In a continuation of my suite on threat modeling, this post will address email threat modeling specifically. Selecting an email provider (or set of email providers) can be difficult if privacy and security are your chief concerns. Gmail is abysmal when it comes to privacy, but even paid providers struggle to match its security. Selecting an email provider for sensitive communications should be done based on your threat model(s), and you may end up maintaining several accounts for different purposes. It is my hope that these threat models will provide some clarity into what threat(s) each email provider defends you against. I also hope this helps you choose a setup that you are comfortable with. Continue reading “Email Threat Models”
There are several Operational Security “commandments” lists on the internet. Some of them are quite good, but being me, I wanted to write my own set of Ten OPSEC Principles. The OPSEC principles here are designed to avoid compromise (“getting caught”) and to minimize the damage when you inevitably do get caught. The consequence of compromise varies based on your operational activities. To drug dealers or other members of criminal networks, compromise means prosecution and jail time. For spies and intelligence operatives, or military special operations types, compromise means some combination of blowing an operation, being arrested or declared persona non grata, getting killed, or getting an informant arrested or killed.
A couple of weeks ago I posted my introduction to threat modeling. Several times in that post I mentioned the concept of profile elevation, and it will certainly be coming up more as I flesh out my thoughts on threat modeling. It has occurred to me that this topic should be explored more fully. Profile elevation is a fairly intuitive concept. For our purposes we can describe it as† “the generally-undesirable condition of:
- becoming more visible to one’s adversary, and/or
- becoming more interesting to one’s adversary.”
Being more visible and/or more interesting to your adversary is a bad thing in nearly any adversarial situation (Murphy’s Laws of Combat: Try to look unimportant, the enemy may be low on ammunition). If you are highly visible to an adversary, your movements, whether online or in the real world, are easier to track. If you are interesting to your adversary, he or she will be willing to invest time and money to pursue you, digitally or physically. Targeted surveillance costs time and money, and most adversaries will be limited in some capacity on each. In the digital collection realm this limitation is often one of analytical or language capabilities; paying competent analysts and linguists is expensive. Fitting their findings into a bigger picture is also difficult unless you have elevated your profile to the point of being interesting.
In the “tactical” community, profile elevation avoidance is referred to as being a “grey man”. If your personal threat model(s) warrant it, you should strive to be digitally grey. That is, blend with the herd and be generally uninteresting to avoid becoming a target. Once your adversary has become focused on you and your activities, defeating him or her can become extremely difficult in the short to mid-term, and next-to-impossible in the long term. As I mentioned in my threat modeling post, the best way to do this is to select mitigations that are in accordance with your perceived threat model.
The next two articles in my threat modeling suite will specifically cover threat modeling for different encrypted email options and for virtual private networks.
†This is my made-up definition. If you think it needs improvement, let me know.
I have previously written about categorizing attackers based on their levels of skill and focus. I have also written about categorizing security measures to defeat attackers with a given level of skill or focus. Both of these posts tie in closely with (and were early attempts at) a topic that I want to explore more fully in coming months: threat modeling. Threat modeling is the examination of two things as they relate to each other: an adversary and a security measure. The effectiveness of the security measure is weighed against the skill and capabilities, focus, and time available to the attacker. Threat modeling allows you to understand what you “look like” to your opposition, understand his or her capabilities, and select effective mitigations. Continue reading “Threat Modeling: An Introduction”
This week has been awash in coverage of a federal court ordering Apple to unlock an iPhone 5c used in the San Bernardino shooting. This story began for me when I awoke Tuesday at 5 a.m. EST to half a dozen text messages linking me to Tim Cook’s “A Message to Our Customers.” I have had almost a week to digest the letter, follow the story, and reach some conclusions. My thoughts and observations on the “Apple vs. FBI” debate are listed below.
- The FBI has chosen to use this issue to paint encryption in an unfavorable light. This single issue has advanced the government’s position that encryption is a tool for terrorists and criminals. James Comey (the Director of the FBI) has long been an outspoken advocate for encryption “backdoors” and “front doors” but until now has had few concrete examples to sell the public on such mechanisms. This is the chance they have been waiting for.
- There is probably very little to find on the phone in the first place. I talked about why I believe this a couple of weeks ago in a podcast interview; it basically boils down to this: there isn’t much to find on the phone that can’t be gotten elsewhere. Jonathan Zdziarski posted an even more thoughtful list of reasons this device probably doesn’t contain anything of real intelligence value.
- This is an opportunity for the FBI to put Apple in the unenviable position of looking unreasonable and uncooperative. It’s just one phone, and they were terrorists, after all. The problem, as Apple points out, is that it creates a dangerous precedent. We have consistently seen mission creep with other laws and technologies that were designed for use in very isolated instances but have been used to pursue an increasing number of lesser crimes.
- The FBI is essentially conscripting Apple software engineers to write code for the government’s use. This should be alarming to any business owner. If the federal government can compel a company like Apple to write code (or do any work, really) without pay and against its objections, it can do so to anyone. Apple, it should be pointed out, was only recently overtaken by Google as the world’s most valuable brand.
- Apple has its own set of motivations for defying the judge’s order to open the device. This has been pointed out vociferously. My own opinion is that regardless of why Apple is taking a pro-privacy stance, they are. The market wants privacy, and Apple fills the void. Apple is not a non-profit, not a humanitarian or philanthropic organization, and it is not the EFF. Very few for-profit companies are filling this void, so my money will go to the one who is.
- An interesting article arose out of this controversy that backs up my call for longer, stronger passcodes on your iOS devices.
- Encryption works.
This has certainly been an interesting week, and there are certainly more to come.
In an age of almost weekly hacks on various multinational corporations, banks, Hollywood movie studios, and government agencies—each more brazen or damaging than the last—it’s no surprise that a spate of books on the subject has hit the market in recent months. After all, those hacks, along with the countless others that go unrecorded every day around the world, affect us all in one way or another.
Future Crimes: Everything is Connected, Everyone is Vulnerable, and What We Can Do About It, by Marc Goodman is one of those books that addresses the growing chasm between our Internet-woven lives and the security necessary to protect us from the people who would exploit our reliance on it.
And it’s an eye-opener. Goodman, a former police officer, current cyber security expert and founder of the Future Crimes Institute, makes his living studying cyber threats and the people and organizations who perpetuate them. He’s one of the leading experts in the field, having worked with the FBI and Interpol, among others. Given his credentials, Future Crimes is exactly what you might expect it to be: a well-researched tome of extremely detailed case studies covering everything from hacks and cyber attacks committed against private individuals and organizations to the methods used to gain access to some of the most protected security systems in the world.
As it turns out, according to Goodman, hacking is no longer solely relegated to the realm of lone teenagers working out of their parents’ basements. Instead, hacking has become a multi-billion dollar industry, with operations as sophisticated and well-funded as some of their targets. Singletons, terrorists, organized crime syndicates, state-sponsored hackers, and “hacktivists” (groups of hackers who do what they do for what they perceive to be good causes) all have staked a claim in the digital gold mine that is the Internet. They work full-time, attempting—and usually succeeding—to access and steal data that can be used to turn a profit or, in some cases, wreak unimaginable havoc.
In one of his more eye-opening chapters, Goodman discusses how terrorist groups have upped their game when it comes to harnessing technology to achieve their goals. Describing in minute detail how the terrorists in the 2008 Mumbai attacks used Google Earth, BlackBerrys, and real-time social media updates to plan and conduct their attacks (the same technology we use to plan a date), Goodman lays bare the terrorists’ tactics, techniques and procedures. The actual operatives on the ground, he writes, had constant, direct communications with an operations center in Pakistan staffed by commanders who were watching events unfold on major news networks, allowing them to monitor their operatives’ progress and the Indian government’s response.
Goodman also discusses the darker side of the internet, or the Dark Net, a digital underworld built specifically for illicit use that most of us don’t know even exists. He tells the story of Silk Road, the “eBay of drugs and vice,” where, if you’re savvy enough to gain access and speak the language, you can hire assassins, buy or sell child pornography freely and without fear of law enforcement interference, and even trade in human organs.
Setting aside the more nefarious aspects of the cyber world to discuss the legitimate, day-to-day aspects of the Internet doesn’t do the reader’s nerves any good. Future Crimes also details the easy and legitimate access we all either freely give away or inadvertently leak to data brokers every time we use our computers or smart phones. The staggering net worth of this raw data—ages, genders, browsing habits, sexual preferences, medical conditions, personal networks and the like—collected about tens of millions of people around the world, every day, climbs into tens of billions of dollars each year. This information is not only attractive to criminals, but to legitimate companies “across all industries, whether retail, transportation, or pharmaceuticals” as well. The World Economic Forum regards our personal data as “the new oil” when it comes to overall value.
Despite being well-written, Future Crimes is a veritable train wreck of a book, brutal in its detail, with case studies piling on top of each other like so many derailed freight cars. The never-ending string of crimes related in the book becomes so mind-numbingly messy that it eventually exhausts the reader. This, unfortunately, begins around the halfway point and dilutes the overall effectiveness of the message Goodman is trying to impart. He knows the ultimate effect his book will have on the reader, though, stating in the prologue that “if you proceed in reading the pages that follow, you will never look at your car, smart phone, or vacuum cleaner the same way again.”
While heavy on the “crimes” portion of the world in which we now live, Future Crimes unfortunately offers very little in the way of solutions for the current state of affairs. The few fixes under our control are consigned to a short appendix at the end of the book that Goodman promises, if followed, can help the reader avoid 85 percent of current threats. Beyond that, though, it’s apparent that our inexorable link to all things digital now and forever makes being hacked just a matter of time.
If you’re interested in security, cyber security, or how the details of your life can be probed, stolen or affected by accessing the Internet, this book is a must-read. If you’d rather not know, exactly, how almost every pixel of your online existence is accessed, mined, and sold or stolen over and over again, take a pass.
FUTURE CRIMES: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It
By Marc Goodman
Anchor Books, 512 pp.
Thom Nezbeda is a journalist focusing on global conflict, crisis, and security issues. He writes about Middle Eastern and European affairs, military affairs, counterterrorism, national security, the growing refugee crisis, and religious persecution. A former on-air radio personality and general assignment reporter after college, Thom put his journalism career on hold to join the military, where he spent nine-and-a-half years as a Marine Corps Infantry Squad Leader and team leader in the Army, with combat tours to Iraq and Afghanistan. He is a graduate of the Defense Language Institute’s Arabic Basic Course, speaks French, and has extensive experience in Europe and the Middle East. Thom has written for The Georgia Guardian, Blue Force Tracker, The CP Journal, and The Soufan Group among others. For more information or to follow Thom visit http://www.thomnezbeda.com/.
On this site I talk about a number of different security measures. Just as in my discussion of attacks and attackers, it is important to have a firm understanding of security measures and exactly what type of security each provides. Though many, including me, view an alarm as a serious security upgrade, it is important to realize that it does not actually make your home more difficult to get into. An alarm is merely a detective security measure; that is, it makes your home more difficult to get into undetected. There are three categories of security measures: deterring, delaying, and detective. Alternatively these categories can be thought of as “before” (deterring), “during” (delaying), and “after” (detective) security measures, based on the stage of an attack they are intended to address.
Category I: Deterring Measures. Deterrents are those security measures that play a role before the attack is even attempted (i.e. during the reconnaissance phase of an organized attack). Deterring security measures discourage the attacker from even attempting the breach by making him or her weigh your defenses against the risk of compromise and his or her own ability. Security measures in this category include signs or stickers indicating the presence of an alarm or a dog, visible security cameras, motion lights, and routine police patrols.
Deterring security measures are difficult to quantify in the digital security realm, but they exist. A password prompt for a full-disk encrypted computer may serve as a deterrent to an attacker, as may a passcode on a smartphone.
Category II: Delaying Measures. Delaying devices are those devices that play a role during the breach attempt. Locks cannot make your home impossible to get into, but they can make the task take an unacceptably long time especially if the attack is intended to go undetected. Items in this category include locks, fences, anti-shatter window film, etc., all of which are intended to slow an attacker’s progress during the breach. In some cases delaying devices may exceed an attacker’s skill level and force him to move on to an easier target.
Delaying measures are the ones the average user primarily employs on the digital perimeter. These measures include strong encryption of data-at-rest using file-level and full-disk encryption on computers, encryption of data-in-transit using HTTPS and a VPN and ensuring your Wi-Fi is encrypted, and the use of good, strong passwords.
Category III: Detective Measures. Detective security devices are the “after” measures, the ones that alert you that a breach is in progress or has already occurred or been attempted. Devices in this category include intrusion detection systems (alarms) and surveillance cameras. The presence of these types of devices may have the added benefit of serving as Category I security measures, but this is generally not their primary purpose. In addition to alerting us to the breach or breach attempt, Category III security measures can also capture images of the attacker, alert police or security, and, if overt, place severe limitations on the amount of time an attacker is willing to spend “on target”. A good example of a Category III measure in the digital world is event logs.
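Event logs only function as a detective measure when something actually reads them and raises an alert. As an added example (not code from the original post), the Python below parses a handful of constructed sshd-style auth log lines and produces two after-the-fact alerts: a burst of failed logins from one address inside a short window, and a successful login from an address that had just been failing. The log lines, host name, user names, addresses, the 2024 year assumed for the syslog timestamps, and the four-failures-in-sixty-seconds threshold are all made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines; host, users and addresses are made up.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50213 ssh2
Mar  1 10:00:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
Mar  1 10:00:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 50215 ssh2
Mar  1 10:00:06 host sshd[1204]: Failed password for root from 203.0.113.5 port 50216 ssh2
Mar  1 10:00:07 host sshd[1205]: Failed password for root from 203.0.113.5 port 50217 ssh2
Mar  1 10:00:09 host sshd[1206]: Accepted publickey for alice from 198.51.100.7 port 41000 ssh2
Mar  1 10:05:00 host sshd[1207]: Failed password for bob from 198.51.100.9 port 41001 ssh2
Mar  1 10:05:30 host sshd[1208]: Accepted password for bob from 198.51.100.9 port 41002 ssh2
"""

# Matches the "Failed ... for" / "Accepted ... for" lines sshd writes; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we do not care about."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the caller supplies one (2024 assumed here).
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def _prune(times, now, window):
    """Drop failure timestamps that have fallen outside the detection window."""
    while times and now - times[0] > window:
        times.pop(0)


def detect(log_text, threshold=4, window=timedelta(seconds=60)):
    """Scan log text and return after-the-fact alerts, in log order.

    Two patterns are flagged:
      ("burst", ip, count)                 - `threshold` failures from one address inside `window`
      ("success_after_failures", ip, user) - an accepted login from an address with recent failures
    """
    recent_failures = defaultdict(list)  # ip -> timestamps of failures still inside the window
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        times = recent_failures[ev["ip"]]
        _prune(times, ev["ts"], window)
        if ev["outcome"] == "Failed":
            times.append(ev["ts"])
            if len(times) == threshold:  # alert once, when the threshold is first reached
                alerts.append(("burst", ev["ip"], threshold))
        elif times:
            alerts.append(("success_after_failures", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run on the sample, it reports one burst from 203.0.113.5 and one suspicious success for bob. Neither alert stops anything; like an alarm, this only shortens the time between the attempt and your knowing about it, which is exactly the Category III role.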
There is some degree of overlap in these categories and you should understand exactly what benefits a given security measure provides when considering your perimeter. A high security lock is a good example of a security measure serving in multiple categories. The lock is certainly primarily intended as a Category II security measure. Because of the novel mechanisms and tight manufacturing tolerances common to high security locks it would be extremely difficult to pick or otherwise defeat covertly, delaying the attack and forcing the attacker to spend a great deal of time exposed during this process. This simple fact alone may also place it in Category I. An intruder who notices the lock may decide it is simply too difficult to defeat (and wonder what other security measures you have) and move on. On the other hand, if the attacker is sufficiently determined to enter your home, he may make the decision to simply kick in the door or break a window. This would place the lock indirectly into Category III, as you would immediately notice a kicked-in door or broken window and know someone had been in your home. This is the chief comfort I derive from the high security locks I use: while I fully realize that a burglar could smash a window, I know with a reasonable degree of certainty that no one (except possibly a Level IV attacker) can enter my home without my knowledge.
Types of Attacks, Types of Attackers
In previous posts I have referenced two different types of attacks: opportunistic and focused. These categories apply to attacks of all kinds, physical and digital, and understanding them is important to fully understanding how to defend against them. This post will attempt to define these two types of attack and the attackers that may carry out each. Please note that these are my own definitions and should not be considered “official”.
Types of Attacks
The types of attacks one may face fall into one of the following two categories: opportunistic and focused (or targeted). These two descriptions exist at far ends of a spectrum; every attack will fall somewhere between the two.
The Opportunistic Attack: This type of attack is most common, and is not directed at you personally. Though it may feel extremely personal, especially if the attack is violent in nature, the attack is merely one of opportunity. I considered also categorizing the opportunistic attack as “random”. This attack is not truly random, however. The attacker has made an assessment (perhaps an extremely inaccurate one, perhaps not) that you or your belongings are vulnerable and upon this assessment has made a decision to attack. We can almost entirely avoid this type of attack by being a hard target. Doing so will encourage the opportunistic attacker to move on to a softer target.
The Focused/Targeted Attack: This type of attack is carried out specifically against you and is much more difficult to defend against. The focused/targeted attack will be characterized by a lengthy planning and reconnaissance period, during which time you may be under surveillance, have your perimeter probed, and test runs may occur. The true danger with a focused attack is the willingness of the attacker to adapt his or her methodology to bypass your countermeasures. The best defense against a focused, targeted attack is vigilance and a comprehensive defense-in-depth.
Types of Attackers
Attackers themselves are slightly more nuanced. Categorizing attackers requires attention to two specific attributes: skill level and focus (how interested the attacker is in you specifically). The combination of the two will vary, and will define the attack. The least capable attackers will lack both skill and focus, while the most capable will have ample levels of both.
Level I: An attacker at this level will possess minimal skill, minimal knowledge of his or her target, and little to no focus on a specific target. Examples of this attacker include the kid who is sniffing unsecured Wi-Fi hotspots, the guy who hopes to shoulder-surf your PIN at the ATM, or the smash-and-grab thief who notices there is no car in your driveway and all your lights are off. Defeating this category of attacker is relatively easy: make yourself a hard target by using common sense security measures. An attack by a person at this level will be an opportunistic attack.
Level II: A Level II attacker will possess either some degree of skill or some personal knowledge of you. Examples include an accomplished, skilled burglar who has cased your home or an ex-boyfriend/girlfriend who is out for revenge and has personal knowledge of you but little skill. An attack originating from someone in this category has a higher likelihood of success than an attack from a Level I attacker, and may be opportunistic or targeted/focused. Further, an attacker in this category may be easily dissuaded when encountering a significant obstacle.
Level III: Level III attackers are characterized by a combination of a decent skill level and either personal knowledge of you or the skill and patience to acquire that knowledge. Examples of this type of attacker include professional criminals, serial killers, hackers, and con men. Encounters with individuals in this category are relatively rare but the consequences are potentially dire. An attack by an individual in this category may be opportunistic or targeted, but his or her methodology will be more sophisticated. Deterring or defeating someone in this category requires much more work than Levels I and II. Upgraded security measures, constant adherence to best practices, and situational awareness are the best defense against an attacker in this category.
Level IV: Level IV attackers are known in the information security community as “advanced persistent threats”. Governments fall into this category, as do hacker groups like Anonymous and other extremely sophisticated adversaries who are targeting a specific individual. The attacks perpetrated by these types are not opportunistic; they are targeting you for a specific reason. Perhaps you have angered someone, you are perceived as a threat to them, or you are the subject of an investigation. An advanced persistent threat will be characterized by intense focus, extremely sophisticated techniques, the time to conduct a thorough reconnaissance, and the ability to adapt to defeat your countermeasures. The chances of facing a Level IV attacker are very small, and the chances of a Level IV attacker succeeding increase steadily over time.
The higher the level of the attacker and the more the attack trends toward targeted focus, the more finesse can be expected, and the more time is on the side of the attacker. Unless he or she is strictly opportunistic, the attacker has the luxury of time: time to probe your perimeter, learn from mistakes, and try again another day. At this point defenses become somewhat less about preventing the attack and more about making the attacker’s job more difficult and detecting his presence before, during, or after the attack.
There is a long-standing adage among security “people” that says convenience and security are ever at odds (or perhaps a bit more precisely put, inversely proportional). As the convenience of a given system goes up, its security will necessarily go down. Generally speaking this is true. The convenience of a system is lent to authorized and unauthorized users alike. I would like to deal with specificity rather than generality in this post, however, and closely examine the relationship between these two concepts and one more.
Safety is the other factor that I would like to bring into this discussion. Though safety and security are closely interrelated and often used synonymously, they are different and must be examined as separate phenomena. Before we go further, I should tease out the difference between the terms safety and security.
Safety v. Security
Safety is, at its essence, protection of life and prevention of injury, caused primarily by accidents and mishaps. A manufacturing plant may place great emphasis on safety by implementing a “Safety First” campaign, installing fire suppression systems, placing eye-wash stations throughout the facility, and having an EMT on duty. All of these steps make the facility a safer environment but none of them increase security at all.
Security is typically defined as protection against criminal acts, and may or may not refer to the protection of people. The same manufacturing facility in the example above can install CCTV cameras, high security locks, an ominous chain-link fence, and an access control system for sensitive areas, all of which increase security. Unlike safety measures, which do not make the plant more secure, these security measures may make it safer against certain threats while simultaneously making it less safe against others. With the security measures, the employees are safer against criminal acts that would result in death and bodily injury, such as a disgruntled gunman or a terrorist act. Depending on the implementation, however, the security measures may make it more difficult for employees to egress in the event of an industrial accident, lowering the overall level of safety.
Though all of the examples I have cited thus far pertain to physical safety and security, convenience, security, and safety are all factors in the digital security realm as well. The protection of data systems and data from power surges, natural disasters, hard drive failures, and other mishaps (typically through backups) is usually lumped in with “infosec”. It would perhaps be more appropriate to call this type of protection “infosafety” (to coin a term). Protecting these same systems and their backups from deliberate human threats is an appropriate use of the terms “infosec” and “information security”, however. Finally, convenience plays a huge role in infosec and “infosafety”. Infosec and infosafety can be at odds with each other, though it may seem counterintuitive. It would be very safe to have data backups on multiple hard drives and with multiple cloud providers. It would be even safer if these backups were unencrypted; encryption introduces the possibility that the data may not be able to be decrypted when needed. This system would be very safe, but it would also be incredibly insecure.
It is entirely possible for a system (whether digital, residential, commercial, industrial, et cetera) to be both safe and secure. It is also possible for the same system to be very secure but unsafe, or to be very safe but insecure; the distinction is in the dangers that are primarily protected against.
Security v. Safety v. Convenience
Convenience is also in competition with security. Generally speaking, the more convenient a system becomes for the user, the more convenient it becomes for an attacker and security is subsequently lowered. For example, employees at our exemplar facility may tire of having to use a key to gain access back into their workspace after smoking and leave the door propped open. This is a convenience measure in the interest of the individual employee, caused by the security measures that are in the interest of the plant’s owners or managers. This also impacts safety, since an open door will not prevent the spread of fire or dangerous gasses that a closed door would.
In closing, a physical security system must balance safety, security, and convenience. It must be safe for the occupants, secure against outside threats, and convenient enough that the system will not be overridden. Digital systems (at least at the personal user level) have no requirement for safety, but they should still balance security and convenience. The designer of the system (the homeowner or Chief Security Officer) must weigh all of these considerations when implementing a system. He or she must also monitor use and be willing to adapt the system or provide user training based on usage patterns to achieve maximum compliance.
The convenience of a system can impact both its safety and security. It is no secret that as many security and safety processes as possible should be automated. Things like backups, updates, and encryption should happen with as little user input as possible to ensure compliance. When a system becomes overly complex, users will opt out of the security of the system; this is when things like leaving computers on and unlocked begin to occur. The convenience of a system should be weighed against the risks the system faces and the tolerance of its users for security measures. Make a system too secure and pretty soon it is far less secure, because users will begin bypassing the security to achieve a balance, an equilibrium, a stasis of safety, security, and convenience.
This topic is especially germane to me both in the writing of books on security, and in convincing my family and friends to adopt encryption and other security measures. There is a constant struggle between the two, and those who do not have a specific interest in security and/or privacy typically have a very low tolerance for inconvenience. Why do I recommend ProtonMail over Thunderbird with GPG/Enigmail? The latter is certainly more secure. Why do I recommend Cryptocat over ChatSecure when ChatSecure is more secure? I do so because I want to encourage participation among those who have little interest. As security becomes more convenient through services like ProtonMail and Tutanota, perhaps a significant percentage of people will choose to adopt security.