icm2:re (I Changed My Mind Reviewing Everything) is an ongoing web column edited and published by Brunella Longo

This column deals with some aspects of the change management processes experienced in almost any industry impacted by the digital revolution: how to select, create, gather, manage, interpret and share data and information, either because of internal and usually incremental scope - such as learning, educational and re-engineering processes - or because of external forces, like mergers and acquisitions, restructuring goals, new regulations or disruptive technologies.

The title - I Changed My Mind Reviewing Everything - is a tribute to authors and scientists from different disciplinary fields who have illuminated my understanding of intentional change and decision making processes during the last thirty years, explaining how we think - or how we think about the way we think. The logo is a bit of a divertissement, from the Latin divertere, which means to turn in separate ways.


There is no fire brigade for the Internet!

About the need for a DIY approach to cyber-security

How to cite this article?
Longo, Brunella (2017). There is no fire brigade for the Internet! About the need for a DIY approach to cyber-security. icm2re [I Changed my Mind Reviewing Everything ISSN 2059-688X (Print)], 6.11 (November).

Full-text accessible at http://www.brunellalongo.co.uk/

London, 22 January 2018 - In 2016 this website was made inaccessible for almost an entire day. The interruption of service was apparently due to a cyber attack that could be considered, at first, just the nasty and unpleasant act of prankishness by a gang of cyber bullies. In fact, its only consequence was reputational damage, and with it a bitter disappointment and a distressful experience.

The contents of the website consist almost entirely of the articles of icm2re that are, indeed, often quite hot! But with a few megabytes of pretty much static, hand coded files I cannot figure out how they can be relevant other than to people interested in information and change management matters, though I do often talk about informed policies and governance issues. But there are no political, religious or racial discussions here. I have not been using any server-side script or any content management system either, so it is really difficult to imagine how interesting it can be as a target for cyber warriors and penetration testers alike, from any possible sensitive or technical point of view.

Online vandalism?

The problem encountered by anybody who was trying to access the website was due to an “unknown malfunctioning” consisting of this: the home page was redirecting to a white screen with a message saying “the website has been suspended”. Somebody called me at 9am to ask me what was going on and why my website had been suspended!

This was, of course, a situation in which saying that the website had not been suspended at all would be not only unproductive and useless but even self-defeating.

My provider was unable to address the issue which, to go straight to the point, was solved only when I myself, after six hours, decided to intervene from the technical side and then gave the Technical Support team simple instructions to prevent the problem from reappearing.

I could surely exclude any DoS attack - I had managed to deal with denial of service issues in the past for customers’ websites. But what I found worrying at first was that any communication with the provider’s technical support was pretty much impossible, suggesting there could be an isolation strategy behind the apparent prank message. Or was the provider’s technical team being held hostage by unpredicted chaos due to an upgrade or other mismanaged operational event?

For sure, the incident happened while I was waiting to report personal circumstances to the police - it could therefore be interpreted as a socially engineered manoeuvre that could distract me from my goals, acting as a deterrent or a deeply disturbing act of intimidation.

From another perspective, there was indeed enough substance to hypothesise a situation of sabotage of my provider’s technical platform. In either case, it was impossible not to think that the entire incident could be the manifestation of some degenerate and very inappropriate attention towards me by one or more individuals acting from inside the Civil Service, the Police or another authority who had deep and wide access to my personal data and were monitoring where I was and what I was experiencing.

In fact, I could not imagine any reason for a targeted attack against myself personally, nor was there any reason to suspect a nasty prank from anybody working within the provider’s organisation, although the first reaction was of course to blame the provider’s customer service, especially because of the difficulties in communicating with them.

My phone calls to the support team were redirected to an answering machine that just said “invalid option”, preventing any connection. And after more than 5 hours there was no reply to the ticket for assistance I had opened via web / email either.

Could that be the unfortunate result of an algorithmic governance control put in place on any of my accounts? Or just an exercise in cyber stalking and cyber war tactics? And how could I just alert my provider to the ongoing wrongdoing and be trusted in spite of the absence of any evident fault on their side?

From an administrative point of view there was no apparent anomaly in place: I could even log in to my web control panel or dashboard with my administrator account credentials as usual and see that all my article files were exactly where I was supposed to find them and where the server software was supposed to publish them, making them accessible to everybody online.

No anomaly at DNS level either.

And nonetheless web users coming via search engines or typing the URL using any network and any browser were seeing the awkward message, hour after hour, while I was queueing here or there and dealing with major issues, reporting my circumstances to the authorities.

There is no fire brigade for the Internet

Once I had finished dealing with my other priorities (police, local authority, appointment with another official, etc.) that kept me busy until 3pm, I looked into the issue from the technical point of view and tried to figure out what type of problem could be affecting the platform to the point of causing such a weird, mischievous malfunction - and only on my website, not on other websites hosted on the same platform.

The truth was that I had requested, a couple of years earlier, for security reasons following a previous similar attack in 2010, some special configuration settings. The platform might have been under a major maintenance, re-deployment or automation intervention that might therefore have overridden my tailored settings, which nobody had taken enough care to consider before carrying on with other operations. Or they had simply had a malicious attack from unknown sources targeting just my website and they did not want to deal with that type of issue.

For sure, if we had had the chance of communicating with each other we could at least have excluded some of the hypotheses.

Since this was not possible, I turned to Nominet’s support team and asked them if they could get in touch with my provider and try to understand what was going on, or if they had any other suggestion of what else I could do to resume a normal service for my website.

They seemed genuinely at a loss for words. I was told I should quickly change provider because there were no alternatives in their view and there was no further level of support offered on their side in case of incidents like that one.

The suggested, draconian, solution seemed to me quite agreeable as a long term strategy, but it would not help to resume the website straight away because it would actually prolong its unavailability to the public for no less than another five days: I have had experience of changing internet provider for myself and for customers following disappointing technical performance or suspected malicious hacking in the past. It never comes easy, because the old provider has to cooperate with the new one, and there is a risk that the ongoing incident has also compromised, at the same time, the automated procedures that are in place for such transfers, causing further delays in solving the problem.

Secondly, as an industry that is now over 40 years old, I believe internet infrastructure - such as networks and websites - should have more robust and reliable ways to count on when something catastrophic happens, like contents that suddenly disappear or are vandalised, or communications that become impossible.

The DIY approach to cyber-security

So I decided to look further into the matter and to analyse what was going on from the insider angle, using my own knowledge of what was likely to be the configuration of my hosting space on the Linux platform.

I reckoned that the trick should be in an executable file or other configuration settings that the technical support team should be able to work off once and for all - and prevent from reappearing - once the reason for such an issue was isolated and neutralised.

The problem was likely to originate either from a CGI script redirecting to the prank message page “the website has been suspended” or just from a simple rule in the Apache general server directives that was writing the unwanted message instead of showing the regular home page.

So I accessed my hosted space root and changed all the standard permissions in order to prevent any possible execution of CGI scripts (as I did not have any CGI script at all to be executed, this decision would not affect my contents at all).

I also uploaded a copy of an older .htaccess file I had from a local backup of my own website and sent a message to the Technical Support team saying that such directives should not be changed for any reason, neither manually nor automatically, without my authorisation or their own manual supervision.

The website home page was then restored straightaway.
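As an added example, not part of the original column, the checks a site owner could script for the two hypotheses above on a static hosting space: stray executable files in a web root that should hold nothing executable, and an .htaccess whose directives have drifted from the local backup. The directory paths and the sample files in the test are constructed placeholders.

```shell
#!/bin/sh
# Integrity checks for a static, hand-coded web root (added example).
# Assumes a POSIX shell, find, grep, cmp and diff; paths are hypothetical.

# List regular files under $1 carrying any execute bit.
# A purely static site should print nothing here.
find_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort
}

# Print the lines of an .htaccess file ($1) that can redirect visitors,
# change what is served, or enable script handlers. Any of these can make
# a "suspended" page appear while the content files themselves are intact.
# grep returns 1 when nothing matches, which is the reassuring case.
suspicious_directives() {
    grep -inE '^[[:space:]]*(Redirect|Rewrite|ErrorDocument|AddHandler|SetHandler|Options|DirectoryIndex|Action)' "$1"
}

# Compare the live .htaccess ($1) with the backup copy ($2).
# Returns 0 when identical, 1 when they differ (and prints a unified diff
# of backup -> live), 2 when either file is missing.
htaccess_drift() {
    [ -f "$1" ] && [ -f "$2" ] || return 2
    if cmp -s "$1" "$2"; then
        return 0
    fi
    diff -u "$2" "$1"
    return 1
}

# Strip execute bits from every regular file under $1. Mirrors the step
# described in the article: a static site has nothing that needs executing.
harden_static_root() {
    find "$1" -type f -exec chmod a-x {} +
}
```

Run `htaccess_drift` against a backup you keep offline, so the comparison does not depend on anything stored on the same hosting platform.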

Lessons learned

There is no fire brigade on the internet. Technical knowledge of server-side architectures, software directives and other configuration issues is almost inaccessible to small businesses, editors, content managers and other users in charge of the services provided by innumerable organisations and institutions that now rely on the web as the only point of access or delivery.

“Do it yourself” approaches to cyber security are always available to those who have at least an idea of what is likely to be the cause of an IT technical problem.

But the quantity and variety of technologies and systems the whole internet ecosystem relies on has become immense, for both end users and specialists. Each platform can interact with different generations of gateways, and be in itself a gateway to hundreds of different protocols, web services and devices. Further specialisation, in terms of application protocols, seems at the same time very risky and operationally inevitable - as for instance in the smart meter sector or with various automation technologies for the built environment.

How can we ensure that we have the minimum set of skills needed for a “Do It Yourself” approach to cyber security, and that such a body of knowledge can remain consistent over time? Particularly with sensing computing applications and projects, you may end up with the need to restart everything again and again - which is of course not realistic - and not capitalise on any knowledge, which is in turn extremely frustrating and de-humanising, because it leads to constant failures and risks of derealisation. I am thinking for instance of relatively recent technologies like SecondLife, Shaman and Tiny Web Services, but the reflection applies to almost any product or technology in the internet ecosystem, starting with services that rely on the very popular MySQL and API technologies.

I do not have an answer, but don’t put all your eggs in one basket! The slow pace of cyber security and law enforcement advances in internet governance on one side, and the proliferation of standards and technologies for security on the other, suggest that more and more DIY approaches are needed for the near future, and the less specialised you are, the more likely it is that you keep on having at least a clue about what is going on.

Keeping up with continuous professional development and staying vigilant does no harm anyhow. The key point for selecting the most relevant innovations and prioritising what to learn for cyber-security, at least in relation to the internet, seems to me to be understanding the impact of new technologies on the behaviour of the existing ones, more than the new technicality in itself. How much does the new theoretical knowledge or software tool change or improve the overall dependability of the system it is supposed to serve? Is the new platform offering a difference in scaling or velocity?

Finally, there is always a big picture in your own context that does not necessarily work for others: you should take it into account if you aim at a better understanding of the security risks and the wider context impacting your own internet sphere and infrastructure.