Apr 28, 2014

Security In Media: "Captain America: Winter Soldier"

Captain America: Winter Soldier is the next installment in the long string of Marvel superhero movies, some of which serve as little more than a bridge between Avengers movies (I'm looking at you, Thor 2). This installment was not bad: it works well as a stand-alone movie and addresses necessary issues such as the natural conflict between the squeaky-clean Captain America, the sordid-past Black Widow, and the ever paranoid and aloof Nick Fury.

While mostly an action piece, the S.H.I.E.L.D. storyline (movie and TV) has always tried to delve into the cyber arena, with mixed results. Everyone tells me I should get back into the TV show now that Winter Soldier has changed the game, but I'm skeptical. Winter Soldier plays typically fast and loose, especially toward the end, leading to some head-shaking moments. However, there may be a gem in this rough.

Be forewarned, Spoilers Abound.

Overriding Clearance Levels

Almost all movies that deal with clearances treat them as one-dimensional: a hierarchy of clearance levels (Secret, Top Secret, and the awesome "above Top Secret") and nothing more. If you hold a level of clearance, you have unfettered access to all material at that level and below, and no access to anything above it.

Unless, of course, someone with a high clearance gives it to you.

After chewing Nick Fury out about trust issues, the director of S.H.I.E.L.D. throws Cap a bone by introducing him to project "Insight." The project is classified at "Level 10" whereas Cap only has clearance for "Level 8," which Fury promptly overrides.

Things don't (shouldn't) work like that. Classification is, arguably and ostensibly, serious business. The stated point of it is to protect information that, if put in the wrong hands, could be used to cause significant damage to the United States and its people. To gain access to classified information requires a process by which a candidate is vetted. Now, while there may be some extreme or extraordinary circumstances by which a person needs and should be given access to classified material beyond their clearance, this isn't one of them. There is no compelling need to show the Captain this project and it doesn't even serve the plot, since the computerized Zola could have told them about it.

More importantly, there is the oft-forgotten component of need-to-know. In reality, having a clearance does not automatically grant you access to all material at that classification; there must be some reason for you to have access to it, the "need to know." Separately from the process for granting a clearance, access to specific information must be requested, and the justification for that request is reviewed. Even if you have the appropriate level of clearance, without proper justification you don't get access.

This means that, in real life, someone with a high clearance neither has access to all material of equal or lower classification nor can hand out material at that classification to other people ad hoc.
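To make the two-part rule concrete, here is an added example (not code from the post) that checks clearance level and need-to-know as separate conditions, and records need-to-know only through a justified, independently approved request, so there is no "director overrides it on the spot" path. The subject names, the levels, and the "INSIGHT" compartment are constructed to mirror the scene.

```python
"""Clearance level plus need-to-know, checked as two independent conditions.

A subject may read an object only if (1) their clearance level is at least
the object's classification level and (2) they hold an approved need-to-know
for every compartment the object is marked with.  All names, levels and the
"INSIGHT" compartment are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass(frozen=True)
class Label:
    """Classification marking on a document or project."""
    level: int                              # e.g. 8 or 10 in the movie's scheme
    compartments: frozenset = frozenset()   # need-to-know compartments


@dataclass
class Subject:
    name: str
    clearance: int
    # compartment -> (justification, approver); written only by grant_need_to_know
    grants: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def grant_need_to_know(subject: Subject, compartment: str,
                       justification: str, approver: str) -> None:
    """Record an approved need-to-know.  Blank justifications and
    self-approval are refused: that is the 'waved through' path."""
    if not justification.strip():
        raise ValueError("need-to-know request requires a justification")
    if approver == subject.name:
        raise ValueError("requester cannot approve their own need-to-know")
    subject.grants[compartment] = (justification, approver)


def can_read(subject: Subject, label: Label) -> Tuple[bool, str]:
    """Both conditions must hold; the reason string says which one failed."""
    if subject.clearance < label.level:
        return False, f"clearance {subject.clearance} below level {label.level}"
    missing = sorted(label.compartments - set(subject.grants))
    if missing:
        return False, "no need-to-know for: " + ", ".join(missing)
    return True, "clearance and need-to-know satisfied"


def override_attempt(granter: Subject, target: Subject, compartment: str) -> str:
    """What a 'Level 10 overrides it' button would amount to: granting on
    someone else's behalf with no justification.  Returns the refusal text."""
    try:
        grant_need_to_know(target, compartment, justification="", approver=granter.name)
    except ValueError as exc:
        return str(exc)
    return "granted"


# Constructed scenario: Project Insight is Level 10 and compartmented; Rogers
# holds Level 8; an analyst holds Level 10 but no need-to-know; Fury holds
# Level 10 with a recorded, externally approved grant.
INSIGHT = Label(level=10, compartments=frozenset({"INSIGHT"}))
ROGERS = Subject("Rogers", clearance=8)
ANALYST = Subject("Analyst", clearance=10)
FURY = Subject("Fury", clearance=10)
grant_need_to_know(FURY, "INSIGHT", "program director", approver="World Security Council")


if __name__ == "__main__":
    for who in (ROGERS, ANALYST, FURY):
        print(who.name, can_read(who, INSIGHT))
    print("override:", override_attempt(FURY, ROGERS, "INSIGHT"))
```

Rogers fails on level, the analyst fails on compartment despite holding Level 10, and only the recorded grant lets Fury through; the "override" is refused before anything is written to the grant table.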

"Our facility is biometric... these tags will give you access."

The current methodology for authenticating people (proving a person is who they say they are) is to require one or more factors, grouped as follows:
  • something you know (a password, a pass phrase, PIN, the answer to a secret question);
  • something you have (a key, a badge);
  • something you are (voice, eye, fingerprint);
Systems that focus on the last factor are referred to as biometric systems; they rely on aspects of a person that are thought to be unique and impossible to duplicate. Common implementations use retina scans, fingerprints, or voice recognition, but there are other methods. The point is that you can't give someone a biometric authenticator; your authentication mechanism must be configured to use something they already have. Because of this, biometrics are not really suited to on-demand access for new individuals and visitors.

What Pierce gives them (the wearable tags) is "something they have" and operates much like the smart cards used in real organizations today: cards with embedded computer chips (or sometimes RFID tags). Systems that use such devices are more flexible, since creating and handing out cards is easy, but they are also easier to compromise, since a card can be stolen (which is why cards are usually part of a two-factor scheme, combining possession of the card, "something you have," with a PIN, "something you know").

Basically, Pierce gives them a device that circumvents their biometric security, one that anyone could easily steal and thus gain access to the entire building.
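The following added example (not code from the post) sketches a door controller with the two access paths just contrasted: enrolled staff authenticate by biometric template, while visitors carry a signed badge that the controller accepts only together with a PIN, with a lockout after repeated PIN failures. A badge on its own, a forged badge, and an expired badge are all refused. The controller key, badge ids, PINs and templates are constructed; real biometric matching compares feature vectors with a tolerance rather than exact digests, which the constant-time compare here only stands in for.

```python
"""Door controller: biometric for enrolled staff, badge + PIN for visitors.

Constructed values throughout; the point is that a possession factor (the
badge) is never sufficient by itself.
"""
import hashlib
import hmac
from typing import Dict, Optional, Tuple

CONTROLLER_KEY = b"constructed-controller-key"   # constructed; not for real use
MAX_PIN_FAILURES = 3


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Enrolled biometric templates (constructed).
ENROLLED = {"hill": _digest(b"template-hill")}


def biometric_ok(person: str, sample: bytes) -> bool:
    """'Something you are': compare the presented sample with the stored template."""
    stored = ENROLLED.get(person)
    return stored is not None and hmac.compare_digest(stored, _digest(sample))


def _badge_tag(badge_id: str, expires: int) -> str:
    msg = f"{badge_id}|{expires}".encode()
    return hmac.new(CONTROLLER_KEY, msg, hashlib.sha256).hexdigest()


def issue_badge(badge_id: str, expires: int) -> Dict[str, object]:
    """Visitor badge ('something you have'): id, expiry and an HMAC so that
    forged or edited badges fail verification."""
    return {"id": badge_id, "expires": expires, "tag": _badge_tag(badge_id, expires)}


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


# Per-visitor salted PIN verifiers and failure counters (constructed).
VISITOR_PIN_SALT = {"V-001": b"salt-V-001"}
VISITOR_PIN_HASH = {"V-001": _pin_hash("2468", b"salt-V-001")}
PIN_FAILURES: Dict[str, int] = {}


def visitor_ok(badge: Dict[str, object], pin: Optional[str], now: int) -> Tuple[bool, str]:
    """Badge AND PIN ('something you know') are both required."""
    if not hmac.compare_digest(_badge_tag(badge["id"], badge["expires"]), badge["tag"]):
        return False, "badge signature invalid"
    if now > badge["expires"]:
        return False, "badge expired"
    if pin is None:
        return False, "PIN required: badge alone is not sufficient"
    vid = badge["id"]
    if PIN_FAILURES.get(vid, 0) >= MAX_PIN_FAILURES:
        return False, "badge locked after repeated PIN failures"
    salt = VISITOR_PIN_SALT.get(vid)
    if salt is None or not hmac.compare_digest(VISITOR_PIN_HASH[vid], _pin_hash(pin, salt)):
        PIN_FAILURES[vid] = PIN_FAILURES.get(vid, 0) + 1
        return False, "PIN incorrect"
    PIN_FAILURES[vid] = 0
    return True, "badge and PIN accepted"


if __name__ == "__main__":
    badge = issue_badge("V-001", expires=1_000)
    print(visitor_ok(badge, None, now=500))       # badge alone: refused
    print(visitor_ok(badge, "0000", now=500))     # wrong PIN: refused, counted
    print(visitor_ok(badge, "2468", now=500))     # badge + PIN: accepted
    print(biometric_ok("hill", b"template-hill"))
```

The lockout counter is what turns a stolen badge from "walk in" into "a few guesses, then an alert-worthy event"; without it the PIN adds little against an attacker with the badge in hand.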

Leaking Stuff on the Internet

In order to expose S.H.I.E.L.D./Hydra, Black Widow uploads secret information to the internet. We aren't privy to the details, but her statement ("Oh look, it's trending") implies some sort of social media site. So what, she posted it to her Facebook account? Tweeted about it? A spy of her caliber should know better. Given the nature of the information, and the fact that companies like Facebook and Twitter usually defer to the government, any information she leaked through those channels would probably be quashed very quickly. A far more reliable method would have been to send it to media outlets, à la Snowden.

More important is the fact that releasing this information, and understanding what it entails, would take time: more than the 30 or so minutes that elapse in the film. Go to any web site and you're likely to find people making all sorts of claims about government agencies on par with what is said about S.H.I.E.L.D. here. Overcoming that skepticism is no small feat.

Who designed those carriers anyway?

To thwart Hydra's plan, Cap and crew infiltrate the three helicarriers and replace the circuits controlling the targeting mechanisms with fakes designed by Fury (to force the carriers to target themselves). Setting aside the logistics of this (as well as the plot holes: how did he design these without access to Zola's algorithm, and why did they need to replace them rather than just destroy or remove them?), one is left to wonder why such a critical part of the infrastructure was put where it was. It's in an isolated part of the ship, practically exterior (protected only by a dome of glass), and is reached by treacherous catwalks. Say something gets damaged there: you now have to send technicians to this dangerous and hard-to-reach location to fix a crucial component of the ship.

Such an important component should be well within the ship's interior, in a guarded, enclosed room. The entire point of these ships is to defend against and engage threats; other than the engines that keep it aloft, the ability to accurately target the enemy is probably the most important function of the ship. It's as if the ship was deliberately designed to be a video game boss with strategically placed weak points.

Nick Fury's Secret Account

I will give the movie credit in this regard. When Fury showed up near the climax, to give Black Widow the access she needed to release the files, I inwardly groaned. I was anticipating Fury using his existing access to do this, and many movies are bad about removing the access of people who no longer need it (I'm looking at you, Minority Report). To its credit, the movie addressed this adequately. Having been declared dead, Fury had his access and authorization removed from the system, as it should be. But Nick had an ace up his sleeve: he had another account, biometrically tied to his other eye. Now, I don't know if that would work in a biometric system, but this was a very clever and realistic idea.

Account management is a crucial aspect of information security and one that is hard to do correctly over long periods of time. As people join, get transferred, or are terminated, keeping track of which accounts should exist or be deleted, and the rights those accounts should have, is a difficult task. To combat this, there should be periodic reviews of all accounts (usually annually), but this doesn't always happen and, even when it does, some things can slip through the cracks. The creation of a separate account to use as a secret back door can and does happen for nefarious purposes. However, while I'll concede that full account reviews can't catch everything, especially in large organizations such as S.H.I.E.L.D., they should probably be more diligent about reviewing accounts with high levels of access. There can't be many accounts with "Level 10" access, so it should be easy to spot duplicate or fake accounts such as the one Fury put in place.
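As an added example (not code from the post) of the review just described, the script below takes a constructed HR roster and account list and produces the findings a reviewer of the high-level accounts would want: accounts whose owner has no HR record, enabled accounts belonging to people who are no longer active, privileged accounts not reviewed within the window, and people holding more than one privileged account. The roster, the accounts, the levels and the review date are all constructed; the disabled account of a deceased owner is included to show what a correctly handled departure looks like.

```python
"""Periodic privileged-account review over a constructed roster and account list."""
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple

PRIVILEGED_LEVEL = 9                 # Level 9 and up get the closer look
REVIEW_WINDOW = timedelta(days=365)  # annual review, as the post suggests

# Constructed HR roster: person id -> record
PEOPLE = {
    "p-fury": {"name": "N. Fury", "status": "deceased"},
    "p-hill": {"name": "M. Hill", "status": "active"},
    "p-pierce": {"name": "A. Pierce", "status": "active"},
    "p-sitwell": {"name": "J. Sitwell", "status": "active"},
}

# Constructed account list; "fury-alt" points at an owner id with no HR record
ACCOUNTS = [
    {"id": "fury", "owner": "p-fury", "level": 10, "enabled": False, "last_review": date(2013, 12, 1)},
    {"id": "fury-alt", "owner": "p-unlisted", "level": 10, "enabled": True, "last_review": None},
    {"id": "hill", "owner": "p-hill", "level": 9, "enabled": True, "last_review": date(2014, 2, 1)},
    {"id": "pierce", "owner": "p-pierce", "level": 10, "enabled": True, "last_review": date(2012, 6, 1)},
    {"id": "sitwell", "owner": "p-sitwell", "level": 9, "enabled": True, "last_review": date(2014, 3, 1)},
    {"id": "sitwell-svc", "owner": "p-sitwell", "level": 9, "enabled": True, "last_review": date(2014, 3, 1)},
]

Finding = Tuple[str, str]   # (account id, description)


def privileged_accounts(accounts: List[dict]) -> List[str]:
    """The short list that deserves manual scrutiny: enabled, Level 9+."""
    return sorted(a["id"] for a in accounts if a["enabled"] and a["level"] >= PRIVILEGED_LEVEL)


def review_accounts(accounts: List[dict], people: Dict[str, dict], today: date) -> List[Finding]:
    findings: List[Finding] = []
    privileged_owners: Counter = Counter()
    for acct in accounts:
        aid, owner_id = acct["id"], acct["owner"]
        owner = people.get(owner_id)
        if owner is None:
            findings.append((aid, "orphan: owner has no HR record"))
        elif owner["status"] != "active" and acct["enabled"]:
            findings.append((aid, f"enabled but owner is {owner['status']}"))
        if acct["level"] >= PRIVILEGED_LEVEL:
            privileged_owners[owner_id] += 1
            last = acct["last_review"]
            if last is None or today - last > REVIEW_WINDOW:
                findings.append((aid, "privileged account not reviewed within window"))
    # One person with several privileged accounts is worth a question, even
    # when one of them turns out to be a legitimate service account.
    for owner_id, count in privileged_owners.items():
        if count > 1:
            for acct in accounts:
                if acct["owner"] == owner_id and acct["level"] >= PRIVILEGED_LEVEL:
                    findings.append((acct["id"], f"owner holds {count} privileged accounts"))
    return findings


if __name__ == "__main__":
    review_date = date(2014, 4, 28)   # constructed review date
    print("privileged:", privileged_accounts(ACCOUNTS))
    for account_id, description in review_accounts(ACCOUNTS, PEOPLE, review_date):
        print(f"{account_id}: {description}")
```

With only five enabled privileged accounts on the list, the orphaned "fury-alt" entry stands out immediately; the review is cheap precisely because the population it scrutinizes is small.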


The movie was good from an action standpoint, but leaves much to be desired from a security standpoint. It makes some errors that it didn't need to, but the bit with Fury's second account was a good twist and a refreshing avoidance of a common mistake in such portrayals. Given S.H.I.E.L.D.'s questionable stance on security, especially regarding how much power higher-level individuals wield, it's no wonder that Hydra was able to infiltrate it to the degree it did.


Shripathi Kamath said...

Any thoughts on the Hydra lab created and operated with tape-reel computers, but retrofitted by the director (?) to accept a USB key?

Also, I wonder who all were at Level 9.

Scott Rollison said...

Well, it's no more ridiculous than the system storing and holding a human-consciousness-level AI. Adding a USB to such a system is probably technically feasible; we can add stuff like USB and SD card readers to old systems like Commodore 64s, which came out in 1982.

Maria Hill is level 9 (