Aug 01 2014
 
Our computers these days have many USB devices connected to them.

As preppers, we anticipate, plan, and prepare for a strategic failure in some part of our national critical infrastructure, no matter what the cause or what the specific failure may be.

Some risks are obvious.  But as prudent preppers, we also look to find and consider all risks, including those thought to be remote and unlikely.  Some risks are subtle and generally little considered, even though they could potentially be devastating in their consequences, and might also be frighteningly possible.

An example of a risk category that few people fully consider is some type of cyber attack on our nation.  We’ve written about varying aspects of this in the past, most recently a mere week ago when we explained why the concept of a cyber-attack is so appealing to terrorists and others who wish us harm.

We don’t exaggerate when we say that almost everything in our lives is computerized these days, and the little bits that aren’t yet controlled by computers are quickly adding computerization and internet connectivity too.  While there are indeed benefits in having our kitchen appliances and our home heating/cooling all connected to the internet, there are also increased vulnerabilities.

The problem with anticipating and defending against a cyber-attack is that doing so requires a skill a bit like driving down the freeway at high speed, while only looking in the rear-view mirror.  On the freeway, the rear-view mirror will keep us in our lane, but only until the freeway curves ahead, and it won’t warn us if we’re closing in on the car in front.  With cyber attacks, we only know what our enemies have done in the past; we don’t know what they might think of next.  Unfortunately, within even the simplest parts of any computer system lurk all sorts of unexpected vulnerabilities, sometimes overlooked due to the simplistic and ‘safe’ nature of the components.  It is impossible to be certain that we have identified – and solved – all possible computer vulnerabilities (even though some ‘experts’ claim they have done so).

For example, think of one of the wonderful enhancements to computer peripherals these days – USB connections and their ‘plug and play’ automatic connection between the thing we plug in and the thing it is plugged into.  A decade or more ago, this seldom worked as it should, and it was often referred to as ‘plug and pray’.  Nowadays the ‘intelligence’ within USB devices has been greatly improved and they are better able to correctly identify themselves and install the necessary drivers automatically onto the host device which they’ve been plugged into.

Unfortunately, as the ‘intelligence’ of USB devices has increased, so too has the ability to exploit that intelligence and re-task it for nefarious purposes.  A hacker could build a virus into the USB device’s ‘firmware’, and so when the device connects to your computer, it automatically loads itself onto the computer without triggering any of the typical anti-virus warnings.

Keep in mind that this type of attack could come not just from USB memory sticks and thumb drives.  We’ve known for some time about the ability of USB drives to come with a virus pre-loaded on them, and also of course, for a virus to copy itself onto a solid state USB drive, the same way as it could onto any other drive.  But this new risk is very different, because it doesn’t come from a USB’s available data storage.  It is hidden in the USB’s internal memory and drivers.  It could come from any USB device at all.  A mouse.  A keyboard.  A printer.  Look at all the USB devices you connect to your computer these days, and appreciate that all of them could be sources of infection.

Who would have thought you could get a disabling computer virus from your mouse or keyboard or webcam or whatever?

The problem is even worse.  Once on your computer, the hacker’s code can then copy itself onto any other USB devices it finds, and of course can totally take over your computer and do whatever it chooses with it.

The problem is even worse than this.  You might think ‘Okay, so I’ll only use USB devices I buy brand new in sealed boxes, and I’ll never share them with anyone else’s computers’.  But – who is to say that the company making the USB devices hasn’t been compromised – either deliberately or unknowingly?  Remember that many of the computer attacks that are directed at the US come from China, then look around your computer gear and see how much of that comes from China.  Ponder the implications of that, and you’ll quickly realize why the government is increasingly concerned about allowing Chinese computer hardware into sensitive installations (and also, to be fair, why foreign governments are increasingly anxious about allowing US hardware into their sensitive operations too!).  Even brand new untouched computer gear might be infected with pre-loaded malware.

This article explains the vulnerability and how there is no defense against it currently, saying:

Most of us learned long ago not to run executable files from sketchy USB sticks. But old-fashioned USB hygiene can’t stop this newer flavor of infection: Even if users are aware of the potential for attacks, ensuring that their USB’s firmware hasn’t been tampered with is nearly impossible. The devices don’t have a restriction known as “code-signing,” a countermeasure that would make sure any new code added to the device has the unforgeable cryptographic signature of its manufacturer. There’s not even any trusted USB firmware to compare the code against.

We know, via Edward Snowden, that the NSA had some way of accessing computers through some type of USB exploit; it is likely that they use some of these now publicly discovered vulnerabilities.  If the NSA is doing this, if Edward Snowden has disclosed that, and if there is now public discussion of USB vulnerabilities, how many hackers are also doing the same thing?

Unfortunately, at present, there is no known solution to this problem.  Your computer and your USB devices might already be infected.

A deliberate hacker attack could take the form of stealthily infecting as many computers as possible, and then having them all simultaneously fail on some future date.

Would that destroy our society and bring about the type of Level 2 or 3 scenario we plan and prepare for?  We’re not sure, but for sure the very best case scenario would be a massive economic and supply disruption that would see many services totally fail and much of the physical distribution of food and supplies also interfered with.  If computer based programs can no longer be used to manage agricultural processes, to plot demand and to schedule harvesting and processing, and to interface between the different companies in a complex supply chain, how will food efficiently make it from the field to the shelves of your local supermarket?

Without computers, what will happen to the banking system?  If your job involves using a computer, how will you and all your colleagues, customers and suppliers do your/their jobs?  If your company fails, what will happen to your job and your income?

The big unknowns are the nature and extent of a social collapse due to a failure of the nation’s computer resources.  We fear it might be worse than we hope, and so we plan accordingly.

We suggest you carefully read the article that explains the USB vulnerability and its implications, particularly the part that concludes:

That means you can’t trust your computer anymore. This is a threat on a layer that’s invisible. It’s a terrible kind of paranoia.

Implications for Preppers

There aren’t a lot of special things you can do to prepare for a broad attack on all our computers.  Your computers and USB peripherals might already be infected, and there’s nothing you can do about it.

