Monday, July 09, 2007

Is the 'Electronic Fence' Vulnerable to DOS Attacks

Just another piece of information calling into question the reliability of the electronic measures we will depend upon to secure the border:

Using standard commercial 5.8 gigahertz wi-fi equipment could leave SBInet open to intentional interference. "A drug dealer could buy a laptop with built-in 5.8 gigahertz wireless and could launch a denial of service attack against SBInet," Wallen said.

He said he could detect that the SBInet wireless network used a strong form of encryption, Wi-Fi Protected Access. But the encryption would not be useful in stopping denial of service attacks, said Wade Williamson, director of product engineering for AirMagnet, which sells wireless intrusion detection systems.

Williamson said mounting a denial of service attack against a wi-fi network is a "trivial exercise" because even on an encrypted network, the address of an end user device or wi-fi access point -- known as a media access control address -- is clearly broadcast and retrievable. Anyone who wants to knock out the transmissions from the SBInet towers could capture that address, spoof it and then flood a tower or end user with data packets, Williamson said. He added that SBInet communications also could be jammed by inexpensive signal generators that could knock out the signal from the towers.

An intrusion detection system would help DHS and Boeing detect such cyberattacks and zero in on the location of intruders by triangulation, Williamson said. DHS and Boeing could also "fight fire with fire" by launching reverse denial of service attacks, he said.

George Teas, director of field engineering for Fortress Technologies, which sells wi-fi systems hardened with multiple layers of security for government users, said his company provides multifactor authentication systems that include a unique device identifier, which insures that even if hackers spoof a media access control address, they will not be able to get into a network. An attacker would not be able to take down all of the SBInet with a denial of service attack, Teas said, but just one node with traffic routed around that node.

I'm no expert, but this sounds like a problem that can be corrected relatively easily. If that's the case, why make the mistake in the first place?

Politically, proponents of 'adjustment' for the current illegal population must be able to sell the fact that the border is 'secure' -- whatever that means in a system that has traditionally been proudly porous (remember how you learned in school that the US and Mexico had the longest undefended border). Stories like this are death to that effort.

It seems as if the camel's back of 'comprehensive reform' has been broken -- at least for the near future. To the extent that's true, a few more straws won't make a difference.

Update: Drat! A commenter points out:

It's actually our border with Canada that's the longest undefended border, considering, you know, that the Mexican border starts at roughly the east-west midpoint of the country in Texas.

Of course, I remember that now. Sloppy error. I stand corrected.


Anonymous said...

This virtual fence is a joke anyhow. Arrests have to be made by real people. We need troops and border police not cameras to stem this tide that threatens to overwhelm the country

Anonymous said...

It's actually our border with Canada that's the longest undefended border, considering, you know, that the Mexican border starts at roughly the east-west midpoint of the country in Texas.

Bubba McCarroll said...

Technology no doubt has a place in the mix, but it can't be the be all and end all of our border security. As anonymous stated, we need real live people enforcing these borders because there hasn't been a program or system invented that isn't subject to intrusion of one form or another. The problem seems to be that some people don't understand the danger unprotected borders represent today, beyond that posed by people merely wanting to participate in our economic system without virtue of legality. When the first nuke goes off in one of our major cities (or even a minor one) that attitude is apt to change in a hurry.

Larry said...

And while the towers and the DOSers are flinging feces at each other, the coyotes are going to be doing what? sitting out a "kings X"?

LonewackoDotCom said...

why make the mistake in the first place?

If you assume that this whole project was intended as a designed-to-fail boondoggle, it makes more sense. And, the reason you're hearing about things like this now instead of later is because of another Bush administration hallmark: gross incompetence.

Congrats on the link from Insty, someone who played a tiny role in helping bring things like this about by supporting Bush last time around.

Anonymous said...

Less than a year ago a bunch of engineers at several large firms were drawing up the proposals for SBInet.

They weren't all based on towers. All but Boeing's were based on UAV's.

In the 9 months since the award, Boeing's guys have figured out how where to put 100' towers for best coverage, how to power them 50 miles away from the grid, how to make them stable without guy wires or foundations (because that would require an EIS, and delay everything for years) and delivered working prototypes using off the shelf hardware.

If there's a problem with denial of service attacks, they can walk to the other side of the facility and borrow the networking software that they've written for Future Combat Systems.

The F-22 was designed in the late 80's, and it's just now entering service. You want to cancel a system over a possible software bug, when the spec were written less than 6 months ago? Do you have ANY software on your system that is both V 1.0 AND works perfectly?

Ivan Goddard said...

I live 60 miles from the border, and know some ranchers who live right on it, and some retired Border Patrol agents. Even if the "virtual fence" works as intended, it cannot succeed.

The sheer volume of illegal entrants is staggering. The Arizona sector alone of BP makes about 100,000 apprehensions a year (representing, it is estimated, 10-20% of illegal entrants). The volume is so enormous that there aren't enough judges, prosecutors, etc. to even have deportation proceedings on the ones caught. They sign voluntary return to Mexico forms, are bussed to the border and released. No, I'm no kidding. If their coyotes or guides are good, they escaped, meet them at a rendezvous point there, and come back the next night.

A physical fence *might* be enough of a barrier to reduce this. But a virtual fence is an operation set up to fail.

Ben said...

Actually, from a detection network standpoint, a DOS attack is fairly definitive indication that something is messing about on the border. What you do at that point and the frequency of false positives in the form of network failures is another matter.

beowulf said...

Why are we paying Boeing to build a virtual fence that can have its power cut (I'm assuming, contra the Springfield monorail, its not solar powered), can be hacked or can be ignored by an intruder if he can leave the area faster than the Border Patrol can get there?

Recently, the Chinese built a simple 12' high post and barbed wire single fence line along its North Korean border. And Israel built a triple fence as high as 25' with motion sensors, access roads and anti-vehicle ditch barrier along its border with the West Bank.

Either system would be far more effective than Boeing's Cordon Imaginaire. Maybe we can hire Airbus to build an actual fence.

Anonymous said...

Didn't China build a pretty robust wall a thousand years ago? It might eve still be around.

I bet we could one much more quickly now. We could even save some money by using cheap, undocumented labor.


Anonymous said...

Beowulf, the towers are powered by solar, wind, batteries and a propane IC engine for backup. Between solar and wind they figure on .999 availability. They don't want to run the propane, because they have to refuel by helicopter.

Yes, the crossers can get away if they can move faster than CBP. Making the CBP agents superhuman-fast wasn't part of the contract.

If you build a physical wall without a sensor net, the crossers can climb over it and walk away without CBP ever knowing they were there.

A wall will delay the crossers, by a few seconds or a few minutes. In an urban area you need that time so CBP can respond. In the middle of the Nogales sector, there's nothing on either side of the border for 30 miles. You need to get an agent there to put the habeus-grabbus on them.

If you want the towers to have automated machine guns, like they have on the wall on the west bank, talk to your congressman.