BreachExchange mailing list archives

The Galactic Empire Has Terrible Cybersecurity


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Nov 2015 16:41:36 -0700

http://blogs.cfr.org/cyber/2015/11/17/the-galactic-empire-has-terrible-cybersecurity/

The new Star Wars movie, The Force Awakens, comes out in about a month. As
with most people, I can’t wait for the new movie. I’ve been re-watching the
old ones–except for The Phantom Menace, it’s terrible–and getting hyped for
the new release.

In re-watching the old movies, I’ve been struck at just how bad the Empire
was at cybersecurity. It’s not surprising given that the Empire, despite
its resources and power, had some pretty glaring security gaps. I mean, who
builds the most complex and destructive weapon in the galaxy and equips it
with a single point of failure in the form of an exhaust port? Its
cybersecurity gaps don’t fare that much better. In fact, three critical
cybersecurity improvements would have made it much more difficult–if not
impossible–for the Rebel Alliance to defeat it in Return of the Jedi.

1. Limiting access controls. This is probably the Empire’s biggest
vulnerability. Based on what we know from R2-D2 plugging himself into every
foreign computer imaginable, the Empire didn’t employ basic access
controls. Anyone plugging into an Empire-controlled network could find out
anything they wanted to know. That’s how R2-D2 was able to find out where
Princess Leia and the tractor beam controls were in Episode 4 (Star Wars/A
New Hope). It’s also how R2-D2 was able to find out from the Cloud City
network–presumably that was under the control of the Empire given Lando’s
terrible deal making–that the hyperdrive on the Millennium Falcon was
deactivated at the end of Episode 5 (The Empire Strikes Back). Good access
controls allow people to only have access to computer functions that are
necessary for them to do their jobs and should prevent anyone that connects
to a network from accessing the whole thing. That’s why in most companies,
you have to ask your IT department to install new software. When hackers
infiltrate a network, generally their first priority is to find ways to
gain more network privileges. Had the Empire even implemented basic access
controls, there’s little chance that R2-D2 would have been able to access
everything he did.

2. Two-factor authentication. The lack of two-factor authentication is also
a huge problem for the Empire. Two-factor authentication essentially
requires someone to use two credentials to access a system or device, like
a password and a security token, instead of a simple password. Had the Empire
actually deployed two-factor authentication throughout the Death Star, it
would have been impossible for Ben Kenobi to deactivate the tractor beam in
Episode 4. You could make the case that some form of Jedi meditation or mind
trick could have gotten him over this obstacle by correctly guessing the
two forms of authentication he needed, but in the Star Wars canon, those
techniques don’t work on non-organic creatures like computers or droids. In
the same movie, R2-D2 also would have had a much harder time shutting down
the garbage compactor on the detention level, possibly not giving him
enough time to save Han, Leia, Chewie and Luke.

3. Encrypting sensitive data. The Empire has a patchy record with
encryption. In Episode 5, they actually seem to use it. When the Rebels
discover an unknown transmission on Hoth early in the movie, they can’t
decipher its contents. C-3PO, whose primary function is translation and
protocol, admits to the Rebel radio operator that it could be an imperial
code but doesn’t provide any more information, leading us to believe that
the message is encrypted. If only the Empire had used encryption with all
of their sensitive data, like the blueprints for the Death Star. It’s also
pretty appalling that they didn’t encrypt the fact that they had
deactivated the hyperdrive on the Falcon in Episode 5. Even with sloppy
access permissions, encrypting that fact would have meant it took longer
for R2-D2, Chewie and Lando to figure out what was wrong with the Falcon as
they escaped Cloud City. That extra time would probably have given Admiral
Piett more time to activate the Executor’s tractor beam and recapture them.

It’s probably impossible to argue that the Empire’s poor cybersecurity
practices led to its downfall. After all, the Star Wars universe is science
fiction and there are probably ways the Rebels could have gotten around the
security measures had they been in place. No security control is ever
perfect.

Here’s to hoping that Kylo Ren and the First Order step up their game in
The Force Awakens.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss