Award Consulting

Metaswitch consultants

The Hawaii missile false alarm – and cyber security

By

Do you remember where you were on Saturday, January 13, 2018? If you lived in Hawaii, you would.

This was the day when Hawaii residents received an emergency alert on their phone stating:
Emergency Alert
Ballistic Missile Threat inbound to Hawaii. Seek immediate shelter. This is not a drill.

2018 Hawaii missile alert.jpg

It took 13 minutes before state officials began spreading the word by social media that this was, in fact, a drill, and it wasn’t until 38 minutes after the initial message when a second alert was sent out saying that you were not, after all, about to die.

How did this happen?
There’s a whole bunch of exciting process flaws I could talk about here, including:

  • The supervisor who stated both “Exercise exercise exercise” (to indicate a drill) and also “This is not a drill” when calling in a simulated emergency alert.
  • The employee who was confused by this message, and decided not to confer with the coworkers around him, and hit the panic button immediately – causing widespread panic and at least one (non-fatal) heart-attack.

However, instead I’d like to tell you about this photo.

hawaii 1

This photo accompanied an article by the Associated Press from 6 months earlier, about how the Hawaii Emergency Management Agency monitors threats. Pictured is the Operations Officer, Jeffrey Wong, along with his computer monitors. One of those screens has a helpful Post-It note reminding him of his password. Which was then photographed by the AP photographer. And published as part of their story.

In the days following the incident, internet users found this photo and speculated that hackers had used this password to send out the false alarm. As it happens, investigators ultimately found that the alarm had nothing to do with hackers, and this Post-It note didn’t do any harm, but boy was that a close shave.

Cyber Security 101
I recently attended a presentation about cyber security, which is where I learned about this photo, and so I wanted to pass on to you some key learnings.

  • Don’t write your passwords on a Post-It note. Or if you do, at least keep the Post-It note in your wallet.
  • Don’t take photos of your passwords and share them online.
  • Use multi-factor authentication: this was actually the biggest take-away from the presentation. There are a variety of ways that hackers might compromise a password, but if you require a second type of authentication (e.g. SMS code, or a code from an Authenticator app) then it becomes hugely more difficult for a hacker to break into a system.

On top of these quick tips, it’s also helpful to think of security through the Swiss Cheese Model. This is the idea that no single form of defense is perfect (each has holes, like the cheese), but if you have enough layers, it will be incredibly unlikely for a malicious hacker to penetrate all the layers. So for example:

  • Security through obscurity – don’t even tell anyone that there’s a system that could be hacked and then no-one will go looking for it.
  • Firewalls – block any external traffic from reaching your network.
  • Use private IPs – so even if the firewall rules get messed up, your equipment is still not accessible.
  • Non-standard usernames – because everyone’s going to guess admin
  • Secure passwords – obviously
  • Multi-factor authentication – so even if a hacker gets everything else right, they also need access to the user’s phone

We often talk about a similar model for VoIP toll-fraud:

  • Use secure SIP passwords
  • Block known bad user-agents / foreign countries
  • Put limits on international calling, to limit the damage if an account does get hacked
  • Use monitoring tools to quickly spot a fraudulent event, even if it does happen.

What’s Next?
My goal today has been to get you thinking. It’s easy to continue with what we’ve always done, but cyber attacks on our communications infrastructure are becoming increasingly common – and we can’t afford to be complacent.

If you’d like to dig deeper into this area, I’d strongly recommend you check out this resource from the Center for Internet Security: Protecting Against Potential Russian Cyber Attacks.

Hope y’all stay safe and secure out there. If you need help with Toll Fraud security feel free to contact us.

About Andrew

Award Consulting is focused on helping ILECs and CLECs who use Metaswitch products to thrive as they improve their networks through migrations, strategic projects and improved service offerings.

Our goal is to create highly specific, highly valuable content targeted specifically at US regional service providers, and especially those who are running Metaswitch equipment. Join our email list to be notified of new content.