I wrote this message in 1999, and it was not very well received by some; I do, however, still stand by this posting and its comments. After September the 11th (2001) I hope that people may well think a little more about some of those "unthinkable scenarios" which many people would have told me some of my advisories are. This mail was sent to a list of highly placed Internet people and has been edited slightly to remove it from the context of both the list and the times in which it was written. The writing in this message isn't polished since it was just typed straight in, but I do feel the message is still fairly valuable.

Bunker Bunkum.
--------------

This list has been slow recently, so I thought I would send some random musings of a security person. This one may well be a bit long, but if you have a good imagination and have access to anything potentially valuable, you may want to read it anyway.

A few people don't understand why I have been moving further and further into the physical and "spycraft" side of security, rather than sitting on my arse taking more and more Firewall-1, Cisco and NT courses. OK, so I am a bit of a weirdo, which helps, but that's not the complete reason ;)

I got a phone call last night from someone who knows nothing about our industry, who has come up with a business proposition. He was aiming more at banks' IT departments rather than the Internet ones, but I may have changed his business plan for him a bit. Incidentally, just because he knows nothing about our industry doesn't mean he's thick - I know very little about his industry, and sometimes I feel I don't want to know even as much as I do!

In close protection circles, there's a dodgy trick often used to get work. You get your own team of bodyguards, surveillance and counter-surveillance people, and you plan a hit on someone else's high-profile client. You prove that their counter-surveillance people didn't spot your teams, you prove with photographs that you successfully hit their client on a number of occasions, and in theory the existing team are shown to be so crap that they are sacked, and you get the contract. It's quite a costly operation in reality, because the sort of clients that pay well usually have good protection, but the thing is, it's worth it, since people are willing to pay a lot of money when it's their life on the line.

Internet companies are starting to run a lot of critical systems. Near-root DNS servers are a hell of a juicy target for hackers, some of the e-commerce servers they run are big, and lots of banks and financial institutions are now running servers and traffic through ISPs. Now, hackers aren't really bad people. I have never met a hacker who really has that much of an interest in stealing lots of money unless their strings have been pulled by someone else (eg: Citibank), so the electronic threat to these systems may well be less than people think - that's a good job really, considering the standard of most companies' security people and security systems (if they have them at all!).

Some ISPs are starting to realise there is a more physical risk and are using "secure telehousing" - everyone who has been involved with secure telehousing knows that this is an oxymoron in most cases, so we now have companies who think that security involves buying up a surplus nuclear bunker and housing their secure servers in that. The industry is slowly starting to realise that it is at risk, it would seem, but does it have a clue where to start, or is it just hoping a few metres of concrete will help?

Now... We go back to the phone call. In the past, it used to be "trendy" to kidnap bank managers and get them to open safes and things. This is all a bit old hat; banks now have duress systems and have taken a lot of the control off the people who are at risk of this sort of crime, anyway. ISPs (and telcos, oddly) don't. In the past, most criminals haven't had a clear understanding of the electronic world.

The basic premise of the call was actually completely legal; it was asking if there was money to be made in this industry by doing a full-scale threat analysis on some of the more financially useful ISPs, background checking their key staff, putting them under surveillance for a couple of weeks, checking on their family, the usual stuff; and then planning an operation to take that ISP and its customers for as much as possible, if necessary using its staff under bribery or duress to help. Then, presenting the operation notes to the ISP in question, and saying "You, my boys, need a good security team". The comment on the bunker system, remembering that sometimes people have to be let into that bunker, was (paraphrased) "If I threaten to peel his fucking child, he'll do anything I fucking want him to do".

Anyway, I have been mulling over this idea. Like a lot of security propositions at this level, there's only a sense of ethics really between actually doing the operation and popping the whole dossier on an MD's desk... I was wondering what the telcos and the ISPs would do if presented with one of these - would they even take notice? Would any of you take notice? Do any of you even have, let alone know what a duress system is, and would it help?

Seem far-fetched? Next time you are bored, ask yourself what happened to all those exceptionally well trained KGB agents, etc etc etc, who now have no work, and ask yourself where most of the world's money is going to be in the future when they get bored of drugs. Professional security people and professional criminals are now starting to take a huge interest in this industry, which is mainly protected by dabbling amateurs, and if nothing else, it should make things more interesting.

Michael.

(C) Michael Lawrie, Thu 30/09/1999.