All you can do is ensure that your retreat and your lifestyle can continue without any computerization, and keep your prepping at a necessary level in anticipation of a possible future Level 2/3 situation, no matter what the cause.

One thing in particular is to print out hard copies of as much as possible of the electronic reference material you might have accumulated.  If your computers fail, you don’t want to have all your prepping knowledge resources destroyed.

Jul 26 2014
 
You might be looking at a foot soldier - maybe the only foot soldier - in our next war.

Our notions of modern war and warfare are, in largest part, hopelessly outdated and dangerously inaccurate.

When you ask most people to describe how they would expect any enemy to attack the US – whether a nation/state or an amorphous terrorist group, you’ll probably get responses ranging from nuclear missiles to crashing more planes into buildings or other sensitive areas.

But the most likely future attack may not involve bombs, and may not even require our attackers and their invading force to come within a thousand miles of our shores.  The notion of a gratuitous attack is, after all, not so much simply to kill some people and destroy some things, as it is to harm the enemy as broadly as possible.  War has sometimes been described as ‘An extension of economic bargaining by another means’ and in its ultimate analysis, most wars are either about economic issues, or, if ideologically based, are still about changing each side’s economic status.

Here’s an interesting thought to help explain that point.  More of us probably suffered more direct harm/cost/inconvenience through the ‘Global Financial Crisis’ that unfolded in 2008 than we did when the planes crashed into the World Trade Center and Pentagon on 9/11/01.  And, for those of us inconvenienced by 9/11, our inconvenience was probably a derivative effect of the 9/11 attack rather than a direct attack – because our flight was canceled, or the flight of someone coming to see us was canceled, for example.

We say this not to belittle the horror of 9/11, nor to overlook the deaths of the approximately 3,000 people directly killed on 9/11.  But more harm was done to more of us through the bloodless global financial crisis – an event that involved no spectacular events, attacks, explosions or casualties.

Furthermore, our enemies know that if they can harm our economic strength and our infrastructure, they directly harm our military and our ability to project power and influence around the world, and – in particular – in the areas that our enemies are most directly interested in.  The size of our military is of course directly related to the ability of our economy to support it – if our economy can be destroyed, how long will it be before our military is reduced still more in size because we can’t afford it at its previous level?

For an answer to that question, look at the fall of the Soviet Union and the collapse of their military.  It is only now that Russia is becoming economically strong once more that it can afford to revitalize its armed forces.

Or, if you prefer, look at China.  Its military might is increasing in direct proportion to its economic might.

Or, for the reverse, look at Britain.  Once the proud possessor of the world’s largest navy and most mighty military forces, but its military has imploded in step with Britain’s economic decline.  Make no mistake.  There is a very direct link between economic and military strength.

Okay, enough of that as introduction.  So what will the next attack on the US look like?  This article suggests it will be a cyber-attack on our economy, rather than a classic soldier based attack on our military.  The article says that Al Qaeda are already probing and seeking ways to uncover and exploit any computer system weaknesses, anywhere in our society.

This is not new.  We’ve written about our vulnerability to cyber attack before.  But this is the first time (that we’re aware of) that the authorities are now worrying about a targeted cyber-attack by Al Qaeda (you know, the terrorist force that President Obama assured us was broken and on the run in disarray a few years ago…..).

Do a thought experiment and wonder what would happen to your world if even only some computer systems went haywire and stopped working.  It would be a bit like the scenario that was much considered but happily never occurred on January 1, 2000 – do you remember all the concern about the ‘Y2K bug’ lurking in outdated programming code?  (If you don’t remember or didn’t understand what the Y2K bug was all about, it was because many computer programs only used two digits for the year, and so when the year (19)99 became the year (20)00, there was concern that some computer programs would crash because they might misinterpret 00 as meaning 1900 rather than 2000.  It is explained more here.)

The Y2K bug was averted in large part because the world planned and prepared for it.  Almost a third of a trillion dollars were directly spent urgently rewriting software, and who knows how much more was spent less directly on simply dumping old software and old microprocessor hardware and replacing it with more modern products that had four digit dates.  A similar problem is not now expected until 10,000, when there may be another problem due to date fields only having four rather than five digits!

One could argue that it is a shame that the Y2K bug didn’t materially impact our lives back then, because it has made us more complacent about computers and their potential to wreak havoc in our lives.

But, never mind problems 8,000 years in the future.  Please keep reading.

The Next Massive Attack on the US Will be a Cyber Attack

Much more pressing is the stated intention of Al Qaeda to attack our computer systems just as soon as they get resources in place to mount a massive coordinated strike.  We’d not notice it if one or two computers failed, but we’d sure notice it if the nation’s entire banking system crashed, or if the power grid went down, or even if the internet backbone jammed.

As the other articles we’ve written about cyber-vulnerabilities explain, there are weaknesses in computers and control devices everywhere we turn (for example, this article about 11 million computers at risk from one type of attack), and with the internet, these devices are increasingly accessible remotely, even from other countries.

But – and here’s the worrying thing.  Although there was a high level of public awareness about the potential impact of the Y2K bug, and a worldwide campaign to eliminate the risk prior to 1/1/01, where is the similar global action to harden up our computer systems?  It is just not there, is it?

Think about this the next time you are in an elevator and push the button to go to your chosen floor.  You are relying on the elevator’s control computer to do the right thing – to take you to the correct floor, to stop there, and to open the doors.  What say it gets reprogrammed and jams you, with the doors shut, between floors?  What would happen if almost every elevator in every building failed, simultaneously?  That might not sound life threatening, but if you live or work on the 20th floor of a building, how will you now get up and down those 20 floors?

Okay, so maybe you can struggle up and down the 20 floors.  But what say the building’s HVAC system goes haywire too.  Instead of a nice comfortable 70 degrees, the temperature goes up to 100 degrees.  What do you do then?  Smash the glass of the sealed windows to let some fresh air in (which at some times of year might be still hotter, anyway!)?

Now let’s make the traffic lights malfunction too.  Maybe they’ll just simply fail.  Or maybe they’ll randomly go green and red, encouraging accidents.  Surely you know, on the occasional times when a single traffic light is out of service, how that can back up traffic for some blocks around.  Now imagine if the entire city has failed traffic lights.  How does your daily commute sound now?

With traffic jammed up, what say a building’s heating furnace or something else misbehaves, causing a fire to break out.  How will the fire trucks get to the building to put out the fire?  The sprinklers will activate and do the job for them?  Well, maybe, but that assumes the sprinkler control system hasn’t been made inoperative too, and the water supply pumps haven’t also failed.

What about simpler things such as food and water?  Well, as we’ve already mentioned, stop the water pumps and you stop the water.  Now cause supermarket freezers and coolers to fail, and also disable their computerized re-ordering systems, and they’re down to dried goods only with impaired means of resupply (particularly because the trucks will be snarled in the same traffic jams).

In truth, these are difficult and indirect ways to create chaos in our nation.  A much simpler way is just to directly attack our electrical grid.  This attack could either be via the switching control circuits, causing transformers to overload and explode, or it could (also) be via the power generating facilities.  Have the power generating plants’ control systems fail, or program them to dangerously overload the machinery so the hardware itself fails.  Can a nuclear plant be programmed to explode?  We don’t know, but we bet it could be.

Why not make the computers that control Wall St and our stock exchanges go crazy?  While you might think that the loss of the stock exchanges would not really matter much, the loss of liquidity would see businesses unable to fund their purchases of raw materials, and in turn, be unable to sell their finished goods because their customers also were losing access to their credit facilities.  This would be a slower failure perhaps than just turning off the electrical grid, but if you have some of your retirement savings in any form of electronic/intangible holding (and, unless you have gold bars underneath your mattress, the chances are that most/all of your savings are in electronic abstract form) you’ve lost access to them.  Not just businesses would be harmed.  People could no longer buy and sell houses, cars, or much at all.

More immediately and with much greater direct effect, take out the banking system’s computers, and you can no longer use credit cards for payment, and you can no longer withdraw cash from your bank account.  What happens then when you next go to buy groceries, or gasoline, or anything, anywhere?

The possibilities for harm via attacking our nation’s computers are without limit.

Note that while we rate our risk of cyber-attack as high, most of our adversaries are not similarly at risk, because they are either low-tech nations with less reliance on computers, or alternatively, they are amorphous organizations with no physical territory or computerized infrastructure that could be targeted.

The Benefits of Cyber-Warfare to an Attacking Force

Now, think about it as if you were an attacker.  What would you rather do?  Go to boot camp, endure three months of basic training, learn to shoot, and then be shipped off to invade the US, where you’ll be shot at, likely injured, and possibly killed?  Or take some programming classes, and from the comfort of your own living room, in pyjamas and slippers, with a coke in one hand and a burrito in the other, write a computer program and insert it into a far away computer in another country, totally free of discomfort or personal risk?

There’s another benefit for an attacking force, too.  If you are talking soldiers, obviously a platoon of 12 men requires, yes, 12 people.  A battalion of 900 people similarly requires 900 people, and so on.

But, in cyber warfare, one single person can ‘enlist’ thousands of computers by infecting them with viruses that will, at a particular time, take over the computer.  That one person can then instruct all these thousands of ‘zombie’ computers to attack simultaneously.  An entire massive cyber-invasion can be planned and executed by a single person.

Now, what if you were a defender?  It is one thing to see a line of advancing enemy troops, and as part of your force, to defend your territory against them and to repel them.  But what good are ‘boots on the ground’, aircraft, tanks, guns, night sights and everything else when your enemy is not physically present, but instead is somewhere else, but you don’t know exactly where?

There’s another issue, too.  How do you fight back against a computer virus?  You don’t know where in the world it came from, and even if you did find out, by the time you’ve located the source of the virus, the person has moved, and initiated another attack from another city (or even another country).

As we started off saying, anyone who plans to fight a war with guns and bullets these days is short-sighted and crazy.  Why go to all the hassle and personal risk when you can simply unleash a computer virus that will do more damage than all the bullets and bombs you could carry?

The flipside of this is also relevant.  Anyone who plans their nation’s defense on the assumption that the enemy will only be using bombs and bullets is also crazy.  Sure, we need to keep a national military force, but our most likely attack is going to come through a computer circuit, and rather than being aimed at our troops, it will be aimed at the soft underbelly of our society – its vulnerable and unprotected computer systems.  That’s where we need to be placing the most focus and defensive resource.

Our enemies have told us they want to cyber-attack us, and our enemies are trying, on a daily basis, to infiltrate our computer networks.  The war has already started.

Bottom Line for Preppers

A cyber-attack could bring about an instant disaster, but may instead create a ‘boiling frog’ effect in society.  Our social support systems and structure would slowly degrade, rather than instantly fail.  This would engender tolerance of the problem and hope that it will be resolved, but if the attack is staged and ongoing, instead of improving, more systems will go off-line and problems will get worse.

This makes it very difficult to know when you should evacuate your city area and move to your retreat.  We discuss this in our article ‘Why slow disasters may be as serious as sudden disasters’.  We urge you to (re)read that article and create your own ‘lines in the sand’ that will trigger your decision to bug-out and switch from every-day mode to TEOTWAWKI mode.

Oct 18 2013
 
A Topol-M ICBM parading through Moscow's Red Square.

Chances are you can come up with a long list of things that might go wrong so as to cause TEOTWAWKI.  But do you have ‘computer mistake’ on your list of things to worry about?  If you don’t, you should.

This article concerns the little known events on 26 September 1983, when Russia’s (well, back then, it was the Soviet Union) early warning system reported multiple missiles, launched from the US, and headed towards its territories.  The early warning system further rated the probability that this was a real bona fide first strike attack on the USSR at its highest level of certainty.

The duty officer at the monitoring station was supposed to urgently telephone the country’s leadership in Moscow, and there was close to a certainty that the leadership (Yuri Andropov had recently taken over the General Secretary position from Leonid Brezhnev) would respond by ordering a reciprocal strike on the US, launching their own missiles before the incoming missiles could destroy them on the ground.

But the duty officer suspected that, no matter what the computers were telling him, the warning was false rather than real, and saw some inconsistencies in the raw data.  So he disobeyed his instructions and instead of calling the leadership to report an incoming missile strike as he was supposed to do, he reported a system malfunction to the people responsible for maintaining it.

