Educause Security Discussion mailing list archives

Re: <SPAM> Re: emergency alert system


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Fri, 18 Apr 2008 16:47:18 -0600

Yes, highly unlikely (the reference was intended for the scenario of a
violent attack using a text notification system to increase casualties
and not the general case of prank text notification messages).  Let's do
some quick risk math in a couple of scenarios.

 

Some quick words about attack vectors.  A text messaging service can be
exploited for false notifications by either: directly attacking the
application and using it to send messages (unknown chance of success,
but high rate and accuracy of message delivery) or by spoofing a
message.  Spoofing a message requires access to some list of cell phone
numbers (attack campus systems, attack messaging service, scrape/attack
Facebook, or just guessing).  Depending on the source of the numbers,
the accuracy of message delivery will vary greatly.  Guessing will be
very inaccurate at larger schools where most student numbers are from
out of state and usually keep their home state cell phone numbers.  

 

First, terrorist bombing:

 

Likelihood of a terrorist bombing at an institute of higher education in
the United States is hard to calculate given the extremely small number
of bombs to have been detonated at institutes of higher education.  If
we guesstimate based on other bombings in the US and other parts of the
world, we could be generous and say one bombing every ten years across
the 4,000+ institutions in the US.  This places the average chance at
0.0025% for a given institution in a given year.

 

Casualties in a single terrorist bombing in a crowded public place tend
to number in the tens of fatalities and potentially hundreds of injured
(since it was specifically referenced, it looks like Omagh was 29
fatalities and 200+ injured).  There have been a very small number of
larger attacks, like Oklahoma City, but it seems most appropriate to
model the far more common size of attack.  

 

Now, what are the odds and impact of a terrorist using a text messaging
system to increase fatalities in such an attack?  We haven't seen it
happen yet, so odds are hard to calculate.  Let's again err towards
caution and guess that one in four terrorists would effectively take
advantage of such a system.  The impact is also hard to judge, but let's
say it doubles the casualty rates.  

 

So, deploying such a system would mean that in the very unlikely
scenario of an effective terrorist bombing on a higher education campus
in the United States (0.0025% in a year), there is some chance
(estimating 25%) that 30 more people would die than would otherwise.    

 

Yes, one could propose the movie plot scenario of a second bomb to
attack a rescue shelter or first responders, but the responders are
coming either way and the rescue shelter is created and can be targeted
either way.

 

The potential benefit from a warning system in the event of a bombing is
limited.  It could be used if there was an early warning such as an
ongoing investigation, or a bomb threat, but I can't find much about
cases where there was actionable early warning in a successful bombing.
In the chance of a non-simultaneous multiple bomb attack, a notification
telling students to stay in their dorms (or their off-campus housing)
could lower casualty numbers in subsequent explosions.  From what I can
see, this type of attack is a minority of terrorist bombings.

 

Second, active shooter scenario:

 

The likelihood of an active shooter is higher than a terrorist bombing
and we have painfully seen them up close.  Let's put the number at two
incidents per year across higher education in the United States (a bit
high based on the actual stats).  This places the annual chances for a
single institution at 0.05%.  

 

Casualties in active shooter incidents have ranged from none to 32
fatalities with tens of injuries.  Typically, they result in two
fatalities, but we'll put the average at 5 fatalities with 5 injuries
(there is a good summary list on Wikipedia for reference -
http://en.wikipedia.org/wiki/List_of_school_related_attacks) 

 

Since an active shooter is usually from within the community, we'll give
them higher odds of effectively leveraging messaging to increase
casualties, say 50%.  Of course, I'd say half of that is the chance of
leveraging Facebook/MySpace/e-mail as their preferred messaging medium.
Again, we'll assume a doubling of casualty rates.

 

So, deploying such a system would mean that in the small chance
scenario of an active shooter on a higher education campus in the United
States (0.05% in a year), there is some chance (estimating 25%) that 5
more people would die with a text notification exploit than would
otherwise.    

 

The potential benefit of text notification in an active shooter scenario
is also rather limited due to the often short length of the events - in
many cases the event may be over by the time a notification could be
sent.  However, we have seen some events last longer and, more notably,
some portion of active shooters may barricade themselves in a
building/room.  This could lead to a longer stand-off situation during
which text notification could be very useful in keeping
students/employees away from the site.  

 

Can we mitigate some of the risk of text notification exploitation for
such attacks?  Certainly we should vet the security of the application
itself to reduce the chances of a successful attack via that vector.  We
can do some policy and communications with students about the expected
content of valid messages (e.g. we will only tell you to stay put or
avoid a building, never to go to a particular location).  We can
properly protect any on-campus resources that store student or employee
cell phone numbers.  We can educate students about public sharing of
information like phone numbers.  We can (as a community) vet the
security of popular social networking sites like Facebook (I sent them a
message about a flaw that allowed some cell phone number identification
on users who had hidden that information and they have corrected that
flaw).  It's not total mitigation, but we have options to reduce the
risk.  

 

Now, let's balance all of that against the potential reduction of
casualties in other, non-attacker, scenarios on campus.  

 

Fire: Building/room fires occur on a fairly regular basis (I can't find
aggregate stats specific to higher education), but usually have no
fatalities and a small number of injuries.  I don't have good
information to estimate what portion of fires could have a reduced
casualty rate with text notification.  Probably not many since the
primary notification mechanisms are more localized and immediate
(fire/smoke alarms).

 

Flood: The amount of warning depends on the specific campus.  Some are
in general flooding areas that might have hours or days of warning, and
others are in flash flood areas where there are minutes to hours of
warning (we have a flash flood risk here, I know Texas has a lot of
flash flood risk).  A text notification system can be used to augment
public notifications like TV/radio/sirens and could be especially useful
because those who are in the open and exposed to a flash flood are
unlikely to be watching/listening to TV/radio (although hopefully hear
any sirens).  

 

Hurricane: Hurricanes have certainly caused lots of damage and
casualties in certain parts of the country.  Their approach typically
has a lot of early notification and a text system would largely augment
existing public news by passing along messages like evacuation
recommendations/requirements to students and employees.  

 

Tornado: Tornado deaths in schools are rare in the past few decades
(they were more common when schools were small and made of wood).  A
text notification system could be beneficial for tornado warning to
augment other mechanisms, but statistically speaking probably won't save
lives within higher education.  

 

Winter storm: A very useful feature of text notification is to notify
students/employees of campus closures and, in the event of a winter
storm, have fewer of them traverse dangerous roads in an unnecessary
attempt to reach campus.  

 

At the end of the day, we want to get emergency notifications to as many
people as possible in as many different mediums as we can.  In the
current environment, cell phones are a very useful medium that is
underutilized for emergency notification (hence why there is a movement
on a national scale to add emergency notification to cell phones).
We've interrupted TV and radio for decades with such news, but in a cell
phone and internet world, these notifications are reaching a smaller
number of people each year.  I expect every school on this list already
has a process for adding a breaking news item to their
website/portal/e-mail/etc and adding cell phones is a logical, and
useful, progression.

 

I won't argue that many systems are being purchased and deployed because
of misguided motivations and that many have inaccurate expectations set
up by vendors, media or proponents on campus.  Depending on your campus,
there may be more beneficial ways to spend the money (perhaps more
pressing safety issues).  I don't intend to say that they are the right
choice for any particular campus, I just intend to illustrate some of
the thought and logic that can/should go into the decision making
process and risk analysis regarding such systems.  

 

Wow, that turned into a novel that I've been writing on and off through
the day, sorry for the length.  I hope it was useful and not just
belaboring a point.  

 

Brad Judy

 

IT Security Office

University of Colorado at Boulder

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John C. A.
Bambenek, GCIH, CISSP
Sent: Friday, April 18, 2008 10:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] <SPAM> Re: [SECURITY] emergency alert system

 

Highly unlikely?  Terrorists have done this before.  If you're in the
terrorism business, you know about Omagh, and even if the bombers in
Omagh didn't intend a "fake bomb threat" everyone saw how "good" a
strategy it would be.

The system could be used for other uses, but the expectations are set
now and people will follow directions with these systems.  Yeah, you
could flashmob with Facebook, say, but you have to establish a
relationship to get people to follow the directions.  You send out a
fake emergency text message with instructions, they will be followed
unquestioningly.

