Computer Security: today’s paranoia, tomorrow’s reality
When the Internet opened its gates to academia in the late 80s and, together with the World Wide Web a few years later, to the general public, computer security was considered somehow irrelevant. People pointing to vulnerabilities and security risks (“hackers”) were labelled as paranoid. But they woke to reality during the outbreak of the “ILOVEYOU” virus in 2000, which caused large scale infections of Windows PCs (including many at CERN).
Similarly, warnings about weaknesses and insecure control systems, issued by CERN and others (see our Bulletin article “Hacking control systems, switching lights off!”), were ignored until the “Stuxnet” attack against control systems in Iran proved them right in 2010. Reality beat “paranoia” again. Last year, the paranoid fear of many security experts that our whole IT infrastructure might have been infiltrated and spied on turned real, if you believe the revelations of whistle-blower Edward Snowden (see “Security vs. Nations: a lost battle?”). Paranoia vs. Reality: 0-3. And the next strike is approaching…
The Internet is currently transforming from an instrument for people to share information into an “Internet of Things”, in which almost any device can publish relevant and irrelevant data to all those who listen. Many gaming consoles and even TV sets require Internet connectivity for an “enhanced entertainment experience”. So do cars, as their entertainment systems provide interfaces to communicate with your phone. In the future, they might even communicate with other cars and the next traffic light to optimise traffic flow. “SmartMeters” will measure your energy consumption at home and share it with your energy provider in real time, using the Internet. “Nest Labs” (recently acquired by Google) does the same with home air conditioning and heating. Espresso machines provide USB ports for you to upload your favourite recipes and make your “coffee experience” even better.
The paranoia? All these devices run some kind of operating system. But compared to computers or laptops, the corresponding hardware vendors have no real incentive to provide permanent updates and patches for them. Currently, even some smartphone manufacturers are slow to provide suitable upgrades to the firmware of their older product lines. Why should we expect better from a manufacturer of Internet-ready espresso machines or of heating systems controllable from your tablet PC? Indeed, this reality has already caught up with us: German heating systems were found to be vulnerable* and numerous fridges(!) were found to be sending spam messages into the world...
Conclusion? Being paranoid is not that bad. It might just mean that you’re ahead of your time. At CERN, we should listen more to our intuition. Do we really have sufficient security measures in place? Is our data properly protected? Are our computing services able to fend attackers off? Is the way we do development and testing still adequate given that today everything is interconnected? When will reality enter CERN and create havoc? We’re interested to know where you would invest in computer security at CERN, where to improve, and what to leave out. Just e-mail us at Computer.Security@cern.ch. Be paranoid!
* Subsequently, the corresponding vendor suggested affected households disconnect their Ethernet cable.
Check out our website for further information, answers to your questions and help, or e-mail Computer.Security@cern.ch.
If you want to learn more about computer security incidents and issues at CERN, just follow our Monthly Report.