As it turned out, he did the right thing.  But if he had followed orders, we’d have ended up with an inadvertent nuclear war that would have very likely destroyed most of the US, the USSR, and much of the rest of the world.

Details here.

Thirty years later, could such a thing still happen?  Unfortunately, the answer is ‘yes’.  Indeed, there is less time now for incoming information to be evaluated and cross-checked, and more of an urgent need to respond before any incoming strike takes out our own (or anyone else’s) arsenal.  Furthermore, increased computerization makes it harder to see the ‘raw data’, and we instead have to rely on the computerized, processed, interpretations.

So go ahead and add this to your already long list of potential life-changing events – and put it in the most extreme category, because it is something that could suddenly occur without any warning or any chance for us to transition from our normal lifestyles to our retreats.  Perhaps now is also a good time to read our series on radiation issues.

Jul 30 2013
 
Satellites provide both obvious and obscure but essential services to every aspect of our modern convenient lives.

Ignore, for the moment, how it would happen, and instead think about what would happen, if all the satellites ‘up there’ stopped working.  The BBC recently published an article asking – and answering – that question.

You can probably guess at some of the results of a global failure of all satellites.  Our GPS systems would stop working.  A lot of the content on our televisions and radios would disappear – not just satellite radio and tv channels, but regular programming on regular stations, too; much of which is distributed by satellite feed.

Some long distance phone communications would become more difficult.  While much/most long distance phone communications go by terrestrial microwave or fiber or cable, some is still routed via satellite.

Weather forecasting and reporting would become more difficult.

Air traffic control would deteriorate, although the transition from ground/radar systems to GPS type systems has been shamefully slow in the making and is only rolling out now.

So there’s a quick list of five effects of a loss of all satellites, none of which sound like they are life changing or life threatening, right?

But let’s now ‘drill down’ a bit further and consider some of the other uses and implications of satellites.

If our weather forecasting abilities deteriorate, that has massive implications on many things.  It interferes with optimized crop production.  It makes it harder to plan sufficiently in advance for severe weather such as hurricanes.  Airplanes are more likely to fly into storms rather than be able to avoid them.

The military uses of satellites are also significant.  A great deal of intelligence gathering is done via satellite – not just real-time and offline imagery (both still and video) but SIGINT too – monitoring ‘the other guy’ and understanding some of what he is up to.  Satellites are also used to control our growing squadrons of drones around the world, and are used for tactical communications by personnel in many areas of the overall military structure.

These continue to be bothersome, but not life changing.  There are many more ‘pin prick’ type issues such as this – ranging from the failure of many ‘emergency locator beacons’ to a slowdown in first responder services due to not being able to use GPS to most efficiently get where they are going.  But possibly the biggest problem would come from an unexpected aspect of the loss of the GPS satellites that has nothing to do with location data.

GPS satellites do a great deal more than simply tell us where we are.  But don’t sneer at the value of that ‘simple’ thing.  Most of us, several times a year, and possibly even several times a day, rely on our GPS units.  Or, if we don’t directly rely on the GPS to navigate with, maybe we rely on its derivative data – showing us a traffic conditions map, enabling us to decide which route we take to get between home and work.  Much of that traffic data comes from ‘probes’ – a fancy way of saying ‘monitoring the GPS in your phone’, and if the GPS fails, so too do the probes and therefore, the traffic data in general.

However, we’re still only skirting the edges of problems when GPS systems fail.  Sure, commercial transport relies on GPS much more than we as ‘ordinary’ drivers, and we’ll all have to start to find our old maps and brush up on our map reading skills.  But, the really big thing, uncovered in the BBC’s largely simplistic analysis, is the other thing that the GPS service provides – ultra-accurate timekeeping.

The BBC claims that without the timekeeping services provided by GPS, the entire internet will degrade and possibly even collapse.  And all of a sudden, that’s a very different ballgame, isn’t it?  The article says:

Our infrastructure is held together by time – from time stamps on complex financial transactions to the protocols that hold the internet together. When the packets of data passing between computers get out of sync, the system starts to break down. Without accurate time, every network controlled by computers is at risk. Which means almost everything.  [Our emphasis]

So, the loss of satellites – or, even worse, the loss of just the GPS satellites, would end up meaning TEOTWAWKI.

Now, how likely is it that such an event might occur?  More likely than you might think.

One major solar storm would be all it takes.  A major solar storm could destroy the GPS satellites (as well as so much more besides).  We’ve written about the risk of solar storms before, and in particular, in this article we quote from a study which estimates there to be a 12% chance of a super storm occurring in the next ten years.

So, there’s about a one in eight chance that some time in the next decade our modern world’s infrastructure will be destroyed.  Are you prepared?

Jun 10 2013
 
An example of a car prowler opening a car with a mysterious electronic device.  No-one yet knows how.

We’ve written before about the vulnerabilities and threats to our society posed by hackers wreaking mischief on our nation’s computer-controlled infrastructure.

The problem that exists is visualizing and comprehending the open-ended nature of such threats.  Any computing device, no matter how simple or ‘safe’ it might seem, including devices that we don’t even think of as being computers, is vulnerable to hacker attack.

It is one thing to guard against known threats and risks, but the open-ended concept of computer ‘exploits’ requires the people protecting and defending the computers to be as creative and imaginative as the attackers.  Although we have some very clever people involved in helping our society become less at risk of computer attack, it is impossible to think of every form of computer attack.

Let’s look at another form of computer attack that, happily, in no way risks destroying our society and plunging us into the depths of a Level 3 situation.  But we offer this to you as an example of how computer vulnerabilities can appear in unexpected areas, and in every area.

Specifically, here’s an interesting story about how common ordinary car prowlers across the nation are now making use of an unknown device that ‘zaps’ the computer control systems in some vehicles, causing them to unlock themselves.

The really interesting aspect of this is that both the police and computer security experts have no idea at all what the device is or how it works.  Which is a polite way of saying that they also don’t know how to close the loophole that this mysterious device is exploiting, and for now, all they can lamely say is ‘never leave valuables in your car’.

