elsehow

Share this post

Part 3: Computers

www.else.how

Part 3: Computers

Part 3 of a series

Nick Merrill
Mar 21, 2023
Share

This post is Part 3 of a series: What Cybersecurity Is and Why You Should Make It Your Life. This series explains what it takes to become a cybersecurity professional, how anyone can become one, and why you should.

DALL-E: “An illuminated manuscript representing the world suspended in space, resting on top of an ancient person’s idea of what a computer might look like.”

Have you ever considered how deeply computers are entwined with your daily life? From the instant you glance at your phone each morning to the work emails you exchange throughout the day, computers are the invisible backbone supporting your life. (As we’ll soon see, they do more to help you than you know).

Thanks for reading elsehow! Subscribe for free to receive new posts and support my work.

But what if, one day, you discovered your personal information had been hijacked, funds drained from your bank account, or sensitive work data breached?

In this series on cybersecurity, we have yet to delve into the role of computers. This is intentional. Security is fundamentally a way of thinking about the world around us. But it’s time to dive into the heart of cybersecurity: the computers themselves.

What is a computer?

A computer carries out a series of steps.

1

Before computers were machines, they were people—and typically women. Even when early mechanized computers came around, women made the parts. Women knitted the computer programs that sent the Apollo astronauts to the moon.

Slowly, chip manufacturing and the labor market around it brought about a revolution: personal computing. Computers, which used to be room-sized, landed in the living rooms of middle-class homes in the Global North. With increasing miniaturization, these machines landed in the pockets of middle-class consumers in the form of smartphones. Today, miniaturization and manufacturing improvements have radically decreased the size and cost of computing even further. As of 2021, 67% of people worldwide have a smartphone.

Given the extensive influence of computers on our daily lives and the countless critical systems they control, it’s no wonder that cybersecurity professionals play a crucial role in protecting our society. Their expertise is not only vital for safeguarding our data, but also for maintaining the stability and security of the systems that we rely on every day.

What do computers do?

You’re using a computer now, and your smartphone is a computer. So people use them to do their jobs. But what else do computers do?

Computers support every aspect of society.

  • Every non-cash financial transaction in the world happens on a computer.

  • Computers manage traffic lights, monitor traffic patterns, and control public transportation.

  • Computers track the movement of goods globally. Everything you’ve ever bought in a store has been followed in a computer (probably several computers) from the moment it was manufactured to the moment you walked out of the store with it.

  • …and sometimes, even when you bring the item home. Some items have computers in them—smart home devices, like smart locks and smart lights, may be tracked by their manufacturer throughout their lifespan.

  • Computers also power medicine: they do surgeries, track and deliver drugs, and triage patients—depending on your health needs, they may even live inside you.

  • Computers run power stations, water treatment plants, and more.

  • Computers help grow your food.

So, water, food, health, money, and all of our communications are safeguarded by computers—and by extension, cybersecurity professionals. We need these dedicated experts to defend the systems that form the backbone of our lives. Their work makes our world run—it keeps us from chaos.

DALL-E: “A 17th-century Yamato-e scroll depicting an evil maid sleeping into someone’s quarters to tamper with their Tang dynasty-era computer.

What does it mean for a computer to be secure?

In “What does it mean to ‘be secure?’”, we discussed the notion of “barriers to attack.” There is no absolute security, but that we can make a system secure enough that the attackers we’ve thought about will likely not bother.

The same notion applies to computers. Our goal is to raise the barrier to attack when securing a computer.

One of the easiest ways for attackers to gain access to our system is through the internet, which we’ll talk about next time. But the internet isn’t the only source of threats.

Let’s now explore a practical example of a non-internet-based threat and the role cybersecurity professionals play in prevent it.

The Evil Maid Attack

One such example is the evil maid attack, a term coined by Joanna Rutkowska, the creator of Qubes OS. The idea behind this attack is that someone with physical access to your device (an “evil maid”) could tamper with or compromise its security. (A historical example: Carlos Gutierrez, the U.S. Commerce Secretary under George W. Bush, was targeted with an evil maid attack while in China).

