Fudge Computer Security
"The grey hat tried to red team my network, but he fell into my iron box! Naturally." -- Agent John Brown, cyber-security
Fudge Computer Security offers simple and comprehensive rules to help you roleplay plausible computer security adventures. Even if you know very little about computers, this article will help you understand how computer security works so that you can feel more in control. It offers both Basic and Advanced rules so that you can start playing right away, or customize to your heart's content.
Introduction
Fudge Computer Security is a guide to gamemastering roleplaying games in which computer security is featured, as well as a guide to roleplaying a computer cracker or a computer security operative. Adventures can take place in the present or in the future. The projected audience are gamemasters and players that know the basics of computers (e.g. know what files, programs and operating systems are), and want to learn more about how to run (and participate in) plausible computer security adventures.
Readers should be able to use Fudge Computer Security to learn some new computer security terminology (a glossary is included at the end) and then apply the Basic system to quickly handle security situations. Readers can then pick and choose which Advanced features to use -- if and when they want to use them.
These rules are written in Fudge terms both for the benefit of the Fudge community, and so that they can be easily converted into any other game system.
Why Is Computer Security Important?
"An internal IBM study regarding the potential market for a computer called the Tape Processing Machine (a prototype of which had been completed by 1951) estimated that there was a market for no more than 25 machines of its size. Two years later, IBM developed a smaller computer for business use, the Model 650. When it was announced in 1953, those who were backing the project optimistically foresaw a market for 250 machines." [1]
In the early days of computing, computers were toys for universities, the government and large corporations to play around with. Sure, they could be used to help with business data processing, banking, sales, inventory control, etc, but in the 1950s nobody seriously considered that computers would ever amount to anything but a time-saving device. They were sterile, mathematical machines understood by a handful of experts. There simply weren't enough experts to go around, and hence there was a significant practical limit on the number of computers that the world could maintain.
Today, more than fifty years after the dawn of computing, computers and networks are used in the management and operation of every part of our countries' infrastructures, including nuclear power plants, dams, electric power grids, air traffic control systems, and stock markets. Computers are critical to the day-to-day functioning of companies, governments, and militaries. They manage payrolls, track inventory and sales, and help with research and development. Computers and networks are used every step of the way in bringing food to your table and electricity to your home. Most people in the developed world use telecommunications (such as the telephone, email, etc) every day, and today these are all enabled by computers.
Without computers life as we know it would grind to a halt. Computer crackers, whether they're hackers, criminals, military adversaries or terrorists, pose a very real threat to society as we know it.
What Can Go Wrong with a Computer?
There are three basic things that can go wrong with a computer system [2]:
- It can become unavailable or slow, making it impossible for useful work to get done (lack of Availability).
- It can become corrupted, so that it does the wrong thing or gives the wrong answers (lack of Integrity).
- It can become leaky, giving unauthorized users access to confidential materials (lack of Confidentiality).

Confidentiality, Integrity and Availability (often abbreviated to CIA) are the three main security requirements. There are two reasons why the CIA requirements might not be met, and why computers might fail:
- By accident.
- On purpose.
By far the most dangerous of these two causes is the second. While accidents can cause tremendous damage, the damage is always limited in scope because it's straightforward to determine what happened and to fix it. Fixing the damage caused by a lightning strike may be expensive, but it's easy to know what to do (e.g. "We need to replace the server's hard drive because it got fried.") and once you're done you know that everything's okay. On the other hand, deliberate damage may never even be noticed, let alone corrected. This is because crackers are devious, while accidents are not.
What Makes Computer Cracking Fundamentally Different from Conventional Crime?
The main difference between computer cracking and conventional crime is intrusion detection. In conventional theft, damage is easy to ascertain. For example, in the case of house burglary, perhaps the robber broke your window, kicked down your door, or picked your lock. In any case, even if how he got into your house isn't obvious, it's easy to notice that your television is missing, or that he hurt your pet cat, etc. Computer crime is more like identity theft. You can think your identity is secure, when meanwhile someone in another country is very effectively pretending to be you, potentially accumulating debt or committing crimes in your name.
With computers, you may never know that you've been robbed. Secret files can remain on your hard drive and still have been stolen from you. Someone can crack your computer and not even do anything obvious. Instead, he may leave a back door so that he can more easily break in whenever he feels like it in the future. A cracker may repeatedly make strange attacks against your system that seemingly have no effect, but you can never be sure if he's just trying to rattle you, setting you up for a fall, or already owns your system, and he's just sending it commands. An entire country's emergency response system could be compromised right now without its security people even knowing it. That's a scary thought, isn't it? You can prove that a system has been cracked, but you can never prove that it hasn't been cracked.
White Hat, Black Hat... What's the Difference?
In terms of knowledge and capability, there is very little difference between crackers and security personnel. The only real separation between the opposing sides is intent. The black hat wants to break into a computer system, while the white hat wants to stop him, sometimes by cracking the black hat's system! Both the black hat and the white hat will apply virtually the same knowledge and tools to achieve their goals. This amazing similarity between the two opponents means that switching sides is very easy. The hat metaphor is very appropriate -- becoming a bad guy (or vice versa) is as easy as changing hats. The ease of switching sides has special relevance to the security community, where the threat of an evil insider (a sleeper agent, a mole, etc) is a classic scenario. It's said that one evil insider can do as much damage as 10,000 enemy soldiers, and this may very well be true.
One of the few elements that separates black hats from white hats is that having powerful hardware and software is not a big issue for crackers. Crackers can, and do, perform successful attacks with ordinary home computers using programs they wrote themselves for free, which means that a black hat could potentially be anyone with a computer and the knowledge of how to use it. Imagine the consternation of an investigator who has a billion suspects to choose from in a computer crime case. Furthermore, for a computer cracker, one lucky break is all it takes to penetrate a system's security. It doesn't matter if it takes a hundred tries to break into a system (assuming that you don't get caught) -- it's getting in at the end that counts.
In sharp contrast to computer cracking, security is very expensive. A network security officer needs expensive hardware, software and a big paycheck to do his job properly. Without good hardware, a large LAN won't work properly. Good security software makes a security officer's job easier (imagine the difference between a conventional security guard that has a bank of remote camera monitors to look at, and one that doesn't), and also makes a cracker's job more difficult. The harder it is for a cracker to break into a system, the longer it will take him, which gives a security officer a better chance to catch him and stop him. Finally, a poorly paid security person is an unhappy security person, and the last thing a secure network needs is insiders letting in bad guys. Hence, running a secure network is costly. The stunningly irritating part of being a white hat is that all you need to do is screw up once for your system to be compromised. In other words, the white hat needs to be lucky every time, while the black hat only needs to be lucky once. Also, you can never prove that your system has no vulnerabilities, you can only prove that it does have them.
Basic Computer Security Rules
In Fudge Computer Security, there is only one main skill: Computer Security. This skill is used by both crackers, to break into systems, and by security analysts, to prevent crackers from breaking into their systems. By default, a person has no ability at Computer Security -- it must be learned to be used, but it can be learned by anyone.
In terms of granularity, the Basic rules will deal with whole computer systems (which could be one or more computers). For example, we could consider attacks against an entire organization's internal network (often called an intranet), an important person's personal computer, or even an attack against the entire Internet.
What Can Get Attacked
In general, any computer system that the cracker can reach can be attacked. This usually means computer systems to which the cracker's computer is connected via a network, but it can also mean any computer the cracker can get physical access to.
Networked computers are usually either a client or a server. Servers have open network connections, and await client connections so that they can provide them with content or services, like file downloads, or email. Servers are easy targets. It's like being on the phone all the time, where so long as you're on the phone you're vulnerable to attack! Clients, on the other hand, don't necessarily have an open network connection by default. It's only when they contact a server that they become vulnerable (and hence, to complete the analogy, when they pick up the phone). In peer-to-peer networks, everyone is a server, and thus everyone is vulnerable!
It's very important to note that clients make calls to servers, and never the other way around. A pure client computer cannot be called -- and hence cannot be attacked unless it makes itself vulnerable by connecting to a server (and even then it's only vulnerable to that server). Networks like the telephone system are peer-to-peer since everyone can call each other.
Example 1: The cracker Charlie is looking for a victim. He finds Alice's server on the Internet, which she uses to share files with friends. He is able to attack her computer so long as she keeps it on and connected to the Internet.
Example 2: Cyber-police officer Bob is looking for Charlie. Unfortunately, since Charlie is using a pure client computer, he is hard to attack. Bob creates a special server (a honey pot, see the glossary) and tries to fool Charlie into attacking it. Charlie takes the bait and attacks Bob's special server -- now Bob can attack Charlie through his server.
How the Attack Is Made
The mechanisms crackers use to break into systems are complex and interesting. However, in the Basic system we will gloss over most of it and simply deal with a few simple elements. In general, attacking a system is a three-step process:
- Obtain a normal user account on the system
- Obtain a superuser account on the system
- Do your evil deed
To attack a system, a cracker makes an unopposed roll of his Computer Security skill, with the difficulty being the defending system's Computer Security level (see following sections for more on this). If the cracker wins this roll he gets a normal user account on the system. If he succeeds by 3 or more then he gets a superuser account right away. If he fails then nothing happens.
Once a cracker has a user account on a system, he can attempt to upgrade it to a superuser account. This requires another Computer Security roll (same difficulty), but this time the cracker gets a +1 bonus (it's easier to upgrade once you're already on the system). Success means the cracker now has a superuser account, while failure means that nothing happens and he keeps his regular account.
Apply the following modifiers to the cracker's Computer Security rolls:
Situation | Description | Modifier |
---|---|---|
Unfamiliarity | Cracker is unfamiliar with the system and how it works | -1 to -3 |
User Account | Cracker already has an account on the system and wants to upgrade to superuser | +1 |
Familiarity | Cracker is familiar with the system and how it works | +1 |
Insider Knowledge | Cracker is an insider with intimate knowledge of the system | +2 |
Back Door | Cracker has a back door on the system | +3 |
Physical Access | Cracker can open the computer case or access its disk drives | +3 |
In general, for Familiarity, Insider Knowledge or Back Door the cracker can get either a +1, +2 or +3 bonus, but not all three. The Physical Access bonus only counts if the cracker can access the computer case and mess around with it. In the case of physical access to a terminal where only a monitor and keyboard are available, the cracker gets no bonus since it's no better than network access.
What Can Crackers Do Once They're In?
Once the cracker has a superuser account, he can do whatever he wants with the system that it is capable of doing. For ordinary actions (that a superuser could normally do on the system) no Computer Security roll is required (although the GM may require rolls against other skills). If the cracker wants to do something fancy that pushes the system's capabilities, require a Computer Security roll at a GM-set difficulty.
For regular computers, ordinary actions might mean reading or modifying files, or formatting the hard drive. Fancy actions requiring a roll might include damaging the operating system (i.e. crashing the system), creating a back door, etc. Generally speaking, it's not possible to cause physical damage to a computer purely through software. The exception is for moving parts like hard drives and CPU fans, which the cracker may be able to trick into burning themselves out or turning off.
On more specialized computer systems, especially ones that manage vehicles or facilities, the possibilities are much greater. Depending on what kind of computer the cracker now has control over, he could potentially steal money, steal people's credit card numbers or identities, cause a city-wide blackout, crash a plane, cause a nuclear meltdown, or even start a nuclear war! Needless to say, the computers running critical infrastructures are going to be very secure, and are almost certainly not connected to the Internet, thus requiring the cracker to actually go to the facility in order to compromise it. On the bright side, dangerous systems like nuclear power plants are designed to avoid meltdown, and their security features may make causing one difficult or impossible, requiring a roll at a very high difficulty.
Protecting a System
In general, the best defense for a computer system is to: (1) Not connect to the Internet, (2) Not connect to any other computer at all, (3) Be hidden away under lock and key. Unfortunately, some or all of these options may not be possible, because communication is usually desirable, and often necessary. For example, an online merchant cannot simply choose to disconnect his servers from the Internet in order to protect his customers' credit card data -- if he were to do so he wouldn't have a business anymore!
A System's Security Level
Computer systems have a Computer Security skill rating equal to the average Computer Security skill of the people managing it. Computer systems might come with a built-in minimal level of security, but if it is not kept up to date it is less useful (consider this to be low-quality in the table below). Apply the following modifiers:
Situation | Description | Modifier |
---|---|---|
Low-Quality | Computer system uses low-quality security software | -1 to -3 |
Common Software | Computer system uses a very common operating system or network software | -1 |
High-Quality | Computer system uses high-quality security software | +1 |
Active Monitoring | Security personnel are actively monitoring system activity | +1 |
Red Teaming | Computer system regularly undergoes red team attacks | +1 |
The inherent complexity of cracking into computers means that all systems have a minimum Computer Security level of Poor.
Example 1: David has no computer security skills to speak of. His operating system comes with a Computer Security skill of Mediocre. However, David has never updated his system's security since he bought the computer years ago (-3 penalty), for a total of Terrible-1. Hence, David's computer resists intrusions with a Computer Security skill of Poor (the minimum). Essentially, David's operating system's security is less than useless.
Example 2: An online merchant runs an Internet website (i.e. a server). He has hired several security analysts with an average Computer Security skill of Good. He is using an off-the-shelf security software package that he keeps up to date (no modifier), but is using a very common operating system to run his server (-1 penalty) for a total Computer Security level of Fair.
Example 3: A high-security military facility is running a LAN that is not connected to the Internet. The computer rooms are locked behind steel doors, and their network wires are embedded in thick concrete. The security analysts running the system have Great skill overall, are using high-quality security software (+1), actively monitor the system at all times (+1) and regularly undergo red team attacks and fix any vulnerabilities exposed (+1). Assuming someone could gain access to the computers (a difficult proposition), they would have a Computer Security level of Superb+2 to contend with.
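The Basic-rules arithmetic (a cracker's roll with its modifier table, a system's Computer Security level with its Poor floor, and the user/superuser outcome), as an added Python resolver that is not part of the original article. The 4dF roller and the Fudge convention that meeting the difficulty exactly counts as a win are assumptions; the worked values are the article's own Examples 1 to 3.

```python
import random

# Fudge ladder as the article uses it: Superb (+3) down to Terrible (-3).
LADDER = ["Terrible", "Poor", "Mediocre", "Fair", "Good", "Great", "Superb"]
LADDER_BASE = -3          # numeric value of LADDER[0]
MIN_SYSTEM_LEVEL = -2     # article rule: every system is at least Poor

# Modifier tables from the Basic rules. A (low, high) pair means the GM
# chooses a value in that range; a bare int is a fixed modifier.
CRACKER_MODIFIERS = {
    "unfamiliarity": (-3, -1),
    "user_account": 1,
    "familiarity": 1,
    "insider_knowledge": 2,
    "back_door": 3,
    "physical_access": 3,
}
SYSTEM_MODIFIERS = {
    "low_quality": (-3, -1),
    "common_software": -1,
    "high_quality": 1,
    "active_monitoring": 1,
    "red_teaming": 1,
}
# Article rule: only the best one of these three knowledge bonuses applies.
EXCLUSIVE_KNOWLEDGE = ("familiarity", "insider_knowledge", "back_door")


def level_value(name):
    """'Good' -> +1, 'Poor' -> -2."""
    return LADDER.index(name) + LADDER_BASE


def level_name(value):
    """Render a number the way the article does: -4 -> 'Terrible-1', 5 -> 'Superb+2'."""
    clamped = max(LADDER_BASE, min(LADDER_BASE + len(LADDER) - 1, value))
    name = LADDER[clamped - LADDER_BASE]
    overflow = value - clamped
    return name if overflow == 0 else f"{name}{overflow:+d}"


def _lookup(table, situation, chosen=None):
    """Resolve one table row; ranged rows need the GM's chosen value."""
    entry = table[situation]
    if isinstance(entry, tuple):
        low, high = entry
        if chosen is None or not low <= chosen <= high:
            raise ValueError(f"{situation} needs a value in {low}..{high}")
        return chosen
    return entry


def cracker_bonus(situations):
    """Total modifier to the cracker's roll. `situations` maps a table row to the
    GM's chosen value (None for fixed rows), e.g. {'unfamiliarity': -2}."""
    total = 0
    best_knowledge = 0
    for situation, chosen in situations.items():
        value = _lookup(CRACKER_MODIFIERS, situation, chosen)
        if situation in EXCLUSIVE_KNOWLEDGE:
            best_knowledge = max(best_knowledge, value)   # +1, +2 or +3, never all
        else:
            total += value
    return total + best_knowledge


def system_security_level(base_level, situations):
    """Average analyst skill (or the built-in level) plus table modifiers, floored at Poor."""
    total = base_level + sum(
        _lookup(SYSTEM_MODIFIERS, s, c) for s, c in situations.items())
    return max(MIN_SYSTEM_LEVEL, total)


def roll_4df(rng=random):
    """Four Fudge dice, each -1, 0 or +1 (assumed dice mechanic)."""
    return sum(rng.choice((-1, 0, 1)) for _ in range(4))


def resolve_attack(cracker_skill, system_level, dice, situations, upgrade=False):
    """One intrusion roll; returns 'superuser', 'user' or 'fail'.
    Assumption (Fudge convention): meeting the difficulty exactly is a win.
    With upgrade=True the cracker already holds a user account (+1 row applies),
    any success yields superuser, and failure keeps the user account."""
    if upgrade:
        situations = {**situations, "user_account": None}
    margin = cracker_skill + dice + cracker_bonus(situations) - system_level
    if margin < 0:
        return "user" if upgrade else "fail"
    if upgrade or margin >= 3:
        return "superuser"
    return "user"
```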
Other Defensive Measures
As previously mentioned (under How The Attack Is Made), there are no intrinsic consequences to the cracker when he fails to break into a system. Hence, it's up to the security team to create consequences.
Detection: Ideally, a security team should be able to find out when their system is being attacked. They can either install detection software (less effective, assign it a low Computer Security skill) or try to detect attacks themselves (but only if they're actively working on it). Every time a cracker fails in an attack against the security system, it gives an active defender a chance to detect it. The defender can make a Computer Security roll at a difficulty equal to the cracker's rolled result. Success means that the defender has detected the intrusion attempt and can act appropriately. This might mean shutting down the server, for example, or in the case of a sophisticated defender it could mean running a trace (see below). Detecting attacks (even successful ones) against otherwise unused systems, such as an iron box or a honey pot, is trivially easy.
Tracing: Crackers are not fools and they have a variety of techniques for avoiding traces, including routing their attacks through other computers and even other countries. Running a trace pits the white hat's Computer Security skill in an opposed roll against the cracker. Success means he now knows where the cracker is, failure means he does not. Failing badly (by 3 or more) means getting false information. The security expert should get a bonus to his roll if the cracker fell into an iron box or honey pot (anywhere from +1 to +3 depending on how badly the cracker fell for it).
House cleaning: Regularly looking over communication logs or security cameras is boring and time consuming, but it can also be life-saving. For compromised systems, every once in a while (say, once a week) allow a security analyst dedicating time to house cleaning to make a Computer Security roll at a GM-set difficulty. Success means that a previous intrusion has been discovered, and some idea of what happened has been determined (depending on how well the roll was made). Back doors, once detected, can be closed (or worse, turned into an iron box).
Advanced Computer Security Rules
In this section I will add some advanced, optional rules. They are there mostly to give you additional ideas and things to think about.
In the advanced rules, the GM can put a finer focus on computer cracking, and handle attacks on a computer-by-computer basis if desired, if the extra detail would make events more interesting.
Exploits and Vulnerabilities
This section gives a little more detail on how cracking works, in case you want to add more detail into your games.
A cracker cracks by writing a computer program (exploit) that will take advantage of a security bug (vulnerability) in the target system. Once a vulnerability becomes known, a bug fix (patch) is usually created in order to patch the hole. Of course, there are always more bugs in software. Exploits, like vulnerabilities, are very specific to a particular version, or range of versions, of a particular program.
Against targets that take security seriously, an exploit will only work once if the intrusion is detected. If the intrusion isn't detected, then the exploit can be used again. Often, however, this won't be necessary. Once the cracker has gotten into the system once, he can leave a back door and get back into it again much more easily.
On the other hand, an exploit could be used constantly for months against insecure computers -- such as home computers.
How does a cracker find vulnerabilities?
- Script kiddies just download ready-made exploits -- they don't bother finding vulnerabilities.
- Crackers can join cracker communities where they discuss vulnerabilities and broadcast newly found ones.
- If the cracker can obtain one of the security programs used on the target system, then it can be reverse-engineered and analyzed for vulnerabilities. This requires a Computer Security roll at a GM-set difficulty. Success means a vulnerability is found and an exploit written. Failure means the cracker must keep looking or find a different program or target.
- If no copies of the system's security programs can be found, then vulnerabilities can be found by actively testing the system's security. This counts as Unfamiliarity and results in the -1 to -3 attack penalty described under How The Attack Is Made. This is the riskiest way to find vulnerabilities.
Local Area Networks
Local area networks are generally built upon the trust model.
Trust is a fundamental question of computer security. Unfortunately for the paranoid, you have to trust somebody. Trust is simply too efficient. Take for example the special trade relationship that Canada and the US enjoy: because these two countries are peaceful, trustworthy neighbors they have the luxury of being able to apply very few security controls on their trade. This means that there's tremendously less money and energy wasted on security between the two countries, and consequently there's a significant economic advantage for both countries. Similar parallels can be made for many European countries and lots of other countries across the world.
The trusted country analogy applies very effectively to computer security. When you trust a particular computer or a particular network, it means that you can apply far less security in defending against that trusted entity. Less security means lower cost in terms of time (for the users and the security experts), hassle, and money.
Thus, when creating a secure computer network, it's important to know exactly who you trust and who you don't trust. Trusting nobody or trusting everybody are not viable options. Not trusting someone you should trust wastes valuable money and resources that should be spent elsewhere, and yet at the same time trusting foolishly may lead to disaster.
The point of all this is that internal networks are generally designed with a very secure exterior (e.g. a firewall machine) that protects a trusted interior network (e.g. intranet) from an untrusted exterior network (e.g. the Internet). Assuming that the model works and that a cracker is unable to break past the gate, then the internal network is both convenient and secure. Thus, the trick for the cracker is to break the trust model by compromising the internal, trusted computers.
There are two main ways to break the trust model. The first is by creating a new connection from an internal trusted computer directly to the exterior network, thus entirely bypassing the secure gateway. One technique is to install a modem on an internal computer. The second method of breaking the trust model is to infect an internal computer with a Trojan horse, so that its own trusted users turn the computer against the network security, breaking it down from the inside. One technique for this is to trick a user on the internal network into running a Trojan horse program (e.g. on an innocent-looking music CD) that then can easily attack the internal network gateway from the inside.
Zombies
Once a cracker has control of a system, instead of adding a back door he can instead opt to turn it into a zombie with a successful Computer Security roll. A zombie computer is better than a back door -- the cracker can automatically break into a zombie system (no roll required) whenever desired.
Zombies are often created automatically by viruses or worms, thus helping the cracker quickly amass an army of zombies.
Crackers can use zombies to perform distributed attacks by programming each zombie to attack independently (see Denial of Service). He can also use them to create a distributed supercomputer to crack codes and do other fun stuff.
The downside of zombies is that it's impossible to make a computer system that's actively monitored by a security analyst into a zombie -- the attempt is automatically noticed.
Man-in-the-Middle
A man-in-the-middle attack is when a cracker intercepts communications between other computers over a network. For example, Alice and Bob are trying to communicate, and Charlie the cracker gets in the way. Essentially, a man-in-the-middle attack means that Charlie has tricked Alice into thinking he's Bob, and Bob into thinking he's Alice.
Executing a man-in-the-middle attack requires the cracker to make an opposed Computer Security roll against each of the intercepted people's Computer Security skills. Only if the cracker succeeds against everyone is the move a success; otherwise the cracker is discovered.
At its most basic level, this attack can allow the cracker to listen in on communications. Even worse, it can allow the cracker to block or modify communications at his leisure.
Sniffing
This is when a cracker compromises the network backbone (i.e. the computers and machines running the network). Since the cracker has gained control of the devices through which communication is being transferred, the cracker can read, modify or delete these communications.
To execute this attack, the cracker needs to break into the network backbone itself. This requires a Computer Security roll with a high difficulty.
The result of this technique is similar to the man-in-the-middle attack, except that the more insecure the network is, the easier this attack is to execute relative to man-in-the-middle, and vice versa.
Needless to say, whoever normally controls the network can sniff whatever communications he wants without needing to make a security roll.
Finally, a form of sniffing called wire tapping is also possible. This involves adding a small monitored connection to the physical wires of the network. While this method only allows reading of communications, it can be very effective since it's very difficult to detect!
Denial of Service
Denial of Service (DOS) is an attack aimed at swamping a server with garbage communications so that it can no longer do useful work (i.e. so that it can't sort real requests from clever fakes). It specifically attacks the A part of CIA: Availability. To accomplish this the cracker makes a Computer Security roll against the Computer Security level of the affected system. Success means that the system has been swamped and is effectively shut down for a few hours.
A Distributed Denial of Service (DDOS) attack uses an army of zombies to even more effectively swamp a system. These give a +1 to +3 bonus to performing the attack, depending on the number of zombies involved (hundreds, thousands, millions).
On the defense side of things, DOS attacks are automatically detected, but traced normally (i.e. only if the cracker makes a mistake). The defenders can get a +1 to +3 bonus if they have access to configuring the network backbone (i.e. the medium over which the communication takes place), depending on how much control they have.
Sophisticated Superuser Accounts
Most regular operating systems use an all-or-nothing approach to administration. Either you're the administrator or you're not. Either you can do everything (superuser) or you can do almost nothing (user).
Some operating systems use more sophisticated schemes where a certain type of user might have certain administrator privileges but might not have others. What's more, the system can be designed so that multiple superusers must work together to make something major happen. This is analogous to the bank vault that requires two keys to be inserted and turned at the same time.
These sorts of precautions will inevitably make cracking the system more difficult, as the cracker must either break into more accounts to control the system, or must call upon the aid of other crackers. However, fancy operating systems like this will never be mainstream -- this is something likely to remain in the domain of governments and huge corporations, at least in the near future.
Worms and Viruses
Worms and viruses are programs that crackers can write to break into systems automatically. Worms and viruses have a vector and a payload. The vector is the method of transmission, which is some sort of vulnerability (often in email programs or servers). This is what allows the virus or worm to infect the system. The payload is what the virus or worm does, aside from propagating itself. A typical payload is turning the infected computer into a zombie, or installing spyware for detecting what the user is doing and stealing personal information and passwords.
Worms and viruses are hard to create, and even harder to anticipate or control. Creating one requires a Computer Security roll at a -1 penalty for a virus, or a -2 penalty for a worm. Success creates a virus or worm with a skill level equal to the rolled result. Normally viruses and worms are built with a particular purpose in mind, even if it's just mischief. The GM can use the virus' or worm's skill level and his intuition to determine some likely outcomes of the infection.
World Backgrounds
There are a variety of settings where computer security roleplaying may take place. A campaign's setting properties will have a huge impact on computer cracking.
Technology
Contemporary
- The de facto worldwide computer network is called the Internet. There are a lot of unofficial names for it too, but we'll stick to the official name to avoid confusion.
- Computers control many systems across the globe, but in a patchwork fashion. The developed world is almost entirely run by computers, whereas so-called third-world countries have very few computers. Human brainpower, unaugmented by computers, is still the tool of choice for many applications.
- Most personal computers and supercomputers are connected to the Internet in some fashion. Most other computer systems are simple and specialized devices that are not connected to the Internet or to each other (e.g. temperature control in your home, a car's onboard computer).
- Many essential communication services (webpages, telephone, military communications, etc.) are at least partially routed through the Internet. The collapse of the Internet would cause widespread communication problems, many businesses would fail and many hobbyists would be very unhappy, but it wouldn't necessarily prevent society from functioning.
Future
- The worldwide computer network is called Cyberspace. If you prefer to call the worldwide network something else, feel free. Alternate names include the Matrix, the Maze, the Lattice, the Labyrinth, the Environment, the Sphere, etc. Let your imagination be your guide.
- Computers either directly control or are involved in every aspect of human endeavor. Embedded systems (computers contained in other objects) are the norm. From computer-controlled houses to computer-controlled clothing, everything a person does, wears or touches involves computers. Wearable computers are extremely common. Expert systems help doctors, lawyers, etc. make their daily decisions.
- Nearly all computer systems are constantly connected to Cyberspace and to each other. Your toaster talks to your shoes, who consult with your stock portfolio.
- If Cyberspace ever fell, it would take civilization with it.
Type of Society
Modern (Contemporary or Future Technology)
- Security is not taken seriously.
- Security issues and costs are not well-understood, so it's difficult for companies to know how much money to spend and on what kinds of security. Many organizations don't use the best practices available, meaning that security across a society will be a patchwork of effective and ineffective solutions. This makes attacking the society as a whole relatively easy.
- The fact is that the Internet was originally made by scientists for scientists, all of whom trusted each other. There was no provision for "bad guys" in the protocols that were developed. Hence, the infrastructure of the Internet itself is not very secure, making it easier for crackers to play dirty tricks on their victims.
- Companies regularly hide the fact that they've been successfully attacked, because they don't want public confidence in them to be undermined. This leaves organizations open to blackmail from enterprising crackers. Hiding information also has a much more serious consequence: this prevents researchers from obtaining accurate statistics on security, thus perpetuating general ignorance of security issues.
- Security on the level of the home-user is poor. Home users and companies are not responsible if their servers/computers are used as go-betweens in an attack.
Ideal (Future Technology)
- Security is taken seriously.
- Security at organizations conforms to the known best practices. This means that a society's security will provide a united front against attackers -- the fact that each potential target is secure will make attacking the society as a whole difficult.
- The Cyberspace infrastructure has had its major security holes fixed. This makes it more difficult for crackers to perform dirty tricks, and consequently makes everyone more secure.
- Like modern airports that always report collisions and near-misses alike, companies will always make successful attacks public (to the relevant agencies, at the very least). Failure to do so can result in the government levying serious penalties against the company. It's thanks to this policy that best practices are well-understood and disseminated across the society, since researchers and policy makers have access to large volumes of accurate information on which to base decisions.
- Software (even user-level software) is relatively secure. Companies and individuals are liable for damages if they were negligent and their computers were used as go-betweens in a crack attempt (i.e. it's criminal negligence to have an insecure computer).
Oppressive (Future Technology)
- Security is only allowed for the elite. This usually means the rich and the powerful, such as the government and corporations.
- Since paranoia is the rule and information sharing is non-existent, corporations have no idea how much money to spend on security. Therefore, they spend as much money as they can afford to on all levels of security, in an attempt to minimize the risk of attack. Society is two-tiered: the weak half is extremely easy to attack, while the strong half is very difficult to attack.
- Corporations never let others know when they've been successfully attacked. Not only would this provide free research data to their competition, but it would be showing a sign of weakness that would surely be exploited by their enemies. Best practices are unknown, as each company does its security research independently of everyone else. Thus while security as a whole among the elite is very strong, precise security implementations will vary greatly from organization to organization.
- The average home user has no security on his computer. It's illegal for individuals to own, purchase or sell security components. Learning about security and cracking is illegal unless you are one of the elite, or you work for them. In fact, the elite will be able to take over a home computer at any time and for any reason. Big Brother is most definitely watching you. Obviously, home users are not liable if their computers are used as go-betweens in attacks -- instead, they're liable if their computers can't be used as go-betweens!
Glossary of Terms
Please note that the definitions given in this glossary are accurate within the context of computer security. Many of the terms have alternate (but equally valid) meanings. For instance, the term hacker originally meant "someone who makes furniture with an axe", and yet hacker is used here with a completely different connotation.
Most of these entries were adapted from [3].
- Back Door
- A hole in the security of a system deliberately left in place by designers or maintainers. This could be for sinister reasons (e.g. to allow the designer to easily crack the security at a later date) or legitimate ones (e.g. to allow service technicians easy access). A back door can also be created after the fact by a cracker, for later use. A Trojan horse usually serves as a back door into a system.
- Black Hat
- A cracker. The term originates from formulaic Westerns where the bad guy always wears a black hat.
- Breaking in
- The process by which a cracker gains illicit access to the superuser's account on a computer or network.
- CIA
- The three main requirements of computer security: Confidentiality, Integrity, and Availability.
- Client
- A computer that connects to a server for the purpose of receiving content or services.
- Cracker
- A person who electronically breaks into computer systems. Coined circa 1985 by hackers in defense against the journalistic misuse of the term hacker.
- Exploit
- A cracker program that takes advantage of a vulnerability.
- Firewall
- Either software or hardware whose purpose is to monitor communication channels (both incoming and outgoing), and possibly direct or block traffic if necessary. This is usually a network or computer's first line of defense.
- Firewall Machine
- A firewall machine is a dedicated computer (i.e. a computer that does nothing else) that combines the concepts of the firewall and the proxy, and is used to service outside network connections. The idea is to protect a cluster of more lightly protected machines, which are hidden behind it, from crackers.
- Grey Hat
- Someone with cracker skills who operates within the law. His skills could be used for red teaming, or to crack electronic locks with legal authorization.
- Hacker
- 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. 2. A person who enjoys programming, and/or is good at programming quickly.
- Honey Pot
- A computer designed to attract crackers so that they can be observed in action. It is usually well isolated from the rest of the network, and carefully monitored. Different from an iron box in that its purpose is to attract, not merely observe.
- Intranet
- A large LAN; the term usually refers to an organization's private, miniature Internet.
- IP Address
- A number that uniquely identifies a particular computer on a network. The "IP" part stands for Internet Protocol, although this is a misnomer, since IP addresses are used on LANs too.
- Iron Box
- A special environment set up to trap a cracker logging in over a remote connection long enough to be traced. May include a modified operating system restricting the cracker's movements in obscure ways, and "bait" files designed to keep him interested and logged on.
- LAN
- An acronym that stands for Local Area Network. In other words, a collection of interconnected computers which is entirely located in one area (typically a single building). For example, a corporate intranet.
- Mockingbird
- Software that intercepts communications (especially login transactions) between users and hosts and provides system-like responses to the users while saving their responses (especially account IDs and passwords). A special case of a man-in-the-middle attack.
- Network
- Two or more computers connected together so that they can communicate with each other. This connection is typically made by telephone, network cable, wireless connection (radio), satellite uplink or (less commonly today) fiber optic cable.
- Patch
- A temporary addition to a piece of code, usually as a quick-and-dirty remedy to an existing bug. A patch may or may not work, and may or may not eventually be incorporated permanently into the program. Patch can be used as a noun or a verb.
- Peer-to-peer
- A communication system in which each participant (a peer) acts as both a client and a server.
- Phage
- A program that modifies other programs or databases in unauthorized ways; especially one that propagates a virus or Trojan horse. A phage could, for example, modify a police database to remove one particular person's criminal record.
- Proxy
- This is the gateway to a network. All communications to and from the network must pass through the proxy. This protects a network by creating only one point of entry that needs to be thoroughly secured. It has a side benefit of making any communications from the inside of the network appear to be coming from the proxy -- thus making it more difficult for crackers on the outside to know which particular internal computer a specific piece of information is coming from.
- Red Team
- A group of one or more grey hats whose job is to crack a network's security, with the permission of the network administrator (or his boss). The goal of this is the eventual improvement of the network's security by revealing vulnerabilities.
- Script Kiddy
- Someone who does mischief with programs written by others. Script kiddies usually have a minimal impact on secure networks, but given a very effective exploit, a script kiddy could do as much damage as the genius cracker who wrote the exploit.
- Server
- A computer that leaves one or more communication channels open, in the hope that clients will connect to it so that it can provide them with content and/or services. Servers are the computers that are the most vulnerable to computer cracking.
- Superuser
- The administrator of a computer system. Typically, the superuser has all of the powers of an ordinary user, plus much more. Superusers typically have (at the very least) the ability to create new user accounts and to edit or delete existing ones.
- Tiger Team
- Similar in concept to a red team. Tiger teaming is when a facility's physical security is tested by a team of good guys.
- Trojan Horse
- A malicious security-breaking program that is disguised as something benign, such as a screen saver, or a virus scanner.
- User
- An ordinary user of a system. For example, a person with an email address at yahoo.com, or a website at geocities.com.
- Virus
- A cracker program that searches out other programs and infects them by embedding a copy of itself in them. When these programs are executed, the embedded virus is executed too, thus allowing the virus to propagate itself. While a virus can be benign, in the sense that all it does is waste system resources by propagating itself, viruses usually carry a payload and transform infected files into Trojan horses. This normally happens invisibly to the user. Unlike a worm, a virus cannot infect other computers without assistance.
- Vulnerability
- An error in a program's design or implementation, or a failure in its operation, that can be used for breaking security or otherwise attacking a computer (usually over a network). In other words, a bug that a cracker can take advantage of.
- WAN
- An acronym that stands for Wide Area Network. In other words, a collection of interconnected computers that spans a large area (such as an entire country or the entire world). For example, the Internet.
- White Hat
- The opposite (and counterpart) of a cracker. A security operative who aims to protect a network from unauthorized intrusion. The term originates from formulaic Westerns where the good guy always wears a white hat.
- Worm
- A cracker program that propagates itself over a network, reproducing itself as it goes. Unlike a virus, a worm doesn't need outside assistance to operate. Being autonomous makes a worm much more dangerous, but also much more difficult to control and anticipate. Worms typically crack into low-security computers via a common vulnerability and then turn the computers into zombies.
- Zombie
- A computer, especially a home PC, that has been cracked and taken over by a cracker "master," who may control hundreds, thousands or more zombies. The image that comes to mind is of a veritable army of zombies mindlessly doing the bidding of a necromancer. Zombies offer computing resources that crackers can take advantage of, such as for performing attacks, or the cracker can simply steal those resources for himself. As a side-benefit, attacking through a zombie helps a cracker mask his identity.
References
- Ceruzzi, Paul. "An Unforeseen Revolution: Computers and Expectations, 1935-1985." Technology and the Future. Ed. Albert H. Teich. 8th ed. New York: Bedford/St. Martin's, 2000. p. 192.
- Computer Science and Telecommunications Board. Cybersecurity Today and Tomorrow: Pay Now or Pay Later. Washington, D.C.: National Academy Press, 2002. http://www7.nationalacademies.org/cstb/pub_cybersecurity.html
- The Jargon File (The New Hacker's Dictionary). http://www.catb.org/~esr/jargon/