Tuesday, August 07, 2007

Minneapolis Bridge Lessons for Digital Security

The Minneapolis bridge collapse is a tragedy. I had two thoughts that related to security.

  1. If cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge collapsed due to structural or design flaws, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 proper response is to investigate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 designers, contractors, inspectors, and maintenance personnel from a safety and negligence perspective. Based on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 findings architectural and construction changes plus new safety operations might be applied in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 future. This is a technical and operational response.

  2. If cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge collapsed due to attack, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 proper response is to investigate, apprehend, proseceute, and incarcerate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 criminals. Redesigning bridges to withstand bomb attack is unlikely. This is a threat reduction and deterrence response.


Do you agree with that assessment? If yes, why do you think response 1 (try to improve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "bridge" and similar operations) is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 response to every digital security attack (i.e., case 2)? My short answer: everyone blames cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 victim, not cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 criminal.

The NTSB is on scene in Minneapolis with law enforcement to figure out if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge collapse was caused by scenario 1 or 2. Why don't we have a National Digital Security Board investigating breaches? My short answer: it's easier to hide a massive security breach than cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 destruction of any bridge, building, plane, or train.

13 comments:

hogfly said...

Richard,
I think if #1, They understated cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 "minor things that needed attention". The bridge was reported to be about 40 years old and was last inspected in 2006.

Could this be a case of set it and forget it based on assumption that concrete construction couldn't fail in only 40 years because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 designers claimed it would have to be replaced in 2020?

Sounds a lot like security companies and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 misgivings of management when cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 security folks say "it's a minor risk if we leave it". Ooops.

It is an awful tragedy.

yoshi said...

Its #1. I work a mile away from it and my boyfriend witness cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 collapse. I also know one person in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 hospital. Now that I am back from defcon I'll be walking over and checking it out myself.

Its not a cement bridge. It was a steel bridge. In fact it had many construction qualities about it that made it unique including one of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 longer steel beam spans so cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y could avoid putting cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 peers in cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 water. So, imho, its a bad example.

But to your point - I was at defcon over cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 weekend and it continues to amaze me how many people avoid using cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 network because "its hostile" (i fail to see how its more hostile than an airports wifi but I digress). Both myself and peers happily plugged in and even vpn'ed to our respective companies networks to grabbed e-mail. Why did we do this? Simple because our defenses are sound. You can build sound, stable, and secure infrastructure that can withstand attacks. The problem is many don't.

Anonymous said...

Hi Richard,

It's JB - making a comment on your bridge post just to try to figure out how to get in touch with you. Remember me, I'm cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Alt-F4 guy...?

Hope you're doing well and would like a way to contact you directly. Email me at jabesnyder@hotmail.com and I'll reply.

Best,

JB

Anonymous said...

Going to your point of "everyone blames cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 victim," I would venture to guess that unlike a bank robbery which would make local news, most companies don't report many security breaches that involve cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 lost of confidential and valuable data. That's where hopefully efforts like Infragard facilitate cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 reporting and handling of cybercrime in a sensitive manner.

At this point, after cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft has taken place, my guess is that no one knows cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 company is a victim because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 party is too afraid or too ashamed to come forward. What do you think of laws that compel companies to report data cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365ft or security breaches? Do cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y work well? Also do you think that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365se crimes are more widespread than reported, or has vendor hype in an attempt to sell security tools caused reporters to sensationalize cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 issue? Thanks.

Dan Weber said...

Going after cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 perpetrator doesn't always work, especially if cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are dead.

The US has pretty much avoided suicide attackers so far(outside of 9/11), but deterrence is hard to do against cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365m.

I'm not sure what cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 response is, because hardening a bridge seems nearly impossible. I think we need to just live with an attack every N years, like we deal with M thousand driving deaths every 1 year.

jbmoore said...

There may be no negligence involved,or cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 negligence may be with cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bureaucrats and politicians who cut upkeep. The bridge failed completely and suddenly from looking at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 video. According to wikipedia.org, it had no redundancy. The failure could have been due to natural resonance. The contractors on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge who were removing concrete and resurfacing noticed cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 harmonics. Then too, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge is in Minnesota. It underwent over 40 years of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rmal cycling and salt corrosion. Couple that with visual inspections that may have easily missed damage and you have what we've seen. You can't rule out number two though, because a contractor might have used substandard steel which would be criminal and not negligence.

Anonymous said...

http://p068.ezboard.com/bminnesotabridgecollapse

A board to discuss cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 collapse

Unknown said...

If my server gets pwned at work, do we really need to call in an oversight board? Eventually we would have to figure out how big is big enough to invoke some oversight review... It would help wiwth bridges because bridges are built publicly and used publicly, whereas companies are not always so public. Liability is a whole new ballgame, I guess.

What about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 costs of upgrading cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge? Maybe it was outdated and new discoveries and technologies could have dramatically improved it? Then we get into talks about costs and risks, which isn't really fair in comparison to digital security because of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 human life factor. The same with Katrina and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 levees not being good enough for that 500-year storm. Risk was taken and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y failed on those odds...

I don't think cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re is any right answer unless you can answer cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 question: Do you work under cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 assumption that you need perfect security (craftmanship/safety) or do you work on some gradient of risk?

I read in one place that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y were working on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge in recent weeks. It might be possible that work interrupted cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 integrity of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 bridge, maybe maintenance or perhaps upgrades? Even Blackberry can tell us about cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 possibilities for upgrades taking something offline for a moment...

(Sorry I'm not more cohesive in my response, sitting in a coffeeshop at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 moment...)

jbmoore said...

Yes, it comes down to risk, but $300 million and some proper oversight of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Corp of Engineers and its contractors would have been a lot cheaper insurance than cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 $30 billion us taxpayers are paying for Katrina's mess. Anocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r example with Katrina is cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 insurance companies contesting storm claims. If cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y don't pay your insurance claim when your mission critical app goes down due to a datacenter accident, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n your premiums were money down cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 drain.

Anonymous said...

Actually as JB said above, you really should have a way to contact yourself directly.

Most ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r security researchers do ... even ones that are better than you.

Richard Bejtlich said...

Anonymous,

Are you talking to me? If yes, what part about "Dedicated to FreeBSD, network security monitoring, incident response, and network forensics. Email taosecurity at gmail dot com." at cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 top of my blog did you miss? And why cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 need to mention anyone "better than me?"

Tom Pick said...

As a resident of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 city who lives on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 north end and often works on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 south end, that could have been me. It did however take cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 life of an information security expert at one of my client companies. Peter Hausmann at Assurity River. There’s a piece on him here:

http://minnesota.publicradio.org/display/web/2007/08/07/hausmannobit/

So, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 tragedy had a more direct link to network and information security than even Richard’s post imagined.

Anonymous said...

Nice post