The learning points from this real life example are :

  • Even the most unexpected devices (car door locks) have computers operating them and are vulnerable
  • Even the simplest of computers have security vulnerabilities
  • Most astonishingly of all, even if the experts know a vulnerability exists, they might not know what it is or how to fix it

As we said to start, this particular vulnerability isn’t going to cause society to collapse.  But you have to ask the question – what else might also be vulnerable to computer attacks that are more essential to the ongoing smooth functioning of our society?  That list is enormously long, and some of the vulnerabilities terrifying in scope and scale.

Truly, any day and every day there’s a possibility that an all-out attack on critical computer control systems might occur, plunging our society into a sudden and severe disruption and Level 2/3 event from which few people will survive.

Keep up with your preps!

May 19 2013
 
The increasing sophistication of electronics obscures their increasing vulnerability to a hacker attack.

Many of the risks and vulnerabilities we have to consider are things that have not yet happened and which we hope might never happen.  Nuclear war, for example.  Or alternatively they are things that happen so rarely as to give us hope they might not recur during our lifetime – a massive asteroid strike, Yellowstone erupting, those sorts of things.

Very few things we consider are things which are actively happening at present, although perhaps that is definitional and a matter of degree.  Maybe it is fairer to acknowledge that some pathways to disaster are already prepared, and we’re potentially heading down them currently.

For example, the risk of economic collapse is never far from the surface (particularly at present), and some type of medical problem – whether a super-flu bug or the consequences of super-antibiotic resistant bacteria – seems to be another type of risk that is of increasing likelihood.

Furthermore, society’s evolution into an increasingly complex and interlocking structure of chained dependencies makes us ever more vulnerable in the event of any of these events occurring.

But most of these issues are topics for another time.  Today, let’s focus on something that is very much ignored and overlooked by most of the mainstream media – the fact that we, in the west, are already locked in a deadly war that threatens our civilization as gravely as any of these other issues.  We’re not talking about the global struggle against Muslim extremism.  We’re talking about a battle with an enemy we can’t even identify.  We don’t know who they are, and we don’t know where they are.  We don’t even know if they are one (or many) organized groups, or just a random series of unrelated attacks by individuals.

We’re talking about the battle for our ‘cyberspace’.  We don’t just mean what happens if your computer gets infected with a virus, although that’s for sure a bit of collateral damage of sorts.  We mean the major battles that are raging beneath the chaotic surface of the internet, battles which usually go unnoticed and regrettably go unreported.

Here’s a case in point :  This article in, of all unlikely places, a small regional newspaper/website in Montana, talks about a coordinated cyber-attack against the US earlier this month, known as OpUSA.  Apparently it even had some moderate success, including taking down the ISP used by the reporter and more than a million other people (CenturyLink) for a couple of days.

As the reporter concludes,

virtually our entire world economy is now dependent in some way on the Internet, and if it is subverted by malignant forces, then heaven help us.

The only correction we’d suggest is to remove the word ‘if’.

You’d like another example?  This time let’s turn to a series of articles in the respected MIT Technology Review.  Their headlines tell the stories, almost without needing to read the full articles.  Protecting Power Grids from Hackers is a Huge Challenge is the headline in one.  An earlier story on that theme is headlined Old-Fashioned Control Systems Make US Power Grids, Water Plants a Hacking Target.

Showing that such activity is not just theoretical is this article :  Honeypots Lure Industrial Hackers Into the Open.  That is an interesting article because it moves beyond the large theoretical element in the first two articles and points instead to a researcher who put up some dummy industrial control systems and found them immediately attacked and successfully penetrated by unknown hackers from no-one knows where.

The war is as much global as it is confined to the US.  Here’s an interesting article about how earlier this year a person, as a hobby, collected data on some 310 million different devices connected to the internet.

His findings?  The article discreetly says that many of the responses he received came from devices revealing vulnerabilities that would allow them to be readily taken over.

We should note that it isn’t just poorly configured computers that are at risk of takeover.  The article mentions government level computer takeovers (‘Red October’), as well as government sponsored intrusions (‘FinFisher’).

We ourselves have recent and personal experience with supposedly secure computers being taken over by we don’t know who, but at a level sufficiently severe to cause the FBI to contact us of their own volition and offer their help.  Unfortunately, the bottom line appraisal of the situation by their experts is that nothing is 100% secure and a determined hacker will find a way in to just about anything.

There’s another dimension to this problem as well.  In addition to the hacker attacks from shadowy individuals and organizations, might the key equipment that connects the essential backbone of the internet together contain deliberately engineered vulnerabilities hidden within it by government sponsored organizations?  This worry is at the heart of the reluctance of many western governments, who are resisting the temptation of very low-priced internet routers and switches offered for sale by the shadowy Chinese company, Huawei.

This is a vulnerability that is already surrounding us.  Do you have a Lenovo computer, for example (Lenovo is a Chinese company that bought the IBM laptop business a decade or more ago)?  Even if you have an American brand computer such as Dell or HP, where was it made and, more to the point, where were its components made?

Modern integrated circuits have as many as a billion or more transistors plus countless other resistors and capacitors.  Who’s to know what might not be hidden in all of that?

Similar concerns have attached to allowing Huawei to supply equipment for wireless communication services.  Let’s extrapolate a bit :  Here’s an interesting – and totally speculative – thought.  The amazing value new handheld transceiver radios that companies such as Baofeng and TYT are now flooding the US market with – who’s to know if they don’t have some type of remotely activated functions hidden inside them, too?

Some high-end two-way radios have a ‘Stun/Kill’ function which allows the radio to be ‘put to sleep’ via a remote command (ie, to be ‘stunned’) and also to be de-activated totally (ie to be ‘killed’).  This is useful in a law-enforcement/security environment – if a radio is lost or stolen, you can remotely destroy it so as to protect the security of your radio communications.

How do we know there isn’t an undocumented function buried within these radios that could result in them all suddenly being de-activated upon receiving a special command signal?

The same is true of much of the electronics in most other things we surround ourselves with.  Some risks are minimal and benign – it would be unfortunate if our television set destroyed itself after getting a special coded signal in a regular tv transmission.  It would be more inconvenient if the new generation of internet connected refrigerators all failed.  If the engine control computers in our vehicles also failed, then things start to move beyond inconvenient, and once we see the control systems for water, sewage, power, buildings, computerized manufacturing, and all the other things that are now computerized (the elevator in your apartment building or office) stop working, then we’re into the middle of a massive disaster.

