Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now


Old Ideas for a New Threat Environment

Air-gapping may be the only surefire way to protect critical systems

I’m tired of thinking about hackers. I’m tired of maintaining a sophisticated stateful proxy firewall at home. This is almost surely on top of whatever threat mitigation is employed by my internet service provider Comcast.

Even basic firewalls (including the one on your computer) limit the connectivity to a handful of well-known ports and protocols for inbound traffic. That’s a lot of barbed wire fences to climb over.

My firewall (pfSense — free for non-com use, runs on Berkeley Linux) even blocks DNS resolution from URLs on several lists like, and a list of lists at Makes loading exploit code harder. I presume most consolidated IT departments employ similar tools.

Still, stuff happens.

Easy pickings

The reason this keeps happening is that the rewards for successful hacking and the ease with which thousands of exposed attack surfaces can be scanned quickly makes it trivial to pick the low-hanging fruit of misconfiguration. If only 2% of victims pay the ransom, so what? It’s still a bonanza.

Users at home might pay a hundred bucks or so to restore their files. A hospital might be good for a hundred thousand. Meanwhile the software tools to make this mischief are available for sale or rent.

Literally, there’s malware software as a service. Bitcoin makes collecting ransom anonymous.

So, lacking any true bulletproof software solution, I’m now exploring the kinds of firewall hardware that no amount of probing can circumvent. I’ve arrived at a solution that I think gets the job done, at least as far as the truly malicious software offerings are concerned.

For online banking, where I do not enjoy the protection of the $50 limit on credit card fraud, it’s now a machine that is connected only when I am online. Literally, the first order of business is to enable the wired IP interface. It gets disabled when I’m done. Any old hunk of junk will do for this application.

This strategy relies on the presumption that network mapping is a prerequisite to successful attacks, and a machine they can’t see is unlikely to be vulnerable.

Elsewhere, whole machine backups made to a USB-connected drive pass through an external USB hub. One of my Raspberry Pi timers (described in an earlier column) connects and disconnects the USB hub power on a schedule.

Yes, exploring the machine that is backed up using this scheme will reveal a Windows backup schedule and the path to the actual backup but no access. Let ’em wonder how that can be.


And so that’s where I’m headed for low-cost, low-tech solutions for the automation network at the radio station.

Like most places, we require internet connectivity to pull down paid content, news, weather and such. There’s no avoiding exposure. But I think a custom “jump box” will solve the problem.

It’ll be built as an FTP device, reaching out via scripting to harvest needed files, placing them in a quarantine, running them through anti-whatever, then dropping them into an “outbox” for pickup by the automation system’s loading tools.

Finally, once the key features are up and working, I’ll burn the entire boot partition to a DVD and boot from that. Reboot every 24 hours.

For script storage and the anti-whatever database, a thumb drive with an external write protect switch seems obvious; maybe something like this. You get the idea.

Think like a hacker. Create impenetrable physical barriers for him. Presume you’ll be infected and flush their effort before it is productive. Given the target-rich environment, I believe it’ll work like those alarm company stickers on your window. The bad guys will just move on.

Finally, I am no longer a fan of unified, company-wide systems for authentication like Active Directory.

The recent zerologon attack put a lot of AD users in the ditch. Essentially, one try in 256 would authenticate a password of all zeros. A glitch in the code, it seems.

These systems are robust until they aren’t and, unfortunately, can be bought and set up by anybody. De-compilers allow a view into the binaries, and any vulnerabilities will be found by bad guys.

Sadly, response from software vendors to even hacks they’ve been made aware of can be slow. Understandable, I suppose, since hundreds of supposed vulnerabilities are reported for every one that is actually viable. Everybody wants to be a hero. But sorting the real problem from all the chaff reported is time consuming.

Often, posting actual exploit code as a proof of concept is the only way to get a vendor’s attention. That’s what it took for the zerologon hack. And the bad guys have plenty of money to buy a version of every software product and every appliance out there, then reverse engineer it all. So it’s a losing battle.

On the other hand, a machine that is unplugged is a pretty tough hacking target. And a machine that boots fresh daily from read only media is going to be pretty challenging for a hacker, too.

Finally, when machines need updates, let ’em access the public internet for only the time required, then cut them off.

Turns out old ideas can apply to new environments. Want to prevent a mishap? Turn off the power, disengage, disconnect.

The author is chief engineer of Salem Communications’ Chicago cluster and president of the consultancy FM and Co.