Schneier on Security: Bomb Threats As a Denial-of-Service Attack


Whenever a security control reacts to an untrusted signal with an expensive, mandatory response (“better safe than sorry!”), an attacker can turn that control into a denial-of-service attack. Schneier's example:

The University of Pittsburgh has been the recipient of 50 bomb threats in the past two months (over 30 during the last week). Each time, the university evacuates the threatened building, searches it top to bottom — one of the threatened buildings is the 42-story Cathedral of Learning — finds nothing, and eventually resumes classes. This seems to be nothing more than a very effective denial-of-service attack.

Think about this for a minute: there are many situations where a security control can be turned against the people it is meant to protect. Another example is account lockout. If a handful of wrong passwords locks an account, then anyone who knows the username can lock its owner out at will, without ever knowing the password.

An attacker can use this to cause basic disruption, economic loss, or to fuel conflict (for example, provoking students or citizens into confrontation with the police). But it can also be used as “cry wolf” preparation for an actual attack. By numbing people to security alerts, or by pressuring the VIPs of the targeted system into demanding exemptions (e.g. no password lockout for important managers because they were inconvenienced too often), the attacker lowers the security that will be in place for the real attack.
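To make the lockout example above concrete, and to show why the “exemption for managers” pressure in the previous paragraph arises, here is an added example (not code from the original post or from Schneier). It simulates two lockout policies against the same scenario: an attacker who knows the username “alice” floods wrong passwords from one source address, and then the real owner logs in from another. The naive policy hard-locks the account on a per-account failure count, so the owner is denied. The hardened policy throttles per (account, source) with exponential backoff and never hard-locks; a burst of account-wide failures only flags the next successful login for step-up authentication. The usernames, addresses, thresholds and the `step-up` marker are constructed for illustration.

```python
"""Account lockout as a denial-of-service primitive, and one mitigation.

Added example, not from the original post. Thresholds, usernames and
source addresses are constructed for illustration only.
"""
from collections import defaultdict

LOCK_THRESHOLD = 5          # failed attempts before the policy reacts
LOCK_SECONDS = 15 * 60      # naive policy: hard-lock duration
MAX_BACKOFF = 60            # hardened policy: cap on per-source delay


class NaiveLockout:
    """Hard-locks the *account* after N failures, regardless of who failed.

    This is the policy the post warns about: anyone who knows a username
    can lock its owner out just by sending wrong passwords.
    """

    def __init__(self, clock):
        self.clock = clock                   # callable returning seconds
        self.failures = defaultdict(int)     # username -> failure count
        self.locked_until = {}               # username -> unlock time

    def attempt(self, user, password_ok, source):
        now = self.clock()
        if self.locked_until.get(user, 0) > now:
            return "locked"                  # owner and attacker alike
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= LOCK_THRESHOLD:
            self.locked_until[user] = now + LOCK_SECONDS
            self.failures[user] = 0
        return "denied"


class HardenedLockout:
    """Throttles per (account, source) and never hard-locks the account.

    Failures from one source only slow down that source (exponential
    backoff), so a guesser is rate-limited while the legitimate owner,
    arriving from a different source, is unaffected. Once the account as a
    whole has seen many failures, a correct login still succeeds but is
    flagged for step-up (e.g. a second factor) instead of being blocked.
    """

    def __init__(self, clock):
        self.clock = clock
        self.src_failures = defaultdict(int)   # (user, source) -> count
        self.src_retry_at = {}                 # (user, source) -> time
        self.acct_failures = defaultdict(int)  # user -> count, all sources

    def attempt(self, user, password_ok, source):
        now = self.clock()
        key = (user, source)
        if self.src_retry_at.get(key, 0) > now:
            return "throttled"               # only this source must wait
        if password_ok:
            self.src_failures[key] = 0
            suspicious = self.acct_failures[user] >= LOCK_THRESHOLD
            self.acct_failures[user] = 0
            return "ok+stepup" if suspicious else "ok"
        self.src_failures[key] += 1
        self.acct_failures[user] += 1
        delay = min(2 ** self.src_failures[key], MAX_BACKOFF)
        self.src_retry_at[key] = now + delay
        return "denied"


def simulate(policy_cls, attacker_attempts=40):
    """Attacker floods wrong passwords once per second from one address,
    then the real owner logs in with the correct password from another.
    Returns the owner's result under the given policy."""
    t = [0.0]                                # simulated clock, in seconds

    def clock():
        return t[0]

    policy = policy_cls(clock)
    for _ in range(attacker_attempts):
        policy.attempt("alice", False, "198.51.100.7")  # attacker, wrong pw
        t[0] += 1.0
    return policy.attempt("alice", True, "192.0.2.10")  # owner, correct pw


if __name__ == "__main__":
    print("naive    :", simulate(NaiveLockout))      # locked
    print("hardened :", simulate(HardenedLockout))   # ok+stepup
```

Per-source throttling alone is not enough against an attacker who rotates addresses, which is why the hardened policy also keeps an account-wide counter; the design choice is that the account-wide signal raises the bar for the next login (step-up, alerting) rather than making the account unavailable. That removes the incentive to grant managers an exemption from lockout, which is exactly the “back-door” the cry-wolf strategy tries to extract.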

Remember: nothing is simply “secure”. Every control is a cost-benefit trade-off, and when the attacker can trigger the control at will, the cost is paid by the defender.

  4. ripperdoc posted this