Summary

The fact of the growing number of electronic type risks we are surrounding ourselves with is beyond question, and indeed, our governments themselves are sufficiently concerned as to sometimes refuse to buy lower priced equipment that, on the face of it, seems as good as or better than higher priced equipment.

The reality of the risks is underscored by the ongoing active probing attacks on our infrastructure every day.  Some of this may be individuals having fun, some of it is uncoordinated, but some of it for sure seems to be sponsored by state level organizations.

When the time comes for such forces to decide to mount an all-out attack on our computerized infrastructure, it could literally all be over in less than 15 minutes.  Almost before we realized we were under attack, sleeping ‘worm’ infections in control systems could be activated and the systems they control destroyed or disabled.  Power generators and most other machinery could be destroyed due to being deliberately run too hot or too fast, nuclear power stations could be at risk of meltdowns and major radioactive releases, our grid could be in melt-down, and every computer controlled device, from industrial processes to the pumps at gas stations and the cash registers in our stores would all be disabled.

And then, for the coup-de-grace, the internet as a whole would come crashing down, with the backbone routers and switches all failing.  The same would happen to wireless services and even to ham radio type gear too.

Life as we know it would come to an end in less time than it takes to read this summary.

Note, near the end of this article, the observation

It would be possible to adapt to an outage of one or two days with minimal long-term impact on GDP, according to Healy, thanks to backup generators and other measures. “Once you get more than about 10 days, then about 80 percent of economic activity ceases,” he said.

That’s an interesting observation.  We have less than ten days from a major failure before our economy collapses, long-term, down to one fifth its present level.  How would you manage with one fifth the food you currently eat?  One fifth the water?  One fifth the electricity and gas?

Remember that it can take two to three years to get a replacement major power transformer.  Indeed, with a widespread nationwide attack, almost nothing could be repaired and restored to normal operation in ten days.  It is almost a certainty that after a massive electronic attack, our society’s underpinnings would be down for not ten days but more likely ten weeks or ten months, maybe even ten years, and it could take ten decades for a recovery process to be complete.

In an earlier article, we quoted Los Angeles officials as saying people should prepare for a fourteen day period being ‘on their own’.  The only thing wrong with that advice is the assumption that, on day 15, it will all magically be okay again.  With a major national disaster, the only thing that will happen on day 15 is even greater misery than on day 14, and a growing realization that help will not be magically coming.

Which is, of course, why we are actively preparing for our own self-sufficiency.

Mar 02 2013
 
The red dots are pumping stations on our national gas pipelines.  The Chinese military may now have the capability to destroy a thousand of these simultaneously through only a few computer keystrokes.

Due to its current abundance and low cost per unit of energy, the US is becoming increasingly dependent on natural gas.

Already, 30% of all electricity comes from power stations burning natural gas.  Conversion programs to convert buses and trucks from diesel to natural gas are becoming increasingly popular due to the massive cost savings operators can quickly get from their investments.  And if you have gas to your residence, you know that the cost of the gas has dropped over the last few years, while electricity costs have stayed the same or risen, making it more and more appropriate to use gas for heating your water and your house and on your stove top.

An interesting thing about natural gas is that most people perceive it as ultra-reliable and as close to guaranteed to be always available as possible.  We’ve doubtless all experienced power outages from time to time, but when have you ever had an unexpected unscheduled gas outage?  Probably never; indeed some people view their gas supply as so ultra reliable that their emergency generator uses natural gas as its energy source.

Unfortunately, while historically it is true that our gas supply has been ultra-reliable, today it is also true that the gas supply has become ultra-vulnerable to disruption.

Almost all the gas that is used somewhere comes from somewhere else, and travels from where it is extracted/processed to where it is consumed, by pipeline.  For sure, pipelines are physically vulnerable – a stick of dynamite could destroy a segment of pipeline any time and anywhere, but doing so requires ‘boots on the ground’ – you need people to physically get explosives, travel to vulnerable/accessible stretches of pipeline, blow them up, then escape safely.  None of that is impossible, but it is difficult and requires a substantial number of saboteurs if they are to have an appreciable impact on the supply lines.

We try to make it a little difficult for such attacks to occur; information on the exact location of gas pipelines and the related control stations is somewhat restricted.

But there’s an easier way, which the Chinese military have been preparing.  This article reveals that during a six month period in 2012, cyber-attacks traced back to the Chinese military were detected on 23 pipeline operators (there are about 30 major pipeline operators in the US), and includes the explanation that with the information stolen and access obtained through these cyber-attacks, it would be possible to cause enormous damage, either sequentially or simultaneously, and with the attackers never needing to leave the safety of their bases in China.

The article gives the example of using the access gained to mess up control settings so as to cause a thousand pumping/compression stations to simultaneously explode.  Destroying a pumping station is more serious than just knocking a hole in the side of the pipeline, and takes longer to repair.

Now think about the implications of this.  Not only would we lose the 30% of our electricity that is currently generated from natural gas, but we’d also lose the use of natural gas sourced energy in industry and at home, too, massively increasing our demand for the electricity that would already have become seriously in short supply.

Most households with gas for heating and cooking use more energy from natural gas than from electricity, so household demand for electricity would more than double (in winter, not so much in summer).  The same in many commercial applications, too.

As you may recall from the California electricity crisis back in 2000 – 2001, even a very small shortfall in electricity supply can be enough to massively mess things up.

Maybe this would not destroy our society entirely, but it would sure change our lifestyles substantially.  And all it would take to cause this is a few keystrokes on a computer somewhere in China – and who’s to say that other countries hostile to the US don’t have similar capabilities or haven’t been given the information obtained by the Chinese cyber-terrorists?

Implications

Our point is simply this.  Scratch the surface of most of the essential underpinnings of our modern-day society and lifestyle, and examine the things we most take for granted, and you’ll find ugly exposed vulnerabilities that are growing rather than diminishing in size and scale and scope.  Barbed wire fences and armed patrols might provide physical security for our nation’s critical infrastructure, but the preferred form of attack these days is not this old-fashioned method involving real people doing real things to real structures, it is a ‘virtual’ attack via computer, a form of attack that we seem to be much less able to defend against.

