Entries Tagged "threat alerts"


Iranian Attacks on Industrial Control Systems

New details:

At the CyberwarCon conference in Arlington, Virginia, on Thursday, Microsoft security researcher Ned Moran plans to present new findings from the company’s threat intelligence group that show a shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin. Microsoft has watched the group carry out so-called password-spraying attacks over the past year that try just a few common passwords across user accounts at tens of thousands of organizations. That’s generally considered a crude and indiscriminate form of hacking. But over the last two months, Microsoft says APT33 has significantly narrowed its password spraying to around 2,000 organizations per month, while increasing the number of accounts targeted at each of those organizations almost tenfold on average.

[…]

The hackers’ motivation — and which industrial control systems they’ve actually breached — remains unclear. Moran speculates that the group is seeking to gain a foothold to carry out cyberattacks with physically disruptive effects. “They’re going after these producers and manufacturers of control systems, but I don’t think they’re the end targets,” says Moran. “They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”

It’s unclear whether the attackers are causing any actual damage, or just gaining access for some future use.
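One way a defender can tell the "low and wide" spraying pattern described above apart from an ordinary brute-force run in authentication logs, as an added example that is not from the original post or from Microsoft's research; the log format, the source addresses and the thresholds are constructed assumptions for illustration:

```python
from collections import defaultdict
import re

# Constructed sample: one spraying source touching many accounts once each,
# one brute-forcing source hammering a single account, and one benign mistype.
SAMPLE_LOG = """\
2019-12-01T08:00:01Z auth_fail src=203.0.113.7 user=alice
2019-12-01T08:00:02Z auth_fail src=203.0.113.7 user=bob
2019-12-01T08:00:03Z auth_fail src=203.0.113.7 user=carol
2019-12-01T08:00:04Z auth_fail src=203.0.113.7 user=dave
2019-12-01T08:00:05Z auth_fail src=203.0.113.7 user=erin
2019-12-01T08:00:06Z auth_fail src=203.0.113.7 user=frank
2019-12-01T08:00:07Z auth_fail src=198.51.100.9 user=alice
2019-12-01T08:00:08Z auth_fail src=198.51.100.9 user=alice
2019-12-01T08:00:09Z auth_fail src=198.51.100.9 user=alice
2019-12-01T08:00:10Z auth_fail src=198.51.100.9 user=alice
2019-12-01T08:00:11Z auth_fail src=192.0.2.22 user=grace
2019-12-01T08:00:12Z auth_fail src=192.0.2.22 user=grace
"""

# Assumed log line shape: "<timestamp> auth_fail src=<addr> user=<account>"
LINE_RE = re.compile(r"^\S+ auth_fail src=(?P<src>\S+) user=(?P<user>\S+)$")

def failures_by_source(log_text):
    """Map source address -> {account: number of failed logons}."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            counts[m["src"]][m["user"]] += 1
    return counts

def classify_sources(log_text, min_accounts=5, max_per_account=3):
    """Return {src: 'spray' | 'brute_force' | 'benign'} (thresholds assumed).
    spray: many distinct accounts, each with only a few failures (low and wide);
    brute_force: one or few accounts with many failures (narrow and deep)."""
    verdicts = {}
    for src, per_user in failures_by_source(log_text).items():
        distinct = len(per_user)
        peak = max(per_user.values())
        if distinct >= min_accounts and peak <= max_per_account:
            verdicts[src] = "spray"
        elif peak > max_per_account:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Per-account lockout counters never trip on a spray because each account sees only one or two failures, which is why the per-source breadth of distinct accounts is the signal to alert on.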

Posted on December 17, 2019 at 6:05 AM

DOS Attack Against Los Angeles Schools

Yesterday, the city of Los Angeles closed all of its schools — over 1,000 schools — because of a bomb threat. It was a hoax.

LA officials defended the move, with that city’s police chief dismissing the criticism as “irresponsible.”

“It is very easy in hindsight to criticize a decision based on results the decider could never have known,” Chief Charlie Beck said at a news conference.

I wrote about this back in 2007, where I called it CYA security: given the choice between overreacting to a threat and wasting everyone’s time, and underreacting and potentially losing your job, it’s easy to overreact.

What’s interesting is that New York received the same threat, and treated it as the hoax it was. Why the difference?

EDITED TO ADD (12/17): Best part of the story: the e-mailer’s address was madbomber@cock.li.

EDITED TO ADD (1/13): There have been copycats.

Posted on December 16, 2015 at 6:28 AM

Get Your Terrorist Alerts on Facebook and Twitter

Colors are so last decade:

The U.S. government’s new system to replace the five color-coded terror alerts will have two levels of warnings, elevated and imminent, that will be relayed to the public only under certain circumstances for limited periods of time, sometimes using Facebook and Twitter, according to a draft Homeland Security Department plan obtained by The Associated Press.

Some terror warnings could be withheld from the public entirely if announcing a threat would risk exposing an intelligence operation or a current investigation, according to the government’s confidential plan.

Like a carton of milk, the new terror warnings will each come with a stamped expiration date.

Specific and limited are good. Twitter and Facebook: I’m not so sure.

But what could go wrong?

An errant keystroke touched off a brief panic Thursday at the University of Illinois at Urbana-Champaign when an emergency message accidentally was sent out saying an “active shooter” was on campus.

The first message was sent on the university’s emergency alert system at 10:40 a.m., reaching 87,000 cellphones and email addresses, according to the university.

The university corrected the false alarm about 12 minutes later and said the alert was caused when a worker updating the emergency messaging system inadvertently sent the message rather than saving it.

The emails are designed to go out quickly in the event of an emergency, so the false alarm could not be canceled before it went out, the university said.

Posted on April 8, 2011 at 1:23 PM

The DHS is Getting Rid of the Color-Coded Terrorism Alert System

Good. It was always a dumb idea:

The color-coded threat levels were doomed to fail because “they don’t tell people what they can do – they just make people afraid,” said Bruce Schneier, an author on security issues. He said the system was “a relic of our panic after 9/11” that “never served any security purpose.”

I wrote this in 2004:

In theory, the warnings are supposed to cultivate an atmosphere of preparedness. If Americans are vigilant against the terrorist threat, then maybe the terrorists will be caught and their plots foiled. And repeated warnings brace Americans for the aftermath of another attack.

The problem is that the warnings don’t do any of this. Because they are so vague and so frequent, and because they don’t recommend any useful actions that people can take, terror threat warnings don’t prevent terrorist attacks. They might force a terrorist to delay his plan temporarily, or change his target. But in general, professional security experts like me are not particularly impressed by systems that merely force the bad guys to make minor modifications in their tactics.

And the alerts don’t result in a more vigilant America. It’s one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it’s obvious when the danger is imminent and when it’s over. People can do useful things in response to a hurricane warning; then there is a discrete period when their lives are markedly different, and they feel there was utility in the higher alert mode, even if nothing came of it.

It’s quite another thing to tell people to be on alert, but not to alter their plans, as Americans were instructed last Christmas. A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Indeed, it inspires terror itself. Compare people’s reactions to hurricane threats with their reactions to earthquake threats. According to scientists, California is expecting a huge earthquake sometime in the next two hundred years. Even though the magnitude of the disaster will be enormous, people just can’t stay alert for two centuries. The news seems to have generated the same levels of short-term fear and long-term apathy in Californians that the terrorist warnings do. It’s human nature; people simply can’t be vigilant indefinitely.

Another alert system to compare this one to is the DEFCON system. At each DEFCON level, there are specific actions people have to take: at one DEFCON level — and I’m making this up — you call everyone back from leave, at another you fuel all the bombers, at another you arm the bombs, and so on. What actions am I supposed to take when the terrorist threat level is Yellow? When it is Orange? I have no idea.

EDITED TO ADD (11/25): Good observation:

The DHS National Threat Advisory is a public alert system. That a public alert system is indicating imminent disaster is not surprising. In fact it’s inevitable. It’s the nature of public alert systems to signal imminent disaster at all times. I’ve composed “Blakley’s Law” (next time I come up with one of these I’ll rename this one “Blakley’s First Law”) to describe the phenomenon:

“Every public alert system’s status indicator rises until it reaches its disaster imminent setting and remains at that setting until it is retired from service.”

It’s easy to see why Blakley’s law holds: if something terrible happens and the alert status didn’t predict it, the keepers of the alert status will be blamed for not preparing us for the disaster. Setting the alert status to “Disaster imminent” when no disaster is likely costs the public some money and mental health, but it doesn’t hurt them in other ways. On the other hand, setting the alert status to “Don’t worry, be happy” just before a disaster does happen is the worst case for everyone – nobody prepares for the disaster, and the people in power lose their jobs for failing to prevent or prepare for the crisis.

Posted on November 25, 2010 at 6:39 AM

The Ineffectiveness of Vague Security Warnings

From Slate:

We do nothing, first and foremost, because there is nothing we can do. Unless the State Department gets specific—e.g., “don’t go to the Eiffel Tower tomorrow”—information at that level of generality is completely meaningless. Unless we are talking about weapons of mass destruction, the chances of being hit by a car while crossing the street are still greater than the chances of being on the one plane or one subway car that comes under attack. Besides, nobody living or working in a large European city (or even a small one) can indefinitely avoid coming within close proximity of “official and private” structures affiliated with U.S. interests—a Hilton hotel, an Apple computer store—not to mention subways, trains, airplanes, boats, and all other forms of public transportation.

Second, we do nothing because if the language is that vague, nobody is really sure why the warning has been issued in the first place. Obviously, if the U.S. government knew who the terrorists were and what they were going to attack, it would arrest them and stop them. If it can’t do any better than “tourist infrastructure” and public transportation, it doesn’t really know anything at all.

[…]

In truth, the only people who can profit from such a warning are the officials who have issued it in the first place. If something does happen, they are covered. They warned us, they told us in advance, they won’t be criticized or forced to resign. And if nothing happens, we’ll all forget about it anyway.

Except that we don’t forget about it. Over time, these enigmatic warnings do al-Qaida’s work for them, scaring people without cause. Without so much as lifting a finger, Osama Bin Laden disrupts our sense of security and well-being. At the same time, they put the U.S. government in the position of the boy who cried wolf. The more often general warnings are issued, the less likely we are to heed them. We are perhaps unsettled or unnerved, but we don’t know what to do. So we do nothing—and wish that we’d been told nothing, as well.

I wrote much the same thing in 2004, about the DHS’s vague terrorist warnings and the color-coded threat advisory system.

EDITED TO ADD (10/13): Another article.

Posted on October 8, 2010 at 12:49 PM

Modifying the Color-Coded Threat Alert System

I wrote about the DHS’s color-coded threat alert system in 2003, in Beyond Fear:

The color-coded threat alerts issued by the Department of Homeland Security are useless today, but may become useful in the future. The U.S. military has a similar system; DEFCON 1-5 corresponds to the five threat alerts levels: Green, Blue, Yellow, Orange, and Red. The difference is that the DEFCON system is tied to particular procedures; military units have specific actions they need to perform every time the DEFCON level goes up or down. The color-alert system, on the other hand, is not tied to any specific actions. People are left to worry, or are given nonsensical instructions to buy plastic sheeting and duct tape. Even local police departments and government organizations largely have no idea what to do when the threat level changes. The threat levels actually do more harm than good, by needlessly creating fear and confusion (which is an objective of terrorists) and anesthetizing people to future alerts and warnings. If the color-alert system became something better defined, so that people know exactly what caused the levels to change, what the change means, and what actions they need to take in the event of a change, then it could be useful. But even then, the real measure of effectiveness is in the implementation. Terrorist attacks are rare, and if the color-threat level changes willy-nilly with no obvious cause or effect, then people will simply stop paying attention. And the threat levels are publicly known, so any terrorist with a lick of sense will simply wait until the threat level goes down.

Of course, the codes never became useful. There were never any actions associated with them. And we now know that their primary use was political. They were, and remain, a security joke.

This is what I wrote in 2004:

The DHS’s threat warnings have been vague, indeterminate, and unspecific. The threat index goes from yellow to orange and back again, although no one is entirely sure what either level means. We’ve been warned that the terrorists might use helicopters, scuba gear, even cheap prescription drugs from Canada. New York and Washington, D.C., were put on high alert one day, and the next day told that the alert was based on information years old. The careful wording of these alerts allows them not to require any sound, confirmed, accurate intelligence information, while at the same time guaranteeing hysterical media coverage. This headline-grabbing stuff might make for good movie plots, but it doesn’t make us safer.

This kind of behavior is all that’s needed to generate widespread fear and uncertainty. It keeps the public worried about terrorism, while at the same time reminding them that they’re helpless without the government to defend them.

It’s one thing to issue a hurricane warning, and advise people to board up their windows and remain in the basement. Hurricanes are short-term events, and it’s obvious when the danger is imminent and when it’s over. People respond to the warning, and there is a discrete period when their lives are markedly different. They feel there was a usefulness to the higher alert mode, even if nothing came of it.

It’s quite another to tell people to remain on alert, but not to alter their plans. According to scientists, California is expecting a huge earthquake sometime in the next 200 years. Even though the magnitude of the disaster will be enormous, people just can’t stay alert for 200 years. It goes against human nature. Residents of California have the same level of short-term fear and long-term apathy regarding the threat of earthquakes that the rest of the nation has developed regarding the DHS’s terrorist threat alert.

A terrorist alert that instills a vague feeling of dread or panic, without giving people anything to do in response, is ineffective. Even worse, it echoes the very tactics of the terrorists. There are two basic ways to terrorize people. The first is to do something spectacularly horrible, like flying airplanes into skyscrapers and killing thousands of people. The second is to keep people living in fear. Decades ago, that was one of the IRA’s major aims. Inadvertently, the DHS is achieving the same thing.

Finally, in 2009, the DHS is considering changes to the system:

A proposal by the Homeland Security Advisory Council, unveiled late Tuesday, recommends removing two of the five colors, with a standard state of affairs being a “guarded” Yellow. The Green “low risk of terrorist attacks” might get removed altogether, meaning stay prepared for your morning subway commute to turn deadly at any moment.

That’s right, according to the DHS the problem was too many levels. I hope you all feel safer now.

Here are some more whimsical designs, but I want the whole thing to be ditched. And it should be easy to ditch; no one thinks it has any value. Unfortunately, if the Obama Administration can’t make this simple change, I don’t think they have the political will to make any of the harder changes we need.

Posted on September 18, 2009 at 6:45 AM

Too Many Security Warnings Results in Complacency

Research that proves what we already knew:

Crying Wolf: An Empirical Study of SSL Warning Effectiveness

Abstract. Web users are shown an invalid certificate warning when their browser cannot validate the identity of the websites they are visiting. While these warnings often appear in benign situations, they can also signal a man-in-the-middle attack. We conducted a survey of over 400 Internet users to examine their reactions to and understanding of current SSL warnings. We then designed two new warnings using warnings science principles and lessons learned from the survey. We evaluated warnings used in three popular web browsers and our two warnings in a 100-participant, between-subjects laboratory study. Our warnings performed significantly better than existing warnings, but far too many participants exhibited dangerous behavior in all warning conditions. Our results suggest that, while warnings can be improved, a better approach may be to minimize the use of SSL warnings altogether by blocking users from making unsafe connections and eliminating warnings in benign situations.

Posted on August 4, 2009 at 10:01 AM
