Wednesday, March 12, 2014

Dissecting a Cyber Security Warning



My wife and I were watching the 700 Club show recently and they did a piece about cyber security. The article and video can be found here.

The guest on the show describes a number of cyber threats before recommending his book as a way to know how to protect yourself from them. I haven't read the book, so I can't comment on its content, but let's break down some of the "cyber threats" he describes:

1. Attacks on our electric grid

2. A cyber hacking unit which is "the most sophisticated perhaps in the world"

3. Cyber attacks on stock exchanges ("They could just hack into it. They've hacked the NASDAQ multiple times, they've hacked the NYSE, they've hacked the Navy, the White House, the NSA, you name it.")

4. That we have no way of preventing the stock exchange from being shut down, we just have to be ready to bring it back up

5. High frequency trading algorithms that could crash any exchange in the world ("He walked out with high frequency trading algorithms" "Those are the computers that trade continually")

As a side note, he described someone as "walking out with algorithms" as though they're candy bars you could shoplift. Algorithms are ideas, like recipes. They can be written down, but they can also be explained to someone who would then just know them.

6. Associated Press Twitter feed hack that claimed the White House had been struck, which caused the stock market to drop

7. EMP from a nuclear bomb that would "shut everything down" ("You could be isolated and alone, and you wouldn't know what to do")

Now that is a lot of topics, covering a broad range of ideas and threats. It sounds very scary, but there are a number of red flags that come up for me when listening to this.

Fast transitions between unrelated topics and threats
We start with "high frequency trading algorithms" and then jump to hijacking a Twitter account and doing some social engineering. Those are very different things. They are related because they involve stock markets, but they require different skill sets and talents. These kinds of transitions make things seem connected and sound scary, but unless some evidence of a connection is explained, it's usually less concerning than it may sound.

Dramatic terminology
Here I'm referring to the line about being "isolated and alone and not knowing what to do" or the line in the opening about "affecting the average American's retirement account". These are emotional appeals, not factual or logical appeals. Loneliness or financial security from a retirement account are big emotional deals, but unless someone can explain specifically what the threat to those things is, you probably shouldn't react emotionally to the information.

This also applies at some level to the targets he described. Supposedly our enemies have simply hacked into the NSA, the White House (what does that mean, exactly? Computers inside of the White House, perhaps? Obama's Facebook maybe?), and a number of other high-profile targets. But no details are given. These are all very patriotic targets that generate an emotional response.

The threat descriptions end with a sales pitch
My favorite hashtag (that apparently only I use) is: #iquestionyourmotives. Anytime someone uses emotional appeals and then offers to sell you something, take a step back and find a third party to discuss it with.

The author's area of expertise
The author is probably a brilliant man, but if you look at his qualifications he is an economist, not a security expert or even a computer scientist. I'm not saying he doesn't know things about those fields, but just like you should take any financial advice I give with a grain of salt, we should probably take his cyber security warnings with a grain of salt as well.

Generalized Statements of Impossibility
Any time someone says there is no way to do something involving a computer, it should throw up a red flag. Of course we have methods of preventing attacks on different stock exchanges, just like we have methods of preventing attacks on anything else (IPS/IDS, firewalls, SIEM, anti-virus, etc.).

There are other red flags for me, but that's all I'll list.

This is very good reporting. It is interesting and exciting to watch, and the guest is an excellent speaker. But it is not good education. It doesn't present actual examples of attacks or vulnerabilities and it doesn't point people towards accessible resources that can be used to improve the situation. Rather than trying to panic the public with dramatic terms that may or may not mean anything, we are better off educating them to be concerned about things that are actually threatening.