Changing the headline

When I think about security, I wonder about how things are affected by it. Simply from the appearance of something feeling safe, one might do a number of things: take a walk at dusk; let a baby pet a pit bull; use a zip line over a thirty-foot drop over rocks. At one time or another, someone decided these things were OK to do so they did them. Without the appearance of something being dangerous, someone still might reflect on those risks and brave the consequences. You don’t have to be brave to do them, but knowing that what you do can result in injury is one component that someone may or may not consider before doing anything.

I know a girl who rode a zip line in Vermont who fell onto a pile of rocks. She suffered a concussion that changed her ability to process loud noises. For a year and a half after the fall, she could not read or use the computer for more than minutes at a time. She could not be in the same room as two other people who were speaking in regular volume. Indoor lights bothered her, so she wore sunglasses during the day. Before her accident, she was able to process sound, read books, and log onto Facebook without experiencing illness or needing to wear protective eyewear. She could run, jump, and yell and she was like a wild animal, but her injury changed her, if for a moment.

I feel like people know so much nowadays, about the dangers of things. The risks involved in anything are so great. We know how in an instant all we thought to be guaranteed might vanish or somehow slip away. This is not unlike how when we use the computer, we assume things will be secure. The simple click of a button affords us this. Now and again I realize how with simplicity I rely on convenience to be there, technology never to fail, and people to go on how they did the day before and the day before that.

Because as people we are reliant on our past experiences to help predict future outcomes, since yesterday was somehow fine, I am confident that tomorrow will be the same way. This is a human error, how we can be so over-confident about the future based on past results. This is how people can do seemingly silly things based on the appearance of security, the mark of one day being measured by the prior day’s success. What we can see with our failed logic is a pattern that reads similarly to a gambler in a casino, or a thrill seeker in life. The measure of security is not from the precautions we have taken to assure we are immune to threat, but the ignorance of real attacks that might happen in the absence of any precaution whatsoever.

When people who use wireless technology fail to protect their connection, it is a gamble that everyone takes. In a study published in the Communications of the ACM, Chenowith, Minch, and Tabor used a college campus to study the behavior (Chenowith, Minch, & Tabor, 2006, p. 135). The study examined “wireless user vulnerabilities” and “security practices” in an attempt at measuring the users whose connections are not protected (Chenowith, et al., 2006, p. 135). The study also tallied the wireless devices “compromised by malicious applications”, such as viruses, worms, and surveillance software (Chenowith, et al., 2006, p. 135).

Our goal was to directly investigate how well wireless users are securing their computers and the threat level associated with wireless networks. Using a university campus wireless network, we performed a vulnerability scan of systems shortly after users associated to campus access points. The scans were performed using Nmap (www.insecure.org), a popular open source scanning tool. The results of the Nmap scans were used to determine the proportion of wireless users not using a firewall, the prevalence of malicious applications, and the proportion of users with open ports. (Chenowith, et al., 2006, p. 135)

The surveyors chose this population because its use of wireless networks directly represents that of the general population. Other than user authentication, there are no security measures (such as WEP) in place on the wireless network, although users agree at login that their system patches are current, that they are using an anti-virus program, and that they understand they are subject to university computing policies (Chenowith, et al., 2006, p. 135). If users desire additional security, they must provide it themselves (Chenowith, et al., 2006, p. 135). This environment of minimal network-level security and heavy reliance on user initiative makes the campus wireless network reasonably representative of public hotspot-based wireless networks in general (Chenowith, et al., 2006, p. 135).

Subjects for the study were authorized users of the campus wireless network. The total university population includes 18,599 students and approximately 2,100 faculty and staff. The university is a commuter campus with a non-traditional population of 15,779 undergraduate students (average age 26) and 1,663 graduate students (average age 36), with 54% female and 45% male (1% unspecified). Most students live off campus, and many have part-time jobs or full-time careers, often with one of several local high-tech firms. We view the non-traditional nature of the student subjects as a positive factor for the study as we believe it makes them more representative of the general public and workforce than traditional students would be. (Chenowith, et al., 2006, p. 135)

Since the study is a mirror of the real world, the results are used as a measurement of the steps people take or do not take to secure their wireless connections in the general population.

The results of the study are illuminating. The data of the Nmap scan shows that 304 computers (9.13% of the 3,331 computers) were not using a firewall (Chenowith, et al., 2006, p. 136). Even with a firewall enabled, systems can have open ports (Chenowith, et al., 2006, p. 136).

Since any open port is a potential security risk (Chenowith, et al., 2006, p. 136), the study measured open ports, and found 287 computers (8.62%) scanned had at least one detectable open port (Chenowith, et al., 2006, p. 136). Of the 287 computers with detectable open ports, 189 (65.85%) had at least one open port with well-known vulnerabilities. Of the 287 computers with detectable open ports, 98 (34.15%) had no open ports with well-known vulnerabilities (Chenowith, et al., 2006, p. 136). Simply put, when a user had open ports, more than 65% of the time at least one of these was a port that posed an important security risk (Chenowith, et al., 2006, p. 136).
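As an added example (not from the study or from this essay), here is one way tallies like these can be derived from Nmap's grepable output (-oG) for a network you administer. The sample scan lines are constructed, and the watchlist of file-sharing ports (135, 139, 445) is an assumption, since the essay does not name the ports.

```python
# Constructed sample of Nmap grepable (-oG) output; not data from the study.
# Addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_OG = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 80/closed/tcp//http///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh///
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 135/filtered/tcp//msrpc///, 445/filtered/tcp//microsoft-ds///
Host: 192.0.2.13 ()\tStatus: Up
"""

# Assumption: ports treated as "well-known risky" (Windows file/print sharing).
WATCHLIST = {135, 139, 445}

def pct(part, whole):
    """Percentage rounded to two decimals, as the figures are reported above."""
    return round(100.0 * part / whole, 2) if whole else 0.0

def summarize(grepable_text, watchlist=WATCHLIST):
    hosts = {}  # address -> set of open port numbers
    for line in grepable_text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip comment lines such as "# Nmap ..."
        fields = line.split("\t")
        addr = fields[0].split()[1]
        open_ports = hosts.setdefault(addr, set())
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[0].isdigit() and parts[1] == "open":
                    open_ports.add(int(parts[0]))
    with_open = [h for h, ports in hosts.items() if ports]
    risky = sorted(h for h in with_open if hosts[h] & watchlist)
    return {
        "scanned": len(hosts),
        "with_open_port": len(with_open),
        "pct_with_open_port": pct(len(with_open), len(hosts)),
        "with_watchlist_port": len(risky),
        "pct_of_open_on_watchlist": pct(len(risky), len(with_open)),
        "watchlist_hosts": risky,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_OG))
```

Only ports reported as open are counted; filtered and closed entries are ignored, so a host that appears only with filtered ports is scanned but has no open ports in the tally.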

The most frequently open ports are also some of the most dangerous. The top three open ports were designed for file and print sharing across computer clusters and can potentially be exploited by attackers through null sessions. (Chenowith, et al., 2006, p. 136)

Individual systems can use “null sessions” (no username or password required) to establish connections between computers using these ports. It is well known within the security community that it is possible for an attacker to exploit null sessions and gain access to a system through one of these ports. (Chenowith, et al., 2006, p. 135)

Malware can do a lot of things, including keystroke logging, username and password detection, and online monitoring of web activity. This allows someone other than yourself to silently view and capture your personal information, including credit card accounts, personal emails, Google search history, and Social Security number.

A total of 17 computers (0.5% of the computers scanned) had at least one malware application installed. Although a small number relative to the total number of wireless users, the existence of malware is important because any one of these infected systems may be used to launch attacks against the larger client population. (Chenowith, et al., 2006, p. 136)

Many infected computers had multiple malware applications present. Of particular interest, and somewhat alarming, is the presence of network monitoring and packet sniffing applications. Of the 17 infected computers, 12 also had at least one network monitoring/packet sniffing application. The most common network monitoring tools found were Nessus, Bigbrother, and Netsaint. (Chenowith, et al., 2006, p. 136)

Are the vulnerabilities in a system consistent across every user? No. However, on shared networks, the connection is only as secure as its most vulnerable link. Because 17 computers were already infected with malware, those machines were potential launch points for attacks on every other computer among the 3,331 scanned. If everyone is as ignorant as the least protected user, then everyone is under threat of attack.

Is the technology worth the risk? This question is asked in a more meaningful way, especially when users who also carry work laptops and mobile devices with them outside of work expose their company to security breaches. The threat is real, but the question remains. Is it worth it? Do you feel lucky? I am reminded of so many things when I think about this risk, among them an episode of the NBC TV show 30 Rock. In one episode, Tracy Jordan (Tracy Morgan) and Jack Donaghy (Alec Baldwin) are talking about how to change the public’s perception of Tracy.

Jack:

Everyone thought Prince Hal was a drunken wastrel. But when he became king he transformed himself into a wise and just ruler. He changed the headline. That’s what you have to do, Tracy. If you’re open to it, I’m very good at giving advice. For instance, with your obit[uary] problem. You’ve spent years creating a certain public image, but you can change that. You just have to do what Prince Hal did.

Tracy:

You know something, Jackie D? That thing I said earlier about Prince Hal got me thinking. I have to change my headline.

Jack:

Yes, that’s what I just said. Now if I can help you…

Tracy:

No, no, no Jackie D. I don’t need your help. I’m Tracy Jordan. When I go to sleep, nothing happens in the world. (Gentleman’s Intermission)

Sometimes we all want to be Prince Hal. If we go to sleep, nothing happens in the world. We are not at risk. Nothing bad happens. This is the same approach that so many take when securing their computers at home. If the risk never comes to bear, it all might be best left to chance.

References

Chenowith, T., Minch, R., & Tabor, S. (2010). Wireless Insecurity: Examining User Security Behavior on Public Networks. Communications of the ACM, 53(2), 134-138. http://eds.a.ebscohost.com/eds/pdfviewer/pdfviewer?sid=043d2ad0-0c4c-47a3-b75a-0d0faef42c18%40sessionmgr4004&vid=1&hid=4210.

Gentleman’s Intermission. (2015). Retrieved from http://www.30rockquotes.net/seasons/season_5/30rockquotes_gentlemans_intermission.cfm.