Site Review – Scribd
- At February 13, 2009
- By Josh More
- In Business Security
Scribd isn’t as well known as many other sites, but what it does, it does quite well. Simply put, it’s a way to share documents via the web. The documents can be in various formats, and the site automatically converts them for you. Once you’ve uploaded a document, you then get the ability to embed it in different sites and download it in different formats. It’s a nice and easy way to share documents.
Pros:
- Easy to use
- Free
- Shifts the bandwidth for hosting large files to someone else
Cons:
- Requires Flash and therefore may not work well on all platforms (there have been problems with Linux in the past)
- It’s weak on the social networking
- Only two levels of document security: “public” and “private”
- Search doesn’t allow you to search by licensing
The same caveats about security apply to this site as others. In short, you have no way to guarantee that people will use your documents according to the license terms you set, and you have no guarantee that others have the rights to upload the documents that they do. So, be careful building a business model around this site.
However, like many other “Web 2.0” sites, the ease of use of this system makes up for some of the legal ambiguity. Moreover, since it doesn’t support many of the social networking features (pretty much just comments), there’s little risk of social engineering here. In fact, the biggest risks would be getting malware from downloading the original and trusting information that you shouldn’t.
Malware
The way that Scribd works, you upload a document and they automatically convert it into other formats. It is highly unlikely that malicious applications would survive an automated conversion between formats, but if you download the original, you might be at risk. You can avoid that one pretty easily by just viewing the document in the built-in viewer.
Trusting Information
This one is a risk pretty much all over the Internet, but it can be a bit trickier here. For those in the security field, consider this as a variant of cross site scripting. For those who don’t know what I’m talking about, just bear with me.
See, it’s very easy to make an account. You pick your name, you build your profile, you upload your docs. It would be very easy, for example, for an attacker to pick a moderately known public company and create an account for them. Then, they’d pull down the latest SEC documents and press releases and upload them to the site. Then, they would simply need to fabricate a press release or similar document that would indicate a change in stock price. Once that’s there, the easy sharing nature of Scribd becomes its weakness, as it would be trivial for the attacker to post a link to the document and embed it in a different context (be it an email or on a website somewhere).
With this sort of attack, the target is duped into believing the information is accurate and then provoked into a predictable response (often, a “buy stock” or “give me your credit card” response). It would be important to verify any information before acting, especially if it’s marked as “urgent”. The Internet allows us to share vast amounts of data very quickly. This puts social pressure on us to react similarly quickly, and that is exactly what an attacker relies upon.
Conclusion
I use Scribd, albeit not a lot. I think it fills a need, but my content is increasingly in non-document forms, so Scribd doesn’t really apply much. If you are still writing for the print format, but want to share that work via the Internet, Scribd is a great tool. Get an account, become familiar with the system so you can recognize when it is used outside of the main site.
As always, view all emotionally charged content as suspect and verify it before you act.
Small Business Defense – Antimalware
- At February 12, 2009
- By Josh More
- In Business Security
As many have noted before me, antivirus is dead. However, let’s clarify a few things.
First of all, you are more likely to get hit with a virus if you don’t have antivirus than if you do, so it’s not exactly useless. Second, you can get antivirus systems for free (Windows version here) so there’s no economic reason not to run one. However, if you go into the process thinking that if you install an antivirus system, you’re done, then you’re making a mistake. Antivirus may not be dead, but your system will be.
See, the way that antivirus works is by maintaining a set of signatures, or unique identifiers for a piece of malware. This worked well enough twenty years ago, but these days, the people that write malware are pretty good at making each one have a unique signature. So, these things can change and morph faster than you can keep up. However, you’ve got to do something, right? What are your options?
Ignore The Problem
My mother used to tell me that if I ignored the mean kids, they’d stop teasing me. She was wrong. In the same way, ignoring this problem will not make it go away. Instead, it will likely create a situation where your systems get infected and then spread that infection to your customers and partners. I hope that we can agree that this is no solution.
Host-Based Intrusion Prevention
Many of the traditional antivirus vendors have started rolling host-based intrusion prevention systems (HIPS) into their products. These systems shift the problem from scanning the entire system to looking at what actually runs. These systems can detect common security flaws and prevent malware from accessing them. With some vendors, they are combined with application blacklisting, so you can use the same system to prevent employees from running games or installing browser plugins.
Perimeter Control
In the past, we’ve used a firewall to prevent access to internal systems. Some people are trying to extend this idea and pushing extra capabilities onto these network devices. The logic is that if you control where your people can go (web filtering) and what can come to them (email filtering), you can block malware at the edge of your network. It’s a nice theory, but given that you also would have to deal with USB drives, MP3 players, CD/DVDs, wireless networks, etc etc, I have my doubts that this technique will be effective.
Application Whitelisting
As many people do, once they’re told that something’s not working, they go to the opposite extreme. In this case, instead of building a blacklist of “bad” applications, they try to identify some known “good” applications and only allow those to run. While I’m not a fan of extremism, it seems to be working in this case. Bit9 seems to be the current leader in this space, but it’s only a matter of time before there are others. The one caution here is against relying on this technique alone: if anyone uncovers a flaw in the technology that prevents the non-whitelisted applications from launching, they can then launch anything they want. Also note that, depending on your organization, it might take a long time to define the “good” applications.
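To make the difference between signature blacklisting and application whitelisting concrete, here is a small added example (not code from any antivirus or whitelisting product). It assumes that a signature is simply the SHA-256 hash of the whole file, which is a simplification, and every "program" in it is a constructed byte string.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed byte strings standing in for program files (no real software).
SAMPLES = {
    "payroll_v1": b"constructed: approved payroll application, version 1",
    "payroll_v2_patched": b"constructed: approved payroll application, version 2",
    "known_bad": b"constructed: unwanted program, build A",
    # One byte differs from known_bad, standing in for a re-packed variant.
    "morphed_bad": b"constructed: unwanted program, build B",
}

# Blacklist: signatures of what the antivirus vendor has already seen.
BLACKLIST = {sha256(SAMPLES["known_bad"])}
# Whitelist: what the business approved when the image was built.
WHITELIST = {sha256(SAMPLES["payroll_v1"])}

def blacklist_allows(data: bytes) -> bool:
    """Default allow: run unless the file matches a known-bad signature."""
    return sha256(data) not in BLACKLIST

def whitelist_allows(data: bytes) -> bool:
    """Default deny: run only if the file matches an approved entry."""
    return sha256(data) in WHITELIST

def compare(samples):
    """Return {name: (blacklist verdict, whitelist verdict)}; True = may run."""
    return {n: (blacklist_allows(d), whitelist_allows(d)) for n, d in samples.items()}

if __name__ == "__main__":
    for name, (bl, wl) in compare(SAMPLES).items():
        print(f"{name:20} blacklist={'run' if bl else 'block':5} "
              f"whitelist={'run' if wl else 'block'}")
```

The changed build gets past the blacklist but not the whitelist. The patched payroll application is also blocked by the whitelist until its new hash is approved, which is the maintenance cost of this approach.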
Loss Detection
One thing I recommend is to recognize that your system will probably get compromised eventually, no matter what you do. If you implement a system that can identify your important data and let you know when it detects it somewhere where it’s not supposed to be, you can at least know that there’s a problem. Small comfort, I know, but it’s better than not knowing, right?
Combination
Every organization will have a different set of needs and will need a different solution. However, there are a large number of businesses out there that would likely benefit from the following type of solution:
- Application Identification – Take the time to identify which applications are required for business.
- System Imaging – Build a standard “image” of all applications that a system should have and deploy to all computers.
- Application Whitelisting – Install a product like Bit9 (there are others) to prevent anything non-approved from running.
- Antivirus – Install a product like ClamAV (free) or Sophos (pay) to serve as an additional layer of defense… especially if you have laptops.
- Document Repository – Use a centralized document repository to keep all of your documents and log who accesses them when.
- Operations: Applications – On a regular basis (monthly is good) patch all applications in your image, update the application whitelist and push the changes out to all systems.
- Operations: Data – On a regular basis (monthly is good, quarterly is acceptable, yearly is not), review the access logs on your repository and make sure that things are reasonable.
There is a lot more that you can do, and if you have servers, a lot more that you should do, but as you’re likely not doing the above yet, hopefully this gives you a good place to start.
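For the "Operations: Data" step, here is one way a periodic review of repository access logs could be automated. This is an added example, not part of any repository product. The CSV layout, the thresholds and the sample log lines are all assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the column layout is an assumption, not a real format.
SAMPLE_LOG = """\
timestamp,user,document
2009-02-02T09:15:00,alice,contracts/acme.doc
2009-02-02T10:40:00,bob,hr/handbook.doc
2009-02-03T14:05:00,alice,contracts/acme.doc
2009-02-04T02:13:00,carol,finance/tax-2008.xls
2009-02-04T02:14:00,carol,finance/payroll.xls
2009-02-04T02:15:00,carol,plans/business-plan.doc
2009-02-04T02:16:00,carol,contracts/acme.doc
2009-02-05T11:30:00,bob,hr/handbook.doc
"""

def review(log_text, max_docs=3, work_hours=(7, 19)):
    """Flag users who touched many distinct documents or worked off-hours."""
    docs = defaultdict(set)        # user -> distinct documents accessed
    off_hours = defaultdict(int)   # user -> accesses outside work_hours
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        docs[row["user"]].add(row["document"])
        if not work_hours[0] <= when.hour < work_hours[1]:
            off_hours[row["user"]] += 1
    findings = []
    for user in sorted(docs):
        if len(docs[user]) > max_docs:
            findings.append((user, f"{len(docs[user])} distinct documents"))
        if off_hours[user]:
            findings.append((user, f"{off_hours[user]} off-hours accesses"))
    return findings

if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"review {user}: {reason}")
```

A finding is a prompt to ask a question, not proof of a problem; the thresholds should be tuned to how your people actually work.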
Small Business Attack – Malware
- At February 11, 2009
- By Josh More
- In Business Security
It’s interesting how business awareness lags actual security threats. I was having a conversation recently with someone who said something like “yeah, we get hit by a virus about once a month, but we clean it up and keep going”. This took me aback as I realized that there are a significant number of people out there that don’t view malware seriously.
This is our fault. For years, we’ve been classifying threats and discussing their differences instead of focusing on their similarities. If you’ve touched any IT in the last decade, you’ll recognize the following list of words: virus, worm, trojan, spyware, adware, malware. You’ve probably been told that your antivirus application will take care of it, so you run it and get on with your life. Well, I’m sorry to break it to you, but you’ve been lied to.
We’re at the end of what antivirus can do. We’ve also reached the point where malware (malicious programs) has moved from being annoying to being evil.
Back in the day, malware would spread from system to system and slow things down. Sometimes, they’d delete files. That was then.
Today, people are using these systems to create what are known as bot armies. Once they take over your computer and add it to their armies, they can do anything they like to your computer. Like what?
- Conduct attacks on other networks
- Store illegal materials (often child pornography) on your computer
- Crack passwords
- Banking data
- Harvest all proprietary data (trade secrets, tax information, business plans, source code) from your network
- Harvest client data (credit card numbers, social security numbers) from your network
Basically, if you get infected with malware, the attackers can get anything they want from you. Any file you have, any site you browse to, any email you send or receive. It’s all theirs.
It’s more than a nuisance. What are you doing about it?
Security lessons from Nature – Fire ants and lizard evolution
- At February 10, 2009
- By Josh More
- In Natural History
Borneo is a fascinating place. It is a land of edible birds’ nests, dragon’s blood and gold. Oh yeah, and don’t forget the parachuting cats (pages 29 and 31 are best, or, if you prefer, there’s a boring version.) But as much fun as the cat story is, I’d like to talk about ants instead. Ants, lizards, and the economy.
The news about the US economy isn’t all that good… depending on what “good” means. I personally have my doubts as to whether ever-increasing growth is a good thing. When that happens in a population like Borneo, we call it an epidemic (malaria) or an infestation (rats). When it happens in a person, we call it cancer. When it happens in the stock market, we call it “business as usual”. Methinks that there’s a misunderstanding somewhere, but I’ll let the economists handle that.
As I look at the news over the Internet and I hear from my friends, I’m seeing companies failing and people being laid off/let go/fired. Whatever terms you want to use, it’s pretty awful for people whose jobs are on the line, as they are in a position where they don’t have control over their own lives (much as if they were fighting malaria or cancer, actually). It is not surprising that the phrase “job security” would be bandied about right about now. For years I’ve been told “there’s no such thing as job security” and that I should “work to put myself out of work”. This doesn’t make much sense on the face of it, but when you get down to it, it’s all about control. In a lot of businesses, the bosses are in control and the employees do what they’re told. In others, the bosses and the employees work together to build something better. The former model is hierarchical and the latter model is cooperative.
Which brings me directly to ants and lizards.
See, in an ant society, you have very strict roles. The queen’s job is to lay eggs. The drones’ job is to mate with the queen, which sounds like a nice job, but they then have to die (always read your employment contract). Then you have the workers which, well, work. Then, some species will also produce soldiers who protect the nest. The model works well, and the ants are able to build very complex structures and societies within it, but the queen has all the control.
Lizards, in contrast, just sorta hatch and spend the rest of their lives eating things and laying about on rocks. Each lizard has their own autonomy and is in control of their respective lives. No one talks much about lizard edifices. Outside of science fiction and Minnesota, no one talks much about lizard societies.
But you know, they should… because the lizards are winning.
Recent developments on the fire ants vs lizards front have led to lizards evolving longer legs and faster speed. In contrast, the ants on Borneo are blowing themselves up. As with much in life, it all comes back to Borneo.
See, in Borneo, the ants are required to be suicide bombers because each suicide also takes out one invader. Taken as a whole, allowing harm to come to a few workers here and there keeps the colony safe and stable. Seems a bit like laying people off to keep the company afloat, doesn’t it? In contrast, the lizards who have learned to run away from threatening ants have survived and become successful enough for them to produce children that are even faster. They can escape the ants. They might even be able to escape parachuting cats (short version here if you skipped the earlier links).
It seems that, unless you’re independently wealthy, you have a choice to make. You can be an ant and lay your job on the chopping block to help out your company, or you can be a lizard and scurry from project to project, moving so fast that the other ants can’t keep up. Your company may or may not survive, but if you’re fast enough and good enough, you’ll likely land on your feet (like a parachuting cat, actually).
Security is an active pursuit. Your IT systems won’t stay secure if you just lock things down and then ignore them. Your job won’t stay secure if you sit around and hope for things to get better. Your business won’t stay secure if you wait for an outsider to fly over your island and drop cats on you.
Now is the perfect time to be a long-legged lizard.