A successful attack can embed itself so deeply in a computer that it may become difficult for a user to tell whether the computer is compromised. Another attack invented by Joanna Rutkowska, the Blue Pill attack, traps the user’s machine in a virtual machine. A virtual machine is a program that behaves like a computer, enabling you to run multiple operating systems on a single physical machine. It allows you to install and run different operating systems and applications affecting the host machine. This provides a convenient and isolated environment to test software, experiment with different configurations, or run legacy applications.

Now, imagine that an attacker installs a virtual machine on your computer, and in that virtual machine, they run… the exact operating system you currently run. Outside of that operating system, The Attacker can see everything. Inside that virtual machine (that is, from the user’s perspective), everything appears normal. Unbeknownst to the user, The Attacker operates behind the operating system, creating the illusion of a normally functioning computer. The user cannot see outside this illusory environment, making it impossible to use the computer to inspect itself—hence the term “blue pill.”

Our goal in securing computers is to understand our attack surface area—the things attackers could attack. Once we understand that surface area, we can raise barriers to the attacks we care about.

For example, we might airgap a computer by keeping it disconnected from the internet and any other untrusted device. An airgap shrinks our attack surface area; we need only concern ourselves with attacks that can be carried out with physical access, like evil maid attacks.

Our goal in securing computers is to understand our attack surface area—the things attackers could attack. Once we understand that surface area, we can raise barriers to the sorts of attacks we care about.

DALL-E: “An ancient Mayan statue depicting a hacker, photorealistic painting.”

Exercise: Assessing your device’s vulnerabilities

Now it’s time to put your newfound knowledge to the test. Pretend your personal computer (or phone, if you don’t have a computer) is air-gapped. Let’s figure out what havoc an evil maid attack could wreak on your device.

You may want to consult the CVE database. Common Vulnerabilities and Exposures (CVE) is a database of publicly known cybersecurity vulnerabilities and exposures. Each vulnerability in the database is assigned a unique identifier number, and a description of the vulnerability is provided, along with information about how to mitigate or patch the vulnerability. A CVSS (Common Vulnerability Scoring System) score ranks the severity of vulnerabilities from 0-10, with 10 being the most severe. CVEs are important because they give The Defender an idea of what software they should patch—and give The Attacker an idea of what software they might try attacking!

Look up attacks for software you run, like your operating system, web browser or mail client. For example, here’s a recent (as of this writing) attack against Microsoft Outlook with a very high CVSS score. I found it by searching “Microsoft Outlook” and following the link to Microsoft’s site. Are you running Outlook? If so, are you running this version, or have your upgraded?

Reflect on your findings

  • What’s the worst vulnerability you found?

  • How might The Attacker use that vulnerability?

  • What might The Attacker want to achieve by using that vulnerability?

Try to connect these attacks to any attackers you thought about in earlier series.

By engaging in this exercise, you’ve taken the first step towards understanding the importance of cybersecurity and the role of professionals in this field. Their expertise and vigilance are vital in protecting the complex digital world that we all depend on.

Jargon review

Here’s the jargon we introduced. Like last time, don’t worry about strict definitions—we’ll build an intuitive sense for these terms. If you don’t remember encountering these terms, refer to the post to see how I used them.

  • Evil maid attack

  • Virtual machine

  • Attack surface area

  • Airgap

  • CVEs

  • CVSS score

1

In Attacker & defender, we mentioned ‘systems:’ configurations of people and technologies that are supposed to work a certain way. Cybersecurity, as opposed to any other kind of security, concerns itself with cyber systems—systems that involve computers—which leads us to Steve Weber’s deliciously recursive definition of cybersecurity: “anything at the intersection of humans and technology important enough to be called ‘cybersecurity.’”

Share
Comments
Top
New
Community

No posts

Ready for more?

© 2023 Nick Merrill
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great writing