Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    October 2014
    S M T W T F S
    « Sep    
     1234
    567891011
    12131415161718
    19202122232425
    262728293031  
  • About Us

    Zombies (the shambling, brain-eating kind, rather than the computer kind) are all the rage these days. They’re on TV shows and video games. There are even real-life zombie walks. For whatever reason, they’re the current, fun way we like to scare ourselves.

    It’s not surprising when people are looking to make a little fun mischief that they would pick zombies. There’s a point where hacking and playing come together, and we’ve seen this lately with zombies. People have hacked roadway signs to warn drivers that zombies are on the road ahead. Last week, we heard about the Emergency Alert System being hacked to warn residents watching TV news in KRTV in Great Falls, Montana that “the bodies of the dead are rising from their graves and attacking the living.”

    We read these stories and share them and laugh because it is clever and funny. But there’s a real danger here that’s no laughing matter.

    Critical Infrastructures Can be Compromised

    At its heart, what’s happening is that critical public safety communications infrastructure is being compromised and used outside its intended purposes.

    We can see some of the more dangerous results when critical public safety communications infrastructure is compromised in the form of “swatting.”  An instance of swatting is when people call the 911 system to submit false calls for help. Typically, these result in fully armed SWAT teams being sent to the houses of unsuspecting, innocent people. No one has been killed in these incidents, but that has more to do with good training and luck. The fact is that the system is being compromised in a way that is putting people at real risk by sending fully armed teams into situations they believe may require deadly force (and where their own lives are at risk).

    To understand the real risks in hacking highway signs and the Emergency Alert System, we have to focus on the fact that all the instructions we’re seeing are false but funny, and also absurd and implausible. We know it’s a joke and we don’t take action. But what happens when the instructions are false but plausible?

    Take the Halloween radio broadcast of War of the Worlds by Orson Wells on October 30, 1938 to get an idea of what can happen here. CBS Radio broadcast a dramatization of H.G. Wells’ War of the Worlds. They chose to do it in the form of a seemingly-real radio news bulletin broadcast. Even though there were announcements that it was a dramatization and even though the idea of an alien invasion may seem implausible to us, enough listeners found the fictional story (false information) to be plausible enough that they believed it and acted on it. The dramatized reading of a classic story caused panic.

    This didn’t cause widespread panic, but enough of a reaction to be noted and cause a discussion about the credibility of the radio (and the wisdom of using such a realistic format). The important lesson for us is that people will trust less plausible information to be real if it comes out of trusted channels.

    A Time to Realize and Understand the Risks

    The Emergency Alert System is designed to be a highly trusted channel. It is truly a piece of critical public safety communications infrastructure in that regard. That means that a compromise of it with malicious intent can lead to truly dangerous consequences. A plausible set of instructions that a catastrophic event has happened and urging mass evacuations can lead to deaths in the stampede. Instructions that local public safety officials have been compromised and cannot be trusted can impair the ability to restore order by undermining those officials authority.

    In cyber security, there’s an awareness of the risks to critical infrastructure in the areas of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks. We’ve talked about best practices to secure these systems, and we believe it is high time to start understanding that public safety communications systems are also a key part of the critical infrastructure and need to be secured as such. Otherwise, in the future, we may not be getting fake messages about zombies: the faux announcements may take on the very real tenor of warnings about tsunamis, earthquakes, or preparing to protect yourself against a non-existent civil uprising.





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon




    Comments are closed.



     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice