Jason Lackey
Solutions Marketing

You cannot airgap users

February 12, 2018 by Jason Lackey

The world of security is both fascinating and incredibly challenging. While whitehat technology and tools keep getting better, the blackhat side of the house is more than keeping up. Case in point: AutoSploit. Recently published to GitHub, AutoSploit isn’t really new, rather it is a mashup of the existing Shodan vulnerability search engine and Metasploit, which have been around for years.

What is new, though, is how enabling the new mashup is, taking a low barrier to entry for those who might want to play script-kiddie and making it even lower.

Pretty scary, right?

Well, yes, but…there are even scarier things out there and one of them is a fundamental component in just about every network – the user.

While there are all sorts of scary spoilts and hacks and back doors, it’s pretty hard to jump an air gap. In fact just about everything out there, with very few exceptions (see van Eck/TEMPEST), simply isn’t going to make it across one, at least not without some help.

That’s where users come in, because they have been doing things to break and compromise computer systems since pretty close to day zero, inspiring of one IT’s favorite acronyms, PEBCAK (problem exists between chair and keyboard). Compromise the user and the network is soon to follow.

For example, STUXNET, one of the largest and most successful hacking efforts, used USB drives to cross the air gap. Once in play, it caused all sorts of havoc with Iran’s nuclear weapons program, including the destruction of an estimated 1000+ centrifuges at the Natanz uranium enrichment facility. If users had followed appropriate air gap protocols, those centrifuges never would have started popping like a fresh scoop of popcorn on a hot griddle.

Of course stupid comes not just as a single flavor but rather in a spectrum (or perhaps several spectrums) running from passively dull and lazy to something resembling active treason (for those Firefly fans out there, this scene from Serenity covers one way of addressing breaches of security protocol).

Even in places where certain cities don’t exist on most maps and those who say the wrong things to the wrong people may face the Bulgarian umbrella or fall victim to some plutonium tea, you still find willful, active acts of extreme stupidity.

The Honey Badger of Mining Rigs

Tsar Bomba - Honey Badger of Atom Bombs
Russia's Tsar Bomba, the 50 megaton honey badger of hydrogen bombs.

Crypto-currencies, like BitCoin, can be created, or mined, by anyone with an internet connection and a sufficiently powerful computer. Some of the most powerful computers in the world are used in nuclear weapons research as they are needed to run the detailed simulations required to advance the state of the art in nuclear weapons without actually testing the devices. If a system is powerful enough to simulate the likes of the Tsar Bomba then it is likely powerful enough to do a pretty decent job of mining crypto-currency.

It would appear that the temptation was too much – someone at least tried to bridge the intentional air gap that separated one of the most sensitive computer systems in the world from the internet and seemingly tried to use that very system as a mining rig.

Which brings us back to users, who have always been the weakest link in the security chain. You are not going to be able to eliminate them, but you can make things better. A couple things you can do include training – if you explain that some of the things that make life harder for users are actually important security provisions and further explain how users can work around these requirements, most will. People in general want to do the right thing and are willing to help. The other side of the coin is that to be truly secure you probably want to make sure that everyone really is on your side and thus it may be useful to perform fairly detailed background checks on people you hire. If one of your employees has a gambling problem or financial problems he or she may be tempted to do things otherwise unthinkable – like using a nuclear weapons simulator as a mining rig.

Regardless of how robust the rest of your chain is, be sure you spend some time on the human element. You may not be able to use deadly umbrellas or toxic teas, but a little training and checking can go a long way.