Cyber Attacks in a CyberSecurity Emergency
Disclaimer: This content is the result of my having survived several emergencies of varying effect sizes. Most of these ideas are rules of thumb, and not canned answers. As in any emergency your best outcome will be if you keep calm, consider many options, and flow from plan to backup plan as required.
Rumor has it that there are many script tool-kits that contain multiple attacks that a hacker can use to attack a target. I presume that political entities might design their own tool-kits, train their agents, and roll out an attack with hundreds of agents on the ground. There might even be cyber-mercenaries for hire who will work for any political entity, if paid enough.
Municipalities or regions with high tourism might be particularly vulnerable. On the other hand, regions with high tourism also have a strong local infrastructure of locals who know & trust each other, share a distinct culture, and know how to solve problems without involving tourists.
I have seen many cyber attacks, and will write about the ones that I have operational theories about. These attacks are organized by attack vector and specific to a particular emergency. (Keep in mind that each cyber emergency will likely involve distinct attacks.)
Disclaimer: please remember that these are the hypothesized attacks observed from user experience with no knowledge of the source code for the attack. These descriptions could be heterogeneous, in that there could be more than one attack that uses a similar attack vector.
- Wireless attack(s)
  - sometimes may involve an open wireless network
  - cell phones and laptops may surreptitiously log on to an open wireless network
  - signs of attack:
    - changes in the behavior of the web browser
    - Linux password prompts that ask for the password again and again even when the password was typed correctly
  - no wireless, i.e. physically disable it, or disable via ifconfig (command line: sudo ifconfig wlan0 down)
  - no open wireless networks
  - encrypt the wireless networks
  - re-install the OS from a clean source
- DNS attack(s)
  - involve tainted DNS servers, where a user's DNS lookups are redirected to an illicit server
  - may involve poisoned OS updates from an illicit update server
  - signs of attack:
    - immediate root access to the machine by the attacker
    - might see the machine break in any way possible: uninstalled software, attack payloads, new machine behavior, etc.
  - get OS updates from a trusted source, i.e. from a CD-ROM library of software or from a trusted update server
  - Set your DNS server to a trusted DNS. There are hundreds of DNS servers in the US. Pick one from a region that has stable & clean-ish IT infrastructure.
  - If in doubt, do not update your machine.
- USB attack(s)
  - Trojans that spread mostly via USB, and also through the network when firewalls are down
  - Grants immediate root access to the attacker
  - May have a root-kit payload, as well as bot payloads for psychological attacks based on conditioning.
  - These payloads could be miniature, computerized versions of the agent-based psychological attacks, designed to alert the political entities to key personnel who should be subjected to more extensive social engineering and psychological attack.
  - Activate the firewall.
  - Do not use USB, unless a technically qualified person can certify that the USB device is clean.
  - Back up files via the network (ssh, ftp, or the cloud), or via an attached drive that uses a non-USB protocol. Remember that each back-up option has its own vulnerabilities, which may be attacked.
  - Reinstall the OS from clean binaries.
- Browser attack(s)
  - involve injecting malware onto a machine that has browsed a compromised web site
  - strange behavior in the web browser that may eventually be leveraged to root access by the attacker
  - update your browser
  - browse only trusted web sites
  - avoid watering holes on the web
- PDF attack(s)
  - involve attacks that are embedded in PDF documents
  - only open PDFs from trusted sources
  - keep Adobe and other PDF viewers up-to-date
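The script below is an added example, not part of the original article, that turns four of the list items above (open wireless networks, untrusted DNS resolvers, OS updates from a trusted source, and PDFs with active content) into small shell checks a user can run on a Linux box during an emergency. Every input is a constructed sample embedded in the script: the nmcli scan output, the resolv.conf contents, the resolver addresses (taken from the TEST-NET documentation ranges, not real resolvers), the checksum manifest, and the PDF fragment. The function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: quick triage checks for the
# wireless, DNS, OS-update and PDF items in the list. All inputs are constructed
# samples so the script runs offline; on a real host you would feed it the output
# of `nmcli -t -f SSID,SECURITY dev wifi`, the contents of /etc/resolv.conf, a
# checksum manifest obtained from a trusted source, and the PDF to inspect.

# --- Wireless: which networks in range are open (unencrypted)? ---------------
# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi` (fields separated
# by ':'; the SECURITY field is empty, or "--" on older versions, for open APs).
SAMPLE_WIFI_SCAN='HomeNet:WPA2
FreeAirportWiFi:
CafeGuest:--
OfficeNet:WPA2 802.1X'

# Print one open SSID per line. SSIDs containing an escaped colon ("\:") are
# not handled by this simple split.
open_wifi_networks() {
    printf '%s\n' "$1" | awk -F: '$2 == "" || $2 == "--" { print $1 }'
}

# --- DNS: is every configured resolver on the trusted list? ------------------
# Placeholder resolver addresses from the TEST-NET documentation ranges;
# substitute the resolvers you have decided to trust.
TRUSTED_RESOLVERS='192.0.2.53 192.0.2.54'
SAMPLE_RESOLV_CONF='# Generated by NetworkManager
search example.net
nameserver 192.0.2.53
nameserver 198.51.100.9'

# Print each nameserver address that is not in the trusted list.
untrusted_resolvers() {
    printf '%s\n' "$1" | awk -v trusted="$2" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        $1 == "nameserver" && !($2 in ok) { print $2 }'
}

# --- OS updates: does the downloaded package match a trusted checksum? ------
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'   # macOS / BSD fallback
    fi
}

# verify_update PACKAGE MANIFEST: returns 0 when the package's SHA-256 equals
# the entry for its file name in a sha256sum-style manifest ("hash  name" or
# "hash *name"), 1 when the entry is missing or the hash differs.
verify_update() {
    name=$(basename "$1")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print $1; exit }' "$2")
    [ -n "$expected" ] || return 1
    [ "$(sha256_of "$1")" = "$expected" ]
}

# --- PDF: does a document carry active content worth a second look? ---------
# Constructed minimal PDF fragment whose OpenAction runs a harmless JavaScript alert.
SAMPLE_PDF='%PDF-1.4
1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj
2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj'

# Print each risky PDF name found, sorted. First-pass triage only: names hidden
# by "#xx" hex escapes or inside compressed streams are not detected.
pdf_risky_features() {
    printf '%s\n' "$1" \
      | grep -a -o -E '/(JavaScript|JS|Launch|OpenAction|AA|EmbeddedFile|RichMedia)[^A-Za-z0-9]' \
      | sed 's/[^A-Za-z0-9]$//' | LC_ALL=C sort -u
}

# Stand-alone demonstration on the constructed samples: run with the argument "demo".
if [ "${1:-}" = "demo" ]; then
    echo "Open wireless networks:"; open_wifi_networks "$SAMPLE_WIFI_SCAN"
    echo "Untrusted resolvers:";    untrusted_resolvers "$SAMPLE_RESOLV_CONF" "$TRUSTED_RESOLVERS"
    echo "Risky PDF features:";     pdf_risky_features "$SAMPLE_PDF"
fi
```

On the constructed samples the checks report FreeAirportWiFi and CafeGuest as open networks, 198.51.100.9 as a resolver outside the trusted list, and /JS, /JavaScript and /OpenAction in the PDF fragment; verify_update succeeds only while the package bytes still match the manifest entry, which is the property that matters when updates are copied from a CD-ROM library rather than fetched over a possibly redirected network.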
The main vulnerability that is exploited by the attackers is the attempt to standardize security procedures. The more standardized the computer configurations in a region are, the easier it is to attack many machines at once.
Effective attacks exploit standardization. Effective responses remove standardization and pursue independent work-arounds. When we decouple the responses, use multiple work-arounds, and independently establish security protocols, we reduce the attack's effectiveness.
We must all be involved in improving security. We cannot depend on standardized responses. For every rule-of-thumb, there are very good reasons to violate the rule-of-thumb. So, the security for each sub-net and each machine should be independent and be based on the particular vulnerabilities that entity or individual is exposed to.
- When you ask IT for help, try to learn a little more about your computer and its configuration. Try to make your computer's configuration different from the standard in some important way.
- Shut off wireless in your apartment or home, to see if your health or stress levels improve.
- Consider using your cell phone less, to see if your health or stress levels improve.
- Communicate with trusted friends in an open, electronic-free way.
- Document your IT difficulties, even if there is nobody on hand to help immediately.
- Compare your IT difficulties with a neighbor or friend. If your computers are slightly more secure in some way, then volunteer that your friend or neighbor might use your resources temporarily. (i.e. if you have a new computer that has an active firewall and hasn't been updated, then let a friend borrow it for online banking... but do not save the passwords in the machine.)
- Do everything you can to build trust, security, and confidence in realistic ways. Try to refrain from overselling any one solution.
© 2015-2021 Intrepid Net Computing. All rights reserved.