. (Yes, I am an old fart!)
    Our high school had an old PDP-8E mini with 3 Teletype 33 terminals – the old beasts with the IBM Selectric-style “typeball” and the 8-bit paper tape. They made a HORRIFIC racket, and since you could pass an ASCII code to ring the bell (a real honest-to-God metal bell), you could make them even noisier. Add to the fact the terminals were inside a little concrete-walled enclosure about 9′ x 9′, with closed windows and a self-closing door.
    Now the Teletype terminals had a a switch for Offline and Online. The teachers taught that you were supposed to flip the switch from Online to Offline (thus halting any programs) then back to Online, then you typed “NEW” to kill off any code. Teenagers being lazy creatures, hardly any of them did that.
    So a friend of mine and I sat down and wrote a BASIC program that made the terminal act just like normal. It would even store anything the user typed in, and list it out on a “LIST” command. Everything seemed perfectly normal, until the unwitting dupe would type “RUN” to execute. At that point, we triggered both the paper tape reader AND writer, repeatedly rang the bell, made the typeball bounce, and then proceeded to print out some message along the lines of “YOU HAVE ILLEGALLY ENTERED NORAD MISSILE COMMAND. ALL MISSILES WILL BE LAUNCHED IN 30 SECONDS UNLESS PASSWORD ITS ENTERED. ENTER PASSWORD:”.
    Of course, only a special command would stop this. We even had a countdown clock start typing out. We had more panicked kids run out of the room screaming bloody murder! The teacher in charge of the computer quickly hunted us down, and we got a royal chewing out – though he never punished us, I think because he used us as an object lesson of why clearing memory was so important! :D
    Yeah, if I’d applied myself in high school, I probably could’ve made valedictorian. But I was having too much fun! ;)

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s