On Tue, Apr 15, 2008 at 11:10 PM, Brad Judy <Brad.Judy () colorado edu>
wrote:

The reality is that most campuses will never use these for active
shooters, terrorist attacks, bombs, etc.  They will most often be used
for things like campus closures, threatening weather (tornado warnings,
hurricane coming, etc) and other more slowly unfolding events.  

 

To entirely dismiss them because they aren't instantaneous, perfectly
effective communications mechanisms is short-sighted.  

 

A point was raised that there may be a mis-match between expectations
and reality with these services.  I expect that is true on many
campuses, but this is an expectation setting problem.  This may
translate into a communications/documentation issue, vendor relationship
management issue or other issue on any given campus.  Figure out what
your system is really capable of and make sure people who make decisions
and receive the notifications understand the limitations.

 

As for shutting down campus for firecrackers, that's where you need good
people and procedures between the event and the notification.  Having
this type of notification system doesn't make that decision making
process any better or worse, it just changes the notification mechanism.


 

As for exploiting such a system to increase casualties in an attack,
first, this is an extremely unlikely scenario.  Second, if it were to
happen, one would get higher numbers coming to a quad using existing
technologies like Facebook/MySpace/blogs/e-mail to advertise a flashmob
or free food.  Having one of these services would not notably increase
the chances of this scenario.  

 

Some of the motivation for deploying these solutions might be misplaced,
but that doesn't mean they can't be useful and effective tools.
Whatever FUD went into the motivation, this kind of counter-argument has
far more FUD.

 

Brad Judy

 

IT Security Office

University of Colorado at Boulder

 

________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John C. A.
Bambenek, GCIH, CISSP
Sent: Tuesday, April 15, 2008 9:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] <SPAM> Re: [SECURITY] emergency alert system

We're all technological here (I assume), so I don't need to convince you
that they are not life-saving devices.  If you have an active shooter,
you aren't going to get SMS out in time before the event is over.

The big problem is that with SMS systems in specific, they are insecure
and insecurable. Anyone, from anywhere in the globe can send an SMS as
anyone else without any real effort. This is important because you
create a system where people are trained to obey unquestioningly,
immediately and without thought. You don't want them analyzing the
message, you want them to do X.  Insert the panic component as well, and
most higher thought is out the window for most people.

Now, take a scenario similar to the Omagh bombings. Basically, they
called in a fake bomb threat to the courthouse and people were evacuated
basically to where the bomb really was. Modify the scenario a little
bit.  Spider Facebook to get cell phone numbers, or heck, just use the
area code and exchange and blast all the numbers, either way, you get
a lot of people with text messages.  Tell them to head to an open
location, quad, whatever.  That's where your suicide bomber is and his
body count increases dramatically when a bomb goes off open-air with
people standing around.  A bomb inside is no picnic, but you have walls
and such that start to dissipate the impact.  You go from dozens killed
to hundreds.

Now of course, that's worst case scenario... but think of the pranks a
moderately tech-savvy frat boy could pull. It'd be a game of simon says.

Add on top the very low threshold that is demanded in which these
systems are activated, 99 times out of a 100 (at best) you are dealing
with false alarms.  Someone with a can of spray paint not only shut down
a university for a week, it shut down unrelated schools simply because
they were within a mile or so. To be somewhat aggressive, at least the
French know who they're surrendering to. We're slamming these systems in
place with the expectation and policy to engage them far more than is
efficient.  A couple of frat boys with a few M80s could shut down
finals that they didn't study for, for instance.  Remember, most people
can't tell the difference between an M80 and gunfire.  It doesn't
matter, if the police don't hear it, they wouldn't know either and they
have to respond as if a mass campus shooting is imminent, no matter how
much a stretch it is.  No one wants to be the one who didn't connect the
dots, after all.

That's about a quick brain dump.

EQ should have an article on this next time out from me and my RA.

On Tue, Apr 15, 2008 at 4:09 PM, HALL, NATHANIEL D. <halln () otc edu>
wrote:

Mike Iglesias wrote:
John C. A. Bambenek, GCIH, CISSP wrote:
*sigh*

These systems are really a very very bad idea.

I won't argue with you on that point.

Could you tell why you believe these systems are bad ideas?  I am
curious why you are against them.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
(417) 447-7535

 

 