Your non-prepping friends probably have no idea that a branch of the Chinese military, deploying a team of cyber-terrorists, now has the capability to destroy our natural gas supply system, which is part of the reason they are not preppers.  But you know, and hopefully you continue to prepare for and anticipate potential crises of all forms.

Oh – one last thing.  If a cyber-attack were to be launched against the US, of course it wouldn’t be only limited to our gas pipelines.  These same hacking exploits that created the pipeline vulnerability have been occurring regularly on other elements of our infrastructure, opening up vulnerabilities in many other parts of the fabric which binds our society functionally together.

The overwhelming impact of a cyber-attack would make Pearl Harbor look like nothing more significant than a gnat on an elephant’s rear.  A full-out cyber-attack would destroy just about everything we need to survive currently – energy, water, food, sewer, communications, you name it.  Such an attack, from start to finish, would take less than five minutes, and would have no prior warning at all.

Be prepared.  Be very prepared.

Dec 25 2012
 
What happens if your credit and debit cards stop working?

The concept of a banking system failure is often thought of generically, together with other concepts such as, at the present, the ‘fiscal cliff’, and past things such as the S&L crisis, the mortgage crisis, over-paid greedy investment bankers, and other vague and hard to completely comprehend concepts that while clearly not good, generally have no immediate impact on us directly.

Yes, it is true that all of these issues represent downsides to our current financial system, but few of them are, of themselves, potentially catastrophic.  So let’s instead consider a risk which could indeed be catastrophic, and depending on its duration, could plunge the nation into a situation that might start at Level 1 but which could quickly become Level 2 (hopefully not reaching Level 3) (definitions here).

Think about this – what would happen if your credit and debit cards stopped working?  How much cash do you have in your pocket?  How would you get some more?

What would happen if the computers controlling the nation’s banking system were attacked and disabled?  With all banking records and processes now being computerized, there’s clearly the potential for disaster if the computers stop working, and who wants to be the first to say that would be impossible?

The immediate problem would be that we’d all run out of cash.  How much cash does your family have in total?  How long would that last you – a couple of gas fill-ups, a few trips to the supermarket, and that’s probably much of it gone.

Maybe you think you could write a check.  But who will accept a check when the bank is unable to accept it, process it, and transfer the money from your account to someone else’s account?  Without their computer systems up, the bank won’t even know how much cash is in your account, so neither you nor someone you paid with a check could walk into your home bank branch and ask for it to be converted to cash while waiting.

So, at an immediate level, commerce would grind to a halt.

The Problem Extends All the Way and Back to You Again

Now, let’s think about the derivative levels.  It is one thing for you to run into difficulties when trying to buy $50 worth of gas or groceries.  But what happens when the gas station or supermarket then needs to place an order from their suppliers for $50,000 of product?  How do they pay for that?

This question repeats up the distribution chain, and then loops around right back to you.  Your employer somehow makes money by delivering a product or service to someone else.  When that someone else can’t pay your employer as they usually do, how can your employer in turn pay you the weekly/monthly wages/salary you normally get?

For that matter, even if they could pay you, how would they do that?  With a bank auto-transfer?  Not possible when the bank computers are down.  Maybe with a check?  That’s not going to do you much good either, is it!  Could you take your $3000 check to the gas station and say ‘take one tiny corner of my check to pay for a tank of gas’?

And what happens when the farmers don’t get paid for the crops and livestock, and can’t afford to then buy new seed, animals, food, fertilizer, and so on?

What happens when the oil refineries no longer have money to buy raw oil from the Middle East or wherever?  When we can’t even pay for natural gas from Canada?

Part of the problem is that our economy is essentially cashless these days; indeed, cash has become so obsolete that many financial institutions have stopped reporting on or analyzing the actual amount of currency in the economy.  This measure – referred to as M0 – has been an ever decreasing percentage of the total ‘virtual’ money that our economy uses – here’s an interesting chart showing the increasing discrepancy between M0 and broader definitions that include successively more and more virtual money.

[Chart: global money supply trend]

The difference between M0 and all the other types of ‘money’ is that only M0 has a physical form – banknotes and coins.  The rest is nothing more than entries in computer systems, perhaps duplicated in the form of fancy ‘certificates of deposit’ and such like.

An outage of the banking system computers means an outage of the rest of this money, too.

Is This Likely or Unlikely?

So, how likely is it that the banking system could suffer a sudden catastrophic failure?  As a random event from nowhere, very unlikely.

But as an outcome of a skillfully designed and directed computer hacker attack – that is an appreciable risk.  Don’t just take our word for it.  Instead, consider this article which quotes US Defense Secretary Leon Panetta who said, in October, that foreign hackers have the potential to take down our nation’s power grid, financial networks, and transport systems.  He said that such an attack could ‘paralyze and shock the nation’, and further pointed to exploratory attacks against banks earlier in the year.  He terms this a potential ‘Cyber Pearl Harbor’.

His solution is, in part, to seek authorization to mount pre-emptive attacks against potential cyber-aggressors.  Maybe that is a good thing to be able to do, although we’re actually not too sure about that.  Most of the major cyber-terrorism sponsor countries (ie Russia, China, Iran, North Korea) are nuclear powers, and depending on what form our pre-emptive attacking might take, these nations could choose to respond in ways that could have even worse consequences than a cyber attack.

In addition, how do you pre-emptively attack when the source of the cyber-aggression isn’t a nation/state, but rather a shadowy group of individuals, possibly living in our very midst, or else distributed randomly throughout the rest of the free world?

Remember, there’s no such thing as distance when it comes to attacking computers on the internet.  It is as easy to take down a computer (electronically) from the next room as it is from the far side of the planet.  And – paradoxically – mounting a cyber-attack is a very low-tech process.  All the hacker/attacker needs is a simple laptop computer and a modem or internet connection.

