Armchair Spies
Originally starting life as the DARPA-Net, and a combination of University networks, the Internet has grown over the last few decades to become the massive global network of information that it currently is. The content of this network, freely available to many, contains a lot of information that allows for espionage in relative anonymity. All it requires is a network connection, and a willingness to look. Information that was previously only open to state sponsored intelligence agencies, particularly those with space based imaging platforms, is now freely available to all Internet users.
The presence of search engines such as Google, Yahoo, InfoSeek, and a number of others that claim to index the Internet, makes accessing this information a much simpler task. The use of software programs variously known as spiders, crawlers or robots, allows these companies to build searchable, indexed, databases of content that appears on the Internet. Technologically unimpressive, these automated tools unearth incredible amounts of information which otherwise would be best hidden.
Unfortunately for those who are trying to prevent access to their sensitive information, it is extremely easy to misconfigure the interfaces that systems have with the Internet, unknowingly exposing sensitive information that should really be hidden. For hackers who seek to exploit this information, the use of the various Internet search engines forms an essential component of their hacking toolkits. The caching of web content by the various search engines can allow a remote attacker to fully research a target without actually contacting the victim's systems or sites.
Governments will always be engaged in activities which they do not want disclosed for fears that disclosure will harm national security. These protected activities will always attract attention from a section of the general population who have dedicated themselves to discovering the specifics. The Internet allows these people to coordinate their efforts more easily, provides a means for more rigorous fact checking, and allows a far wider distribution of the information than would otherwise be possible.
Such information access means that industrial, national and military espionage activities are almost trivial to undertake; a target may never know that they have been selected for espionage, and may never know what information has been discovered about them. Historically, only State agencies have had the resources to conduct this level of espionage, but now it is available to anybody with a network connection, access to a public library, and a critical mind.
For example, space-based imagery had only been available to countries with a space launch capacity, and their trusted allies. The late nineties saw commercial providers entering the space imagery industry, and the major powers sought to restrict the level of detail and distribution of content that these providers made available. Sites such as the White House have been modified to reduce detail in freely available imagery from a number of online sites. This is only a stopgap measure, as the section of the population who seeks out the protected information will devote themselves to obtaining unmodified imagery, or even directly observing the locations and reporting on the details.
Now, high resolution space-based imagery for significant areas of the globe has been made available through online services such as maps.google.com. This has caused concern in a number of nations, including the Netherlands, Australia, North Korea and South Korea, with reports that Russia is concerned as well. Initially the images were 2-3 years old, but important buildings don't tend to move great distances in such a short timeframe. The coverage and resolution offered by this service, and others, means that military installations, critical infrastructure, communications arrays, and other sensitive locations are now freely viewable, sometimes at resolutions approaching 1m per pixel. It is possible to determine working flight line layouts for military installations (practical examples being F117 and SR-71 flight lines in the USA), military dockyard layout and facility usage, and ground based unit distribution. With rudimentary knowledge of antenna theory, it is possible to determine operational frequency bands, ranges and operational limitations for RADAR and communication arrays, including system weak points for disruption of services.
As some observers have noted, you can't blame technology for terrorism (being the current enemy of the month). Historically, militant organisations have shown a willingness to adopt new technologies in an effort to gain a technological advantage over their enemies, who might be held to a rigid bureaucracy which slows their technological uptake. Technology which offers anonymous delivery and distribution of their messages, especially to a global audience, is particularly valuable, and it forces existing intelligence bodies to re-evaluate their threat matrices to account for these new vectors.
Following on from last month's column on Techno-Arrogance, this is an opportunity to put forward some reasons why there is such a discrepancy between the technology aware and the technology naive.
Arguments that the technology naive are 'stupid people', or 'ignorant by choice', are very demeaning and reflect an inability of the technology aware to communicate (although there are some who will never listen or learn). One thing which tends to be forgotten by the technology aware is that their technical expertise is far above the average, and what may be obvious to them is not necessarily obvious or straightforward to everyone else.
When a well designed phishing email arrives in the inbox of the technology naive, they can be easily fooled, and even the technology aware are not immune to a well crafted attack. Analysis of the source of an email, and the ability to interpret the results, should not be a necessary part of receiving email, but it is rapidly becoming an essential skill when sorting through email. Unlike a telephone call or a letter in the mail, a falsified email is more difficult to detect once trust has been placed in the information medium.
A random person on the street who is claiming to be from your bank is no different to the phishing emails that many people receive, but it is much easier to determine that the person on the street is not legitimate (at least for the technology naive). Perhaps that is the key to user education, association of emails with random people walking up to them on the street, and learning to delete and ignore them.
Even the hiring of 'technical' staff by the technology naive can be an eye-opening experience. It has been said that when an employer requires certain technical certifications (e.g. CCNA, MCSE, CISSP) to be held by employees, then it is possible to apply a generic technical model to that company:
- The first element is that the employee will be responsible to a manager who has little (if any) technical experience, and who will manage based on 'metrics' due to an inability to understand the technical performance of the employee. The use of the certificate as a filtering mechanism implies that they have difficulty determining the difference between someone pulling the wool over their eyes, and an industry veteran with many years of relevant experience.
- Secondly, salary will be set at an 'industry standard' level, as the certificate implicitly sets the limit of the employee's knowledge and abilities (as far as the company is concerned).
- Thirdly, the employee will be committed to life as an underling, unless they manage to break out with study in their own time. Professional development is always ongoing, but the company needs certificate holders to do the low-level work, and it is hard to find those who can actually do the work.
- Finally, it indicates a company which is set in its ways and which fears new technology, or innovative use of existing technology, as those will probably not have any certifications attached to them, which makes it difficult for the non-technical management to evaluate the strengths of the technology.
This generic model will not always apply, and will not always apply completely, but it does form a minimum standard of what to expect for people who are seeking employment in technical areas, and it points out the difficulties of relating non-technical business operators to highly technical employees.
This argument has also had some significant discussion recently, as the CISSP (Information Security Certificate) has come under fire for no longer being a relevant certification, with the 'certificate mills' pumping out CISSP holders who are diluting the perceived image of reliability that the certificate once attracted. Microsoft's MCSE and Cisco's CCNA have also been through this argument in the past, although the higher ranked certifications, such as Cisco's CCIE certification, appear safe, at least for a while longer. The SANS GIAC certification, which is still held in high regard amongst many technical people, is also headed to a similar fate with recent changes in the requirements that must be met to proceed along the path of obtaining certification.
24 October 2005