I recently came across this this photo – some of the things that I took on holiday with me back in 2006:
I was struck by one of the most recognisable items in the picture – The Art of Intrusion by Kevin Mitnick.
The book is an interesting mix of Kevin Mitnick – a notorious former black/greyhat computer hacker/cracker – talking to former associates about other alleged hits.
Obviously, in the same way as watching Frank Abagnale‘s Catch Me If You Can doesn’t mean you support the passing of fraudulent checks or posing as airline pilots, clearly I also don’t endorse any of the things described in the Art of Intrusion – but the really valuable thing about the book is that it allows you to get inside the minds of ‘the bad guys’, see and understand how and why they do things.
The prequel to The Art of Intrusion is slightly different. The Art of Deception is the story of Kevin Mitnick’s own run from the FBI – Mitnick famously evaded the FBI for 2 and a half years before his arrest, during which time he managed to gain unauthorised access to the voicemail of the FBI officer who’d been assigned to his case (allowing him to evade capture for some time longer).
A few weekends ago, I was Blue Light Camp – billed as “the first truly interdisciplinary emergency services unconference in the UK”. As the name implies, there were many people from a variety of different emergency services backgrounds and so when I saw a talk titled The Art of Deception, I vaguely remembered the book, and wandered along. Kate Norman of an NHS trust (or known better to me as a friend of Ian Forrester), had recently read the book and was interested in people’s opinions. No-one else had read the book, but the discussion that followed was quite insightful.
I hadn’t gone along to talk internet security, in theory, yes, I’ve been in ‘Cyber Security’ competitions but largely my aim of attending this event was to listen, learn and meet some passionate and enthusiastic “blue lights”. The discussion was interesting because we really covered a lot of ground; privacy online, uses of social media and website’s being taken down/defaced.
The question was: “What can one do about one’s website being defaced/hacked/DDOS’d/etc?”
I think really the answer is quite simple: “You can apologise and do your best to bring things back to normal as fast as you can with the resources you have available”.
Ultimately, whatever you do, you can never be fully confident your website is secure – in the same way that you can be confident that whilst you’re a good driver, even if you’ve done advanced driving courses, someone can still drive into your rear end at a traffic lights or cut you up on a motorway and a collision happens. Even if you took all the possible precautions, there’s still some risk involved.
In terms of compromise of websites; even if your penetration testers haven’t found any serious flaws in your CMS (hint: if this happens, hire someone else), even if your base operating system is all patched and up to date, it’s not unlikely that tomorrow, someone will discover a vulnerability that affects one of them, and that your regime of patching doesn’t happen that quickly because you value stability.
It’s a very thin line to tread, and ultimately, it’s wisest to recognise that you’re going to do your best, but at some point in the next 10 years, you’ll need to apologise to your users. Being good at apologising to your users is not a skill to be sniffed at. If you can do it well, explain what happened in terms the users and your management understand then so much the better. There are worse things your could do than looking into the best ways to apologise to your users – to me this seems like a good use of training time.
During the session at Blue Light Camp I brought up this XKCD cartoon:
The amusing thing about me reading The Art of Intrusion was that it was 2006. 6 years ago. I was a teenager. I was still at school, and that must have been a library book (I’ve never owned a copy of it). It was just one of the security orientated books I read at the time (along with Bruce Schnier’s “Secrets and Lies in a Networked World”)
The types of attack, the types of thinking described in the books are alive and well today – there isn’t a problem with legislation – illegal acts are quite clearly illegal – yet really there’s been many years in which to learn how best to respond to security issues.
What scared me though is how far we’ve come in terms of the pervasiveness of technology since 2006 (back then government websites were mainly brochures, I hadn’t joined Facebook yet, Twitter really didn’t exist), and yet the basic premises of responsible and realistic net security are still not well known.
How can we fix this? How can one explain net security to the masses? As in ‘nothing is ever truly safe’ not ‘you need a password with lower and upper case and numbers’? As in ‘we fucked up, we’re really sorry, have some cake’.
I don’t know the answer, but I think it’s probably not going to be by prepending everything with “cyber” and trying to scare the shit out of everyone.
At Blue Light Camp I described Kevin Mitnick as “a bad person”.
I was asked: “well did did anyone die because of him?”
I responded negatively..
“Well on the scale of people we deal with, he’s not a very bad person then!”