So, much as Secretary Panetta might wish otherwise, the reality is that he most likely either won’t or can’t do anything to pre-emptively take-out cyber-aggressors prior to them in turn taking out our computer-based infrastructure.  And the only surefire defensive measure is to isolate the computer systems that are being attacked.  But that ‘cure’ is worse than the problem – isolating the computer systems means no more external sources of inputs and no more external outputs, either.  No more computing network.  No more banking system.

How to Prepare for a Banking System Failure

You might think that the obvious solution is to keep a large supply of cash on hand.  But that is not an adequate solution, because it only addresses one part of the problem.

Just because you can pay the gas station $50 for the tank of gas you need doesn’t mean that the gas station can in turn pay the refinery the $50,000 it needs to pay for its next shipment of gasoline.  The same at the supermarket, and everywhere else.

Rather than stock up on cash, a better solution is to stock up on goods, so that you can survive for an extended period without needing to spend money, in any form, on additional supplies.

You also need to assume your utilities will deteriorate in service – raw materials will be hard for the utilities to source, and if they can’t pay their employees, they’ll start to suffer absenteeism, made worse by the need for employees to start to focus full-time on their own immediate survival needs.  Similarly, the food and other essential supplies at your normal retail purchase points will fall into gravely short supply or disappear entirely.

If the banking systems aren’t up and running again within a day, we’d view the situation as making it prudent and sensible to bug out entirely to your retreat.

Dec 16 2012
 
Our amazingly convenient and increasingly essential GPS service is also terribly vulnerable to five different forms of attack.

We offer this report to you not as an example of how the world as we know it might end, but just as another example of how the more sophisticated the systems and services we surround ourselves with, the more vulnerable we become.  The convenience they offer us blinds us to the added degree of dependence on which our lives and life styles are based.

Back in the ‘good old days’ – ie before ubiquitous GPS, people would go places based on maps.  Remember the annual Rand McNally books of maps?  And remember how they’d pressure us into buying a new one every year, due to ‘50,000 changes since last year’s edition’ or something like that?  Remember also buying (or being given!) maps at the gas station?

Do you even have a map book now?  For many of us, the answer is no.

Now – here’s the thing.  Your map book was failure-proof.  Apart from leaving it behind, or the dog eating it, it couldn’t fail, right?  Maybe it wasn’t the most convenient way to navigate your way from Point A to Point B, but it always worked.

If we go off-road, we might formerly have augmented our maps with a compass as well.  A compass relies on the earth’s magnetic field, and although there are some thoughts that the magnetic field could flip around some time in the next some thousands of years, for our lifetimes, it is probably safe to say the earth’s magnetic field is about as reliable a thing as the sun rising in the east every morning and setting in the west each night.  Apart from the compass itself breaking, the underlying principle of compasses is 100% reliable, and compasses themselves are relatively easy to repair or improvise in an emergency.  A compass is a perfect low tech device that relies on nothing external to operate.  It doesn’t even require any electricity.

Nowadays, maps and compasses have been superseded by digital GPS units that rely on signals from satellites in space, 12,000 or so miles away, which the units use to calculate their position, their heading, their altitude, and their velocity.  Unfortunately, those signals are vulnerable to interference, and the receiver units are vulnerable not only to jammed signals but also to fake signals that can upset their logic and calculations.

This article tells of how researchers at Carnegie Mellon University created a device that cost no more than $2500 to build, and which caused every GPS unit it broadcast a signal towards to crash and cease operating.

Puzzlingly the article’s lede says that up to 30% of GPS receivers could be taken offline by one of these units.  The puzzle is – where did the ‘up to 30%’ come from, when every unit tested was made to crash?  Shouldn’t the article say ‘100%’?  Or would that be too frightening for the general public?

Maybe the 30% figure means that a single 45 second broadcast from one of these $2500 devices would disable 30% of all GPS units, everywhere on the planet.  In other words, position the device in the center of the US, turn it on, and in less than a minute, every GPS receiver in or above the US, or in the waters around the country, will crash.

Never mind.  The purpose of our commentary is simply to point out how something that has become so ubiquitous and almost essential (not so much for our navigating between home and work each day, but for ships at sea and airplanes in the sky, especially if flying through or above clouds) and also now very much taken for granted, is also something terribly vulnerable to electronic attack.

Indeed, there are five different vulnerabilities that GPS units suffer.  The first is an attack on the GPS satellites.  If an enemy power was able to destroy some or most of the satellites, our receivers would no longer have enough satellites to lock onto and calculate a reliable position from.

The second vulnerability is from EMP attack – an EMP pulse would likely destroy the electronics in most GPS receivers.

The third vulnerability is having the GPS signal jammed.  That is very easy to do.  The GPS satellites have very weak radio transmitters which are also far away from the receivers (about 25W transmitters, which are 12,000 and more miles away from the receiver), and so stronger transmitters that are closer can easily obscure the ‘real’ GPS signal and confuse the receiver as to where it is.

The fourth vulnerability is GPS spoofing.  Instead of just jamming the real GPS signal with random jamming ‘noise’, a sophisticated enemy can replace the weak real GPS signal with a stronger overriding fake GPS signal that makes the GPS receiver think it is somewhere else.  This type of technique has been used by terrorist cells to take over our reconnaissance drones.

The fifth vulnerability is sending confusing signals that cause the micro-processor inside the receiver to crash – the vulnerability the article discusses.

Note that the researchers concede that a determined attacker faces no huge obstacles (to mounting an attack that would cripple the world’s GPS).

Implications for Preppers

This teaches us two things.  The first thing is that we can’t take anything for granted.  Although GPS seems stable, mature, and ultra-reliable, it has five different forms of vulnerability which could be exploited at any time.  Sure, losing GPS across the country won’t threaten a plunge into a nightmarish level 3 situation, and we’re not suggesting it would.  But if something so stable and certain and safe as GPS is actually totally vulnerable to attack, what else is out there that could also be similarly vulnerable?

The second teaching point here is that as preppers we need to have backup systems and solutions that are low-tech rather than high-tech.  An EMP type attack is a real danger, and if such an event were to occur, we – and the rest of the country – would suddenly find that 95% of our electronics had failed.

Are you prepared to convert your existence to one with no electronics and no electricity?  Unless and until you can say ‘yes’ to that, you’re not truly prepared.