Security Concept: Attack Vector

Our last discussion looked at the security concepts of lock down and layered security. Attack vector is another important security concept. Different agencies and organizations have different words for this but it all comes down to the same concept.

Your adversary wants to attack you and they will attack you through some perceived weakness, a vector. Vector means a pointy little arrow. You can think of the arrow going through the path they’re trying to attack you. If a burglar kicks in your front door, the attack vector is the front door. Burglar crawls in through window, attack vector is the window.

In our last post, ThoughtfullyPrepping correctly said the best “lock down” to your PC being hacked over the Internet is pulling the connection to the Internet. The Internet is the primary attack vector hackers use to get into your system. We can subdivide this into smaller attack vectors. Some of the most common computer hacker attack vectors:

1) Your web browser
2) Your e-mail client
3) JAVA installed on your system
4) Flash player
5) Acrobat Reader

Some attacks go through one thing and then use another: A web browser attack taking advantage of flash player. These last three items have had tens of thousands of vulnerabilities over the years. How can you nullify attacks through these popular attack vectors?

If you don’t need it, uninstall JAVA. You could go without flash player, but how then would you play sheep dash or online flappy bird? Too great a sacrifice. Inside your browser you can install an add on (flashblock) that blocks flash content from automatically playing. This give you control over which flash content is allowed. Keep flash player updated. Visit the Flash Player Settings Manager website to check your settings and choose stronger settings than the defaults.

You can replace Acrobat Reader with a less targeted and less bloated pdf reader like Sumatra PDF.

For an e-mail client, choose one that doesn’t support scripting or one which can turn it off. Avoid Outlook and anything that supports Active X on Windows platform. Don’t open attachments in e-mails from strangers. Just delete them.

You could run your web browser sandboxed, using the free program Sandboxie. It will break many sites, but you can install browser add ons like NoScript which keep javascript and other scripts from running. Turn the extension off when you need scripting. For privacy, add Ghostrey to your browser.

By looking at known attack vectors you can reduce your vulnerability to attacks. By listing possible attack vectors you can get a good idea of how you can be attacked. It gets you thinking about how you can secure each line of attack.

The greatest weakness is entirely missing an attack vector. You’ve secured your home. The doors are bullet proof. The windows, impenetrable. A tiny burglar crawls through your dog door. A missed attack vector.

In the book, I devoted a page to securing window air conditioners. Why? It’s an overlooked burglar attack vector. Most ACs just sit in the window frame, held in place by a few tiny screws at the top. Burglars can easily push the AC into the home and crawl through the window. If you have a window AC, spend some time to secure it.

Securing your garage door from having the traveller disconnected is another overlooked home security attack vector.

When you secure anything, be it your home, computer, survival retreat, vehicle, anything, make a list of possible attack vectors. Don’t be overwhelmed. If you’re on the ball, you’ll see a huge amount of attack area. You can’t bulletproof everything. You don’t need to. The vast majority of attacks look for easy vulnerabilities. Something as simple as a locked door discourages break ins. A reinforced door makes a kick in difficult. Most burglars will move on to the house down the road when confronted with a few hardened attack vectors.

The same is true with computer hackers. Unless you’ve pissed off the NSA, when a hacker finds their favorite attack vectors closed, they’ll move on to hacking somebody else.

The End Of Privacy In America

The news is abuzz with the information that the NSA is working to build its “Big Brother” database, which is part of the Orwellian-named “total information awareness” program.

If you use Verizon, the government is linking your phone number to other numbers you called and which called you. This is done to build a “known associates” list. These lists are supposedly used to track down terrorists.

To track down fugitives, police use “known associates” to know where a felon can go to get help. The idea is that if the government knows everybody you’re in contract with, if you turn out to be a terrorist, they’ll be able to nab all of your terrorist friends too.

Doesn’t this seem to violate citizen privacy? I believed the NSA was supposed to only operate outside America. This has the potential for abuse.

There is a trend today to store personal information in “The Cloud” rather than on your own hard drive. In the far future, all information will probably be stored in “The Cloud” and computers will be boxes that can only access this information. There won’t be hard drives. When this happens, all personal information you keep on your computer will be available for instant access and analysis by the government.

***

OpSec, Prepper Stigma, Privacy, Face Recognition, & Facebook

Let me begin by saying I don’t like the term “opsec” which stands for operational security. That’s the sort of term you’d probably never want to drop on a neighbor. It’s like calling your place in the country a “retreat.” If you clarify that it’s a vacation retreat, that’s great. But don’t use the term “bunker” or, God forbid, “The Compound.”

It’s your country place. Your cabin in the woods. The place you go when you just want to get away from it all (not mentioning that “it all” includes mutant zombies). You’re not hardening your house’s security, you’re renovating. Your concrete pillbox is shooting for that WWII retro look. It’s an aesthetic-artistic thing.

