I am a Certified Ethical Hacker (CEH); yes, there really is such a thing. Somewhere, someone decided that taking criminal hackers and using them to secure things of value was a plan with a tiny flaw. So the intelligence community started training people who had yet to become criminals to battle the ones who had. It is one of a somewhat diverse set of trainings and certifications I hold.
I am also a Certified Archivist and have been a member of SAA for a number of years. I understand the basic concepts of provenance and original order, how to process to the file level or implement MPLP (More Product, Less Process), and how to assist researchers in finding what they need, whether I think it is what they really need or not. I also have a view of metadata that may be a bit different from that of the “average” archivist (if such a thing exists).
One of the things I do with “repositories or centers” of all types is to help audit their security. By this I mean I work, mostly with one of several teams of other auditors, to see if we can bypass the security systems put in place to protect items seen as valuable by their owners, custodians, or curators, or by people who may see value where these others do not. If we can discover and exploit vulnerabilities in the system (which includes human beings, by the way), so can the cyber-criminals. The hope is that, by exposing flaws, they can be fixed.
Most of the security auditing work I do has nothing specifically to do with digital collections, even if the eventual goal is to confirm or refute the security of digital material. The team that most often asks me to join it does so because of a) my social engineering skills (think phishing, fooling security guards, basically being a conman), b) my record of unusual ways to attack a stubborn object, and c) my being the fastest lock picker among us.
Overcoming physical barriers is often part of a cyber-attack. Hijacking a wireless mouse and keyboard, taking control of CCTV surveillance, disabling alarms (both on-site sirens and automated calls to emergency personnel), and manipulating environmental controls are tasks that are usually only easy when the attacker is in close proximity, has previously been able to get close enough to hide surveillance tools, or has acquired information the target does not know has been taken. It does, however, drive the point home when the double-locked room that holds a server also has an audit team business card sitting on the server, or when a bank branch manager can only type “I will change my password every 3-6 months” no matter what keys he or she presses on the keyboard.
Vendors build technology for users, and most users don’t want security badly enough to give up the things they enjoy about technology. If I can get into your system (and many of the devices we use these days are very easy to gain unauthorized access to), I can activate the camera and microphone on your phone or tablet. I can access information you thought had been erased. I can put malware on a device that will drop onto the computer network at your repository. And now we have millions of little doors into our information systems, in devices that were designed to send out information but not to keep it secure.
In the past few years these little devices have provided the exploited vulnerabilities for major Distributed Denial of Service (DDoS) attacks, including one that shut down a major DNS server and took down Twitter, about half of Amazon, and many “unnamed government facilities of at least significant importance.” The attack traffic came in through CCTV cameras, baby monitors, refrigerators (yes), microwaves (yup; laugh all you want), and other everyday objects broadcasting wireless signals, millions of them (commonly referred to as the Internet of Things, or IoT).
The point is, there is practically no place someone can try to keep secure or keep private that does not have vulnerabilities reachable through computer networks. Likewise, privacy is part of securing those networks. The networks of information and communication used in preservation and protection depend on computer technology. Physical environments are controlled by computers, and criminal hackers can take them down.
A Lab Demonstration Just for Archivists and Librarians.
So. When thinking about your repository and its need for information security, consider this exercise conducted during a Certified Ethical Hacker practice training exercise arranged for some of my colleagues and me. Our tasks were set up on a server running virtual machines that reacted in the same way as “real life” configurations. In fact, the virtual machines could have been used to replace the originals, which likely ran, at least in part, in virtual environments. We had a series of networks duplicated from real life on a server, run on several virtual servers. We conducted reconnaissance where we realistically could, and had a randomly determined amount of information provided that represented things we would have ascertained with more time (the random amount allowed for a percentage of failures, and we felt it was actually weighted unrealistically against us).
We had determined several potential access points, including outside security lights controlled by sensors with passwords we were able to crack. One of the first things we did was hack the alarm and emergency communication devices, as well as block wireless signals. (Keep in mind that, although we were a small team, we had a variety of experience levels. By the end of our training, each of us could do this on our own, and had to prove it.) We later did several things that would give us persistent access to various points of the networks and let us keep control of parts of them in the future.
I noticed a location on the network (I didn’t know the physical location, but didn’t need to) and got a very nasty idea. At my request, we did something else with the emergency response systems. There was an area that was a “virtual library,” as identified by the network connections. We had already deactivated the alarm systems, including communication with first responders. We now accessed the environmental controls on a connected network node (there so that things could be shut down in an emergency), and set the thermostats connected to the library to maximum. We then scheduled the fire suppression system (water sprinklers) to come on at (I believe) 11:00 P.M. Friday night, run for about 40 minutes, stop for 10 minutes, restart for 20 minutes, stop for 10, and continue that rotation until the early morning hours on Monday (I think 3:00 A.M.). Remember, we were causing the computers to execute these instructions, but they were not connected to any actual equipment.
If this had been the original system, the one copied onto this virtual server, running in the building where it was originally located, the library would have been drenched almost continuously, with short breaks to let the water soak in where it could, while the temperature rose to the building’s maximum (upper 90s, maybe) and stayed there for at least three days. The library might have had no digital collections and, in the eyes of many if not most archivists, no reason to worry much about cybersecurity. Think about the condition of the library materials after this. What about 3-day weekends? Nasty stuff.
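As an added example (not code from this post or from the training exercise it describes), here is the kind of detection logic a repository's security team could run over building-management system logs to catch the sequence just described: alarm reporting to responders cut off, a thermostat setpoint pushed out of policy, and sprinklers activated with no preceding fire detection. The log format, the subsystem and event names, the field names, and the policy thresholds are all assumptions constructed for this example, as is the sample log itself.

```python
from datetime import datetime, timedelta

# Constructed sample log for this example (not from any real building-management system).
# Format assumed here: timestamp,subsystem,event,key=value;key=value
SAMPLE_LOG = """\
2017-03-03T22:40:00,alarm,comms_disabled,channel=fire_dept_dialer
2017-03-03T22:41:10,hvac,setpoint_changed,zone=library;setpoint_f=95
2017-03-03T23:00:00,suppression,sprinkler_on,zone=library
2017-03-03T23:40:00,suppression,sprinkler_off,zone=library
2017-03-03T23:50:00,suppression,sprinkler_on,zone=library
2017-03-04T00:10:00,suppression,sprinkler_off,zone=library
"""

MAX_SETPOINT_F = 80.0                     # assumed policy ceiling for any zone thermostat
FIRE_ALARM_GRACE = timedelta(minutes=10)  # assumed: sprinklers should follow a detector trip closely


def parse_log(text):
    """Parse the assumed CSV-like format into dicts; key=value pairs become fields."""
    events = []
    for line in text.strip().splitlines():
        ts, subsystem, event, detail = line.split(",", 3)
        fields = {"ts": datetime.fromisoformat(ts), "subsystem": subsystem, "event": event}
        for pair in detail.split(";"):
            if "=" in pair:
                key, value = pair.split("=", 1)
                fields[key] = value
        events.append(fields)
    return events


def find_alerts(events):
    """Return (timestamp, rule, detail) tuples for the three conditions described above."""
    alerts = []
    comms_down_since = None     # when alarm reporting to responders was last cut
    last_fire_detected = None   # last detector trip seen, if any
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = (ev["subsystem"], ev["event"])
        if kind == ("alarm", "comms_disabled"):
            comms_down_since = ev["ts"]
            alerts.append((ev["ts"], "ALARM_COMMS_DISABLED", f"channel={ev.get('channel')}"))
        elif kind == ("alarm", "comms_restored"):
            comms_down_since = None
        elif kind == ("alarm", "fire_detected"):
            last_fire_detected = ev["ts"]
        elif kind == ("hvac", "setpoint_changed"):
            setpoint = float(ev.get("setpoint_f", "nan"))
            if not setpoint <= MAX_SETPOINT_F:  # "not <=" so a missing/NaN value also alerts
                alerts.append((ev["ts"], "SETPOINT_OUT_OF_POLICY",
                               f"zone={ev.get('zone')} setpoint_f={setpoint}"))
        elif kind == ("suppression", "sprinkler_on"):
            recent_fire = (last_fire_detected is not None
                           and ev["ts"] - last_fire_detected <= FIRE_ALARM_GRACE)
            if not recent_fire:
                detail = f"zone={ev.get('zone')} no fire detection"
                if comms_down_since is not None:
                    detail += f"; alarm comms down since {comms_down_since.isoformat()}"
                alerts.append((ev["ts"], "SPRINKLER_WITHOUT_FIRE", detail))
    return alerts


def sprinkler_minutes(events):
    """Total minutes each zone's sprinklers were on: a rough measure of water exposure."""
    on_since = {}
    totals = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        zone = ev.get("zone")
        if ev["subsystem"] != "suppression" or zone is None:
            continue
        if ev["event"] == "sprinkler_on":
            on_since.setdefault(zone, ev["ts"])
        elif ev["event"] == "sprinkler_off" and zone in on_since:
            minutes = (ev["ts"] - on_since.pop(zone)).total_seconds() / 60
            totals[zone] = totals.get(zone, 0.0) + minutes
    return totals


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, rule, detail in find_alerts(evs):
        print(ts.isoformat(), rule, detail)
    print("sprinkler minutes by zone:", sprinkler_minutes(evs))
```

Run against the constructed log, the block raises one alert for the cut alarm channel, one for the 95 °F setpoint, and one for each sprinkler activation, and reports 60 minutes of water on the library zone. The check that matters most is the last one: a suppression system that activates with no detector trip, especially while its link to responders is down, should page a human no matter what the controller itself reports.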
In less than two weeks I return to training: hacking into the control signals of drones, and using drones to hack where you can’t otherwise reach. I am quite pleased that the “good guys” were forced to adopt aggressive attack as a method of network defense.
Jim Havron, CA, CEH