Well, 2021 certainly got off to a start. There’s a lot to be said about the coup attempt in the US. A lot of that has already been said by people far more qualified than I am to talk about it. But, I’ve worked as a programmer for over 15 years now and I do have a little bit of an idea about information security. So this is my explanation of some of the myriad ways that the rioters compromised information security, whether they meant to or not. While this post is about what happened at the US Capitol on January 6th, the basic concepts apply to basically any restricted space that gets breached by a mob of people: other countries’ legislatures, corporate headquarters, and so on.
I’m going to approach this from a story building perspective, instead of what actually happened, because there’s a lot that we are unlikely to ever know about what happened from an information security viewpoint. But, as a science fiction writer, I can imagine a lot.
Items of note
From the point of view of information security, the most terrifying thing about this intrusion is that there were a lot of people there. And not one of them was supposed to be there. Despite all the video and pictures that were taken inside, I doubt that anyone is ever going to know who all got inside last Wednesday. I don’t know if there is any kind of CCTV inside the Capitol, but if there isn’t, it’s just not possible to know all of the people. This is especially true if there were people there who knew how to be inconspicuous.
This could be, say, a spy for a hostile government. Perhaps a whistleblower who wants to publish some awful shit the government has done. Or an anti-government person who just wants to see the entire thing burn for the lulz. For a corporate headquarters, it might be a whistleblower or a corporate spy, or even a disgruntled former employee.
There are ways to monitor network traffic, and it’s far easier when you have physical access to a computer or to the network hardware, both of which the mob had. Devices about the size of your middle finger can be plugged into a spare Ethernet jack or a USB port, join the network, and relay what they see over their own wireless link. They can also log events on the network: a record of every hostname looked up and every website accessed, plus the contents of anything sent unencrypted. Encrypted traffic still leaks which sites were visited, just not what was said. And it’s not even that difficult. Hell, even I could create one of these devices. Most of what’s coming, I don’t know how to do. I have very limited skills in this area. But even I know how to create one of these devices. I can guarantee that there were at least a couple dozen people in that mob who could do the same. And I’d be willing to bet there were people who could do worse.
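As an added example (not from the original post), here is the kind of logging such a planted device does, run over three frames that the code constructs itself; the hostnames, addresses and ports are made up, and the parser handles only plaintext DNS and HTTP:

```python
"""What a passive network logger actually records.

Added example; it is not from the original post. The three frames below are
constructed in code (nothing captured), with made-up hostnames and addresses.
Only plaintext fields are recovered: DNS query names and HTTP Host headers.
"""
import struct
from typing import List, Optional, Tuple

ETH_IPV4 = 0x0800
PROTO_TCP = 6
PROTO_UDP = 17


def _dns_qname(dns: bytes) -> Optional[str]:
    """Read the first question name after the 12-byte DNS header."""
    i, labels = 12, []
    while i < len(dns) and dns[i] != 0:
        n = dns[i]
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels) or None


def _http_host(payload: bytes) -> Optional[str]:
    """Pull the Host header out of a plaintext HTTP/1.x request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return None


def extract_names(frame: bytes) -> List[Tuple[str, str]]:
    """Return (kind, name) pairs visible in one Ethernet/IPv4 frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return []
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    l4 = ip[ihl:]
    dport = struct.unpack("!H", l4[2:4])[0]
    found = []
    if ip[9] == PROTO_UDP and dport == 53:
        name = _dns_qname(l4[8:])            # skip the 8-byte UDP header
        if name:
            found.append(("dns", name))
    elif ip[9] == PROTO_TCP and dport == 80:
        data_off = (l4[12] >> 4) * 4          # TCP header length in bytes
        host = _http_host(l4[data_off:])
        if host:
            found.append(("http", host))
    return found


# --- constructed frames, not captured traffic ---
def _eth_ipv4(proto: int, l4: bytes) -> bytes:
    iphdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                        bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + iphdr + l4


def dns_query_frame(name: str) -> bytes:
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    return _eth_ipv4(PROTO_UDP, udp)


def http_get_frame(host: str, path: str = "/") -> bytes:
    body = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: demo\r\n\r\n".encode()
    tcp = struct.pack("!HHIIBBHHH", 40001, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + body
    return _eth_ipv4(PROTO_TCP, tcp)


SAMPLE_FRAMES = [
    dns_query_frame("intranet.example.gov"),
    http_get_frame("intranet.example.gov", "/schedules/week"),
    dns_query_frame("mail.example.gov"),
]


def visited_names(frames: List[bytes] = SAMPLE_FRAMES) -> List[Tuple[str, str]]:
    """De-duplicated log of what the frames reveal, in the order seen."""
    seen: List[Tuple[str, str]] = []
    for frame in frames:
        for entry in extract_names(frame):
            if entry not in seen:
                seen.append(entry)
    return seen


if __name__ == "__main__":
    for kind, name in visited_names():
        print(f"{kind:4} {name}")
```

Over HTTPS the Host header and the request path are encrypted, so a device like this still sees the DNS lookup (and the TLS server name, which this parser does not decode); that is enough to know which sites were visited, just not what was sent.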
Here we go with the essentially unfettered access again. Sure, they didn’t have passwords or access codes. That doesn’t matter much when you can plug a device into a computer that changes how it starts up the next time it boots: a machine that will boot from removable media, or whose firmware has no password, can be made to run whatever is on the attacker’s stick. You can leave a device in a machine that installs malware on the next boot and opens a backdoor. That malware could be basically anything. A keylogger that records every keystroke and sends it somewhere, giving the attacker usernames, passwords, everything. Ransomware that locks the computer, or the data on it, until the attacker gets what they want; when the data is something like troop movements, the payment need not be money. Or just something that sends a copy of the entire disk to an undisclosed location for someone to peruse.
The final piece of infosec fail that I can come up with is the taking of components or entire computers. There are reports that the rioters took several hard drives and possibly also laptops from various offices. A lot of the rioters carried some form of backpack. There were so many eye-catching individuals in that crowd that someone walking away with a computer wouldn’t even register. Encryption helps, but it isn’t a guarantee. A laptop taken while powered on or merely asleep still has its disk keys in memory; a drive whose encryption is unlocked by a short PIN can be guessed offline with enough time; only properly configured full-disk encryption with a strong passphrase is realistically out of reach, and a self-wiping mechanism (a chip that erases the key after too many wrong guesses) protects against guessing but not against a machine taken unlocked. I don’t know whose computers the rioters stole. But it’s not out of the question that someone, or several someones, walked away with the nation’s secrets. If it were a corporation, they might have walked away with R&D data, financial plans, or internal corporate strategy.
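To make “enough time” concrete, here is an added example (not from the original post) of the offline guessing a thief can do against an encrypted drive whose key is derived from the user’s secret with PBKDF2 and checked against a stored verifier; the salt, iteration count, PIN and verifier layout are assumptions for the demo, not any real product’s design:

```python
"""How much "enough time" is: offline guessing against a stolen encrypted drive.

Added example; it is not from the original post. It models the common design in
which the disk key is derived from the user's secret with PBKDF2 and a small
verifier is stored next to the ciphertext, so a thief can test guesses offline.
The salt, iteration count and secrets are constructed for the demo.
"""
import hashlib
import hmac
import itertools
import math
import time
from typing import Optional, Tuple

SALT = bytes.fromhex("0badc0ffee0ddf00d5a1")   # constructed
ITERATIONS = 200   # deliberately tiny so the demo runs in seconds; real FDE
                   # uses far more, or a memory-hard KDF such as Argon2


def derive_key(secret: str, iterations: int = ITERATIONS) -> bytes:
    """Disk key from the user's secret (assumed PBKDF2-HMAC-SHA256, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, iterations, dklen=32)


def make_verifier(key: bytes) -> bytes:
    """What sits on the drive: lets the firmware (and the thief) check a key."""
    return hmac.new(key, b"key-check", hashlib.sha256).digest()


def brute_force_pin(verifier: bytes, digits: int = 4) -> Tuple[Optional[str], int]:
    """Try every numeric PIN of the given length; returns (pin_or_None, guesses)."""
    guesses = 0
    for combo in itertools.product("0123456789", repeat=digits):
        pin = "".join(combo)
        guesses += 1
        if hmac.compare_digest(make_verifier(derive_key(pin)), verifier):
            return pin, guesses
    return None, guesses


def years_to_exhaust(entropy_bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every secret of the given entropy."""
    return 2 ** entropy_bits / guesses_per_second / (365 * 24 * 3600)


def measure_rate(iterations: int = ITERATIONS, samples: int = 200) -> float:
    """Guesses per second this machine manages at the given KDF cost."""
    start = time.perf_counter()
    for i in range(samples):
        derive_key(str(i), iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # A 4-digit PIN falls immediately, even with a KDF in the way.
    pin, guesses = brute_force_pin(make_verifier(derive_key("2741")))
    print(f"recovered PIN {pin} after {guesses} guesses")

    # A 6-word passphrase from a 7776-word list is about 77.5 bits.
    rate = measure_rate()
    bits = 6 * math.log2(7776)
    print(f"{rate:,.0f} guesses/s at {ITERATIONS} iterations; "
          f"{bits:.1f}-bit passphrase: {years_to_exhaust(bits, rate):.2e} years")
    print(f"at 1e9 guesses/s it is still {years_to_exhaust(bits, 1e9):.2e} years")
```

The point of the demo is the asymmetry: the KDF cost buys a constant factor, but the search space is what decides whether a stolen drive is readable in minutes or never. A lockout chip that wipes the key after a few wrong guesses changes the picture for the PIN case, but only if the thief cannot read the encrypted blob and verifier off the drive directly.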
The thing with an intrusion of this magnitude is that it inherently leaves the space less secure afterward. A planted device can be about the size of your middle finger, hidden behind a desk or inside a wall jack. In a space the size of the Capitol, how can you ever be sure that you’ve gotten all of them out? Since unknown people had direct access to the computers and network devices, those need to be nuked: reimaged at the very least, and preferably replaced, because malware planted in firmware survives a reinstall. None of those devices is any level of trustworthy anymore.
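For the sweep after the fact, covering both the boot-time implant worry above and the question of whether any of those machines can be trusted again, here is an added example (not from the original post) that diffs a post-event inventory against a known-good baseline; the records, identifiers, hostnames and hashes are all constructed, and the field layout is my own rather than any tool’s output format:

```python
"""Post-intrusion sweep: diff what is plugged in, on the network, and in the
boot partition against a baseline taken before the breach.

Added example; it is not from the original post. The baseline and the
post-event observation are constructed records in the shape you would get
from a USB device listing, a switch or DHCP MAC table, and a hash list of
the boot partition; the identifiers, names and hashes are all made up.
"""
from typing import Dict, List

Inventory = Dict[str, Dict[str, str]]   # category -> {identifier: description or hash}

BASELINE: Inventory = {
    "usb":  {"046d:c31c@1-1.2": "keyboard", "0781:5583@1-1.3": "approved backup stick"},
    "net":  {"00:1a:2b:3c:4d:5e": "printer-3f", "00:1a:2b:3c:4d:60": "desk-412-laptop"},
    "boot": {"EFI/BOOT/BOOTX64.EFI": "5e884898da28", "EFI/ubuntu/grubx64.efi": "2c26b46b68ff"},
}

# Constructed: one unknown USB device, one unknown host on the network,
# one laptop gone, and one boot loader whose hash no longer matches.
OBSERVED: Inventory = {
    "usb":  {"046d:c31c@1-1.2": "keyboard", "0781:5583@1-1.3": "approved backup stick",
             "0c45:7403@1-1.4": "unknown composite device"},
    "net":  {"00:1a:2b:3c:4d:5e": "printer-3f", "b8:27:eb:11:22:33": "unknown host"},
    "boot": {"EFI/BOOT/BOOTX64.EFI": "5e884898da28", "EFI/ubuntu/grubx64.efi": "deadbeef0001"},
}


def diff_inventory(baseline: Inventory, observed: Inventory) -> Dict[str, Dict[str, List[str]]]:
    """Per category, identifiers added, removed, or changed since the baseline."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for category in sorted(set(baseline) | set(observed)):
        before, now = baseline.get(category, {}), observed.get(category, {})
        added = sorted(k for k in now if k not in before)
        removed = sorted(k for k in before if k not in now)
        changed = sorted(k for k in before if k in now and before[k] != now[k])
        if added or removed or changed:
            report[category] = {"added": added, "removed": removed, "changed": changed}
    return report


def triage(report: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Turn findings into actions. Anything unexplained is treated as compromised."""
    actions = []
    for category, d in report.items():
        for k in d["added"]:
            actions.append(f"{category}: unknown {k}: isolate, image for evidence, then remove")
        for k in d["removed"]:
            actions.append(f"{category}: missing {k}: treat as stolen, revoke every credential it held")
        for k in d["changed"]:
            actions.append(f"{category}: {k} altered: do not boot, reimage or replace the host")
    return actions


if __name__ == "__main__":
    for line in triage(diff_inventory(BASELINE, OBSERVED)):
        print(line)
```

The diff is only as good as the baseline: without a pre-breach inventory of devices, MAC addresses and boot-partition hashes there is nothing to compare against, which is one reason the clean-up after an event like this is so expensive.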
There are two ways that the vulnerabilities created by the rioters can go: they show up on someone’s rap sheet or we never hear of them again. Fixing the damage of unknown persons having physical, unfettered access to computers is going to be very, very expensive. Finally, I want to add a disclaimer: I’m just an ordinary programmer. I have very limited hacking skills, gained in order to learn how to create systems that are at least minimally protected against hackers. Like I said, I don’t know how to make most of the stuff in this post happen. I just know it’s possible. Someone who actually knows this shit can tell you how much worse the situation is.