Many preppers feel opsec is about protecting your stash of supplies from desperate neighbors during a long-term WROL. I don’t worry too much about that. Maybe, it’s because, unlike many preppers, I don’t stockpile several years’ worth of food. If hungry neighbors showed up at my door during a true disaster and I had the resources, I’d help them. I have just enough weapons to make trying to take them away from me a miserable experience for a gang.

I want to address an aspect of opsec that doesn’t get as much attention in the prepper community: Protecting your job. Only a few years ago, I would have said the term “prepper” didn’t have any stigma attached to it. But, I fear that’s changing.

Shows like “Doomsday Preppers” portray preppers as more radical than most of us are. Other social or political elements want to co-opt the term “prepper.” That can lead to preppers being classified inappropriately, in ways that aren’t reflective of who we are.

If the word “prepper” takes a lexical turn for the worse in the future, it might be a label you want to avoid. If your Facebook page shows you holding a gun saying, “I’m a prepper!” that’s a label that could follow you through your lifetime. It probably will be harmless, but in some areas, it could conceivably cost you a job.

If you’re applying for the head maintenance position at a small school and the person evaluating your application sees the picture, he might worry you’re a nut who’ll shoot up the school. Even if he thinks you’re fully sane, he might worry that hiring you could cast him in a bad light. What were you thinking hiring this guy? In today’s tight job market, something as simple as a Facebook photo can be the difference between getting a job or being rejected. First rule of survival in the modern world: Don’t lose your job.

In my time, people might have a bad day at work and come home and vent about their boss who was a jerk that day. Some might even write in a diary. Youngsters today go to Facebook and post online. They share their feelings with their friends and the world. Some then get fired.

As a rule, the students you teach aren’t “germ bags.”  You don’t “like” your boss’s political opponent.  Don’t call your job “boring“, and accept your crummy tip and shut up.

I understand people want to assert their freedom of speech and express their opinions, but being able to pay your bills is nice too.

There’s a saying that if you don’t have anything nice to say, don’t say anything at all. Just smile and nod. Even smiling and nodding can get you into trouble today.

Facebook purchased Face.com, a facial recognition software company. Facebook is creating the largest face database in the world. Originally the plan was to make an interface for all software developers, but that plan got axed. There were too many creepy possibilities.

Stalkers could take an iphone picture of somebody and instantly know all about them. It could be a nuisance for attractive women. This should give those considering a career in undercover security/police work pause. Do you want your photos on the Internet?

If a somebody snaps a picture of you sitting with two police officer buddies, that photo could compromise your opsec. Most surveillance cameras today don’t have the resolution to identify a face, but that will change in the future.

Face photo searches could turn up every photo you’ve ever been in and could identify the other people in the photo. If you live or work in an urban or suburban environment, you’re being photographed regularly by security cameras. Most of that video footage is destroyed and recycled, but what happens when advertisers start offering businesses money for the video?

I agree with Demcad: “In my opinion, Facebook is just a hub to sell customer information to corporations.” One company (Face Deals) is using cameras at stores to capture photos of customers as they enter. That information allows the store to know what special offers and deals might appeal to the person. As one commentator posted, the problem with “opting out” of such a program is that the camera is still snapping your photo and storing it in a database. You’re only opting out of being given special deals, not being photographed and tracked.

There are some upsides to all this face tracking. Lost children at amusement parks might be quickly found. Dangerous felons can be identified and taken off the streets. If nothing else, face recognition is in its infancy and there are some amusing face recognition fails to give us a good laugh. (my favorite: The Pumpkin)

Here’s a nice article about protecting your privacy on Facebook. Don’t post your place of birth or age. Computer scientists at one university successfully predicted many people’s Social Security numbers from public information. The same people are now linking pictures to SSNs (not for any malicious purpose, but just to show they can).

One writer speculated Facebook’s ultimate goal is to become the “driver’s license of the Internet.” To use your cell phone or computer, you’d need to log on with a face-recognizing video camera.

***

Face recognition reality is only one aspect of how privacy is changing in the modern world. The FDA was caught spying on employee’s e-mail.

The end of privacy.  An interesting editorial talking about license plate tracking.

Google Android devices  like to know where you are.

The new totalitarianism of surveillance technology

While we’re talking about faces, here’s an interesting 60 Minutes special (on youtube) about people who can’t remember faces. There are super-recognizers who remember every face they ever see.

On other topics:

Forrest fires continue to be a problem throughout parts of the country. Idaho just had its worst forest fire season on record.

‘Preppers’: Ready For Anything (A Buffalo News article about preppers)

Gerber is recalling Bear Grylls Parang Machetes because they might be a laceration hazard. They’re included in Gerber’s Apocalypse Survival Kit. I walked by a TV the other day and thought I saw Bear Grylls selling deodorant.