Archives For cyber warfare


When a Bond movie comes out, you pretty much have to go see it. I mean come on, it’s a Bond movie, right? In the latest installment, 007 is taking on a computer hacker of sorts and shows us just how little research screenwriters tend to do about technology. While Bond’s brash and bold style of field work is somewhat passable with a little suspension of disbelief from the audience in the grand scheme of things — do we really need to go into detail why not staying low and using some very carefully crafted aliases and passports is a bad idea in spy craft? — the key crimes of the film’s villain, Agent Silva, sound as if the writer skimmed a few Wikipedia pages, pulled out a few impressive sounding buzzwords, and randomly jammed them into the film. And the resulting mix of buzzword salad and technobabble drew me out of the story like an icy slap to the face.

Look, I know, I know, it’s just a movie and a Bond movie at that, and so I’m willing to believe that an agent who needs to shovel painkillers and pour scotch down his gullet to function could still beat the living crap out of an international assassin on a very high floor of a new Shanghai skyscraper. I’m also willing to give Bond the 600 foot fall that should’ve shattered his body into a million pieces. But when M is telling her assistant to “strip the headers” to pinpoint the source of a hack, my inner professional geek rebels, mostly because the headers are where the data she’d want can be found, since they carry the request IP. She basically asked one of the top intelligence agencies in the world to do the equivalent of taking a letter out of its addressed envelope, throwing that envelope away, and using the letter to figure out where the envelope came from. Ugh.
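To make the envelope analogy concrete, here is an added example (my own, not from the film or the post above): a small IPv4 header parser that pulls the source address out of the packet’s “envelope”, beside a strip_headers function showing that the remaining “letter” carries no origin at all. The packet is constructed inline with RFC 5737 documentation addresses.

```python
import socket
import struct
from typing import NamedTuple


class IPv4Header(NamedTuple):
    ihl: int           # header length in 32-bit words (5 = no options)
    total_length: int  # header + payload, in bytes
    ttl: int
    protocol: int      # 6 = TCP, 17 = UDP
    src: str           # the "return address" on the envelope
    dst: str


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Read the envelope: validate the fixed header and return its fields."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_length, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not an IPv4 header")
    hdr_len = ihl * 4
    if len(packet) < hdr_len or total_length > len(packet):
        raise ValueError("header length fields disagree with packet size")
    # A correct header sums to zero once its own checksum field is included.
    if ipv4_checksum(packet[:hdr_len]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return IPv4Header(ihl, total_length, ttl, proto,
                      socket.inet_ntoa(src), socket.inet_ntoa(dst))


def source_of(packet: bytes) -> str:
    """What M actually wants: the address the packet claims to come from."""
    return parse_ipv4(packet).src


def strip_headers(packet: bytes) -> bytes:
    """What M asked for: the letter without the envelope. No address survives."""
    hdr = parse_ipv4(packet)
    return packet[hdr.ihl * 4:hdr.total_length]


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = 6, ttl: int = 64) -> bytes:
    """Construct a minimal IPv4 packet (no options) with a valid checksum."""
    total = 20 + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))
    head = head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]
    return head + payload


# Constructed sample packet using RFC 5737 documentation addresses.
SAMPLE_PACKET = build_ipv4("203.0.113.7", "198.51.100.2",
                           b"GET /m/secrets HTTP/1.1\r\nHost: mi6.example\r\n\r\n")

if __name__ == "__main__":
    print("source address:", source_of(SAMPLE_PACKET))
    print("payload alone:", strip_headers(SAMPLE_PACKET))
```

The source address can of course be spoofed or belong to a proxy, so it is the starting point of an investigation, not the end of one.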

And when the tech jargon isn’t just plain wrong, it’s meaningless. When Bond is told that a hard drive containing the name of every NATO agent embedded in terrorist groups is “encrypted with an asymmetric encryption” we’re supposed to get the idea that it’s really tough to crack because the encryption is asymmetric. Classified data is generally encrypted using a Triple AES cipher, an updated block cipher first created in 1998 in a competition to create a brand new encryption standard, and as a block cipher, its strength is measured by key size. The bigger the key size, the harder it is to decrypt. So if MI6 wanted to explain to Bond how dire the situation is while still sounding computer literate, they would fret that Silva cracked, say, a 2,048 bit key. That’s a very badass thing to do, would mean that Silva can summon NSA-scale resources, and is well in line with some very basic information security jargon you can see on most tech blogs.

Finally we have an egregious scene in which Q tries to decrypt Silva’s hard drive contents. If we were to believe Q, only six people in the world could write polymorphic code and using code obfuscators makes things ridiculously difficult to decrypt. There are exactly two problems with all that. One: polymorphic code in malware is so common that anti-virus companies have a special algorithm to detect it, an algorithm you can easily find online since it was published sometime in the late 1990s. Two: obfuscated code is generally quickly deobfuscated because for every obfuscator there is a deobfuscator out there. By the time a plain text password appeared in what was otherwise a wall of hex — which is what you would see if you tried to reverse engineer code you found suspicious — so blatantly obvious that even the computer illiterate Bond noticed it, I was slumped in my seat, sobbing softly into my sleeve. What in the hell was that?

Again, I know it’s just a movie, but at the same time, just consider that a few days of rudimentary research could’ve created a much better picture of real cyber threats facing world governments and might have even given the writers new plots for Bond movies. Silva mentioned destabilizing entire countries by manipulating stock markets. You could totally do that! I could even explain a hypothetical step by step process of how to make that happen with a mix of social engineering, high frequency trading algorithms, and customized hacking tools while you hobnob with the elite traders of the world’s foremost financial hubs. (Screenwriters in search of new ideas, you know how to reach me, just click the About page…) And that’s certainly a worthy task for Bond to dive into, isn’t it? Think of how much press a properly researched and computer literate movie about hacking and espionage could generate. Seriously Hollywood, stop being lazy about technology and do your homework. You’ll get fun plots and save the geeks in the audience a lot of angst…


While reporting about cyberwarfare and information security has been getting better and better as of late, there are still some articles that posit baffling ideas about how to prevent a massive cyber attack launched by a government. The strange idea in question this time is one which has a good starting point, but ends up imagining cyber attacks as one would imagine a conventional siege, somewhat reminiscent of The Battle of Thermopylae. Rather than envisioning an attack from the cloud able to hit a target out of the blue, it tries to portray network topologies as a kind of unseen battlefield on which one side can gain an advantage by exploiting the landscape…

Cyberspace depends on a physical infrastructure of computers and fiber, and this physical infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet “backbone.” International traffic, including attacks, enters the United States over this “backbone.” The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with (as are the other major powers that engage in signals intelligence). Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked.

Technically yes, you can use the main switches where the fiber stretching across the oceans reaches your shores and have a deep packet inspector check the headers of incoming packets to flag anything suspicious. But this really only works for relatively straightforward attacks and can easily be avoided. If you’re trying to inject a worm or a virus into a research lab’s computer, you’ll have to get through an anti-virus system which will scan your malware and compare its bytes to as many virus and worm signatures in its database as it reasonably can. With the sheer amount of malware out there today, these tools are good at stopping existing infections and their mutant versions. However, brand new attacks require reverse engineering and being run in a simulated environment to be identified. This is how Flame and Gauss went undetected for years, and they were most likely not even spread via the web but with infected flash drives, meaning that efforts to stop them with packet inspection would’ve been absolutely useless.
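As an added example (my own, not from the article under discussion), here is a byte-signature scanner of the kind the paragraph describes, using the harmless EICAR test string as the “known” sample: a ClamAV-style signature with ?? wildcards catches a variant with a few mutated bytes, while a brand new sample matches nothing, which is the gap that sandboxing and reverse engineering have to fill. The signature database and the three samples are constructed for the demonstration.

```python
import re

# The EICAR test string: a harmless, industry-standard file that every
# antivirus engine is expected to flag. Used here as the "known malware".
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def compile_signature(hex_sig: str):
    """Turn a ClamAV-style hex signature into a bytes regex.

    Each pair of hex digits matches one exact byte; '??' matches any byte,
    which is how a signature tolerates a few mutated bytes in a variant.
    """
    if len(hex_sig) % 2:
        raise ValueError("hex signature must have an even number of digits")
    parts = []
    for i in range(0, len(hex_sig), 2):
        token = hex_sig[i:i + 2]
        parts.append(b"." if token == "??" else re.escape(bytes.fromhex(token)))
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed signature database: one exact signature and one with wildcards
# over bytes 24..27 of the string, standing in for a known "mutant" region.
SIGNATURES = {
    "Eicar-Test-Signature": compile_signature(EICAR.hex()),
    "Eicar-Test-Variant": compile_signature(EICAR[:24].hex() + "??" * 4 + EICAR[28:].hex()),
}


def scan(data: bytes, signatures=SIGNATURES) -> set:
    """Return the names of every signature found anywhere in the data."""
    return {name for name, pattern in signatures.items() if pattern.search(data)}


# Constructed samples: the original, a variant with four bytes changed,
# and a "brand new" sample the database has never seen.
ORIGINAL = b"MZ" + b"\x00" * 8 + EICAR
MUTANT = b"MZ" + b"\x00" * 8 + EICAR[:24] + b"ZZZZ" + EICAR[28:]
NOVEL = b"MZ" + b"\x00" * 8 + b"nothing in the database matches this"

if __name__ == "__main__":
    for label, sample in (("original", ORIGINAL), ("mutant", MUTANT), ("novel", NOVEL)):
        print(f"{label}: {sorted(scan(sample)) or 'clean by signature'}")
```

A real engine layers unpacking and emulation on top of this, which is exactly the work a signature database cannot do for a sample nobody has analyzed yet.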

A deep packet inspector sitting at MAE-East or MAE-West exchange points (or IXPs) would have to work like an anti-virus suite if it is to do what the author is proposing, so it can stop someone from downloading an obvious virus or bit of spyware from a server in another nation or deny an odd stream of packets from China or Iran thought to be malicious, but it’s not a choke point in any conventional sense. IXPs are not in the business of being a traffic cop, so having them take on that role could have serious diplomatic repercussions, and aggressive filtering could have all sorts of nasty downstream effects on the ISPs connected to them. Considering that trying to flag traffic by country could be foiled by proxies and IP spoofing, and that complex new attacks would easily be able to slip by an IXP-based anti-virus system, all the effort might not be worth it in the long run and might simply cause glitches for users trying to watch Netflix or surfing foreign websites to read the news in another language, all while trying to prevent threats users can easily manage.

So if creating IXP chokepoints would do little to stop the kind of complex attacks for which they’d be needed, why has there been so much talk about the Pentagon treating the internet as a top national security concern and trying to secure networks across America, or at the very least, be on call should anything go wrong? Why is the Secretary of Defense telling businesspeople that he views cybersecurity as the country’s biggest new challenge and has the Air Force on the job? My guess would be that some organizations and businesses simply haven’t been investing the time and attention they needed to be investing in security and now see the DOD as the perfect, cost-effective way to secure their networks, even though they could thwart attacks and counter-hack on their own without getting the military on the case, perhaps not even realizing that they’re giving it a Sisyphean task. If they know they’re targets, the best thing for them to do is to secure their networks and be aggressive about hiring infosec experts, not call in the cavalry and expect it to stop a real threat from materializing since it simply can’t perform such miracles…


Supervisors at a water treatment facility in Indiana knew that something was wrong when a pump stopped working for seemingly no reason. Their concerns only grew when they checked the logs and saw that improper commands were being issued to the SCADA machine controlling the now broken pump. Even more disturbingly, the logs showed that someone from Russia accessed the machine months before. Obviously this was a case of sabotage designed to test how vulnerable American infrastructure was to a Russian version of Stuxnet. But why didn’t the hacker clean up the logs to hide his point of origin? Could it be a false flag operation? Or did he just get sloppy? Or was there no hacker at all and the logs showed a plant contractor doing his job from a family vacation in Russia, but the DHS simply ran with the hacker story instead based on no evidence of an actual hack taking place and stuck to it even in front of Congress? Yeah, I think the title of this post kind of gives this one away and the link makes the answer even more obvious…

Here are some important questions we need to ask about this incident. Why is an agency that should protect us from external threats immediately going into paranoia mode without doing any proper investigation? Why are taxpayers shelling out tens of billions of dollars on experts who can’t seem to make a few phone calls and who publish their first suspicions as facts? Why does the agency which employs them renounce the report to the media but tell Congress that a Russian cyber-army was testing its weapons against American infrastructure? And why are its centers, in which data is supposed to be shared between agencies to act on threats faster, producing little to no actionable intelligence? If the DHS is basically just a piggy bank for anyone who can claim to be a security consultant, why are we footing the bill for it? Why can’t we just beef up existing agencies at a lower cost and have them access each other’s systems? And finally, why is it that when these questions are asked aloud we hear nothing but excuses and talking points?

Nowadays, if you hack into a company’s servers, the company might hack you right back. No, it won’t wipe your hard drive or infect you with a virus of course. The goal is to figure out who you are and what you’re after, primarily because some of the most advanced hacks over the past few years have been cases of industrial and military espionage. And this is where legal wonks are arguing that the government should step in, lest a company issue a retaliatory cyberattack only to find that its target is actually a foreign intelligence agency. Case in point, Google. After a very sophisticated attack on its servers coming from China and a messy international incident which saw a heated back and forth between the Chinese Communist Party and the company, the tech titan hacked back and found that its attackers were targeting defense and other tech companies with menacingly complex scripts, and the group, dubbed the Elderwood Gang, is still at it.

Their easy access to zero day exploits and the coordination required to pull off their favorite type of attack point to backing from someone who can afford to employ highly skilled programmers and wants to spy on foreign defense and tech contractors, trying to steal blueprints, e-mail, and source code. Basically, what I’m trying to say is that prevailing rumor paints the Elderwood Gang as a part of the Chinese cyber-army long suspected of stealing classified documents from the U.N. and a lot of First World military contractors and government agencies via spyware. As the vast majority of the wired world knows, the United States isn’t exactly a hacking lightweight and it more than likely deploys some very sophisticated spyware and malware of its own. So, say the legal wonks mentioned above, have the Air Force and the NSA tackle sophisticated hackers, not companies that find themselves riddled with foreign spyware. It could’ve come from a Facebook game someone was playing at work that is trying to steal logins to PayPal, or it might be a worm from another government, and hacking them back would provoke an international incident which would have to escalate all the way up to the military. But is that a workable approach?

No, not really. Fact is that the vast majority of infections are trying to steal financial information and/or turn your computer into a bot for DDOS attacks. Not only that, but the malware kits used to make viruses and worms are exploitable too. Only a tiny sliver of all the nasty stuff you might catch surfing random sites without some very heavy duty firewalls and strict privacy and browser settings is actually complex malware from a nation state, and even then you’d have to be a very highly visible defense or tech company since these attacks tend to come from whaling (which is like spear-phishing but targeted at high level executives) and compromised industry message boards, blogs, and forums. Little fries don’t interest the spies much, so they quickly lose interest, and it’s really the Lockheed Martins, EADS’, and Northrop Grummans of the world that should be worried, but considering their cozy relationship with the militaries of their home states, they can always escalate things when they need to. And since all this is being done in secret, I’d highly doubt that a foreign intelligence agency hacked in retaliation will cry foul. That would just be an admission of guilt and the start of a major diplomatic clusterscrew.

Were we to start reporting hack attempt after hack attempt and infection after infection, we’d so quickly swamp cybersecurity experts at the NSA and the Air Force that they’d be buried under a massive backlog of things to investigate in weeks while the torrents of reports keep on coming. Antivirus makers already have vast databases that can identify who was infected with what kind of virus and how to remove it running 24/7/365, and can keep up with 99.9% of infections out in the wild. Considering that they’re the primary discoverers of cyber weapons in use, they’re more than up to the job and can do it without defense establishments getting involved in their daily work. And when we take into account the sheer number of random trojans and worms out there, a hacked company has a 99.9% chance of pinging random hacker crews rather than something as threatening as the Elderwood Gang or as sophisticated as Flame or Stuxnet, and even then, no one on the other end will make a peep because doing so would be a lot worse than keeping quiet and letting the retaliating businesses get away with it. Treaties and tens of billions in trade may be at stake, so it’s best to just let the accusations die down and resume the spying later. So if you get hacked, go ahead and hack back. You’re not going to start any wars by doing it.

Having established why antivirus software can’t really deal with cyberweapon-grade malware, let’s take a look at the really big news in the world of both information security and politics, an official reveal of Stuxnet’s origin as excerpted in the New York Times, and which at this point wasn’t much of a surprise to anyone. The entire web was certain that it was created by the NSA and that the process somehow involved Israel because some of the malware’s critical flow controls were peppered with references to Jewish history and myth. But as the world now acts shocked that what they very vocally and unambiguously suspected actually happened, the contingent of Americans convinced that a cyber attack could cripple the nation’s infrastructure are now waiting for the other shoe to drop. After all, while nations like Iran wouldn’t be able to offer a conventional response to a worm that crippled some of their centrifuges, isn’t creating malware much simpler and just as effective as a couple of bombs, and aren’t there thousands of network and software vulnerabilities to exploit as payback?

Well, if you recall one of my earlier posts on the subject, the second part of that statement is true but the first comes from a massive overestimation of what computers can and can’t do. As noted before, yes there are an amazing number of potential vulnerabilities, or infection vectors if we want to get fancy, but the vectors expose different functionality and far from all of the exposed functionality will actually let you do real damage. There’s a reason why it took a while to write Stuxnet; it had to use several different hacks to get into the right machine, it required expertise not only in how the centrifuges worked, but in how Siemens Step 7 operated and the OB35 data block structure, and finally, needed fake digital certificates to mask its true payload and convince humans to let it out of its sandbox and gain the access it needed to unpack and get to work. In other words, this wasn’t an easy task and by the nature of the beast, the software has to be extremely specialized. Drop any old worm into a control center of a power plant and it’s going to error out and be discovered when a system admin goes over the event log which would more than likely record the errors thrown by the worm during a crash.

Again, I’m sure that Live Free or Die Hard was a fascinating movie, but were it based in the real world instead of a technophobe’s nightmare, the hackers would’ve taken months to gain control of a small local power grid and would’ve spent tens of thousands of dollars at least to test their worms on real equipment they think was being used by the grid they were targeting. Spyware is an entirely different matter altogether and software a lot like Flame is nothing new. In fact, over the last five to seven years, hardly a few months go by without articles mentioning some mysterious spyware attributed to China found on computers of officials in big international organizations, or in a U.S. lab working on national security matters. Does anyone really think that the U.S. isn’t going to spy back or try to gather intelligence on regimes with which it has an antagonistic relationship? True, it is so far the only country known to have used malware as a weapon, but it did so for a subtle act of industrial sabotage rather than a conventional military attack, and acts like this very, very rarely result in war since spying and sabotage are facts of life for nations. In a high profile case there’s a lot of tough talk, a lot of threats, but as soon as the press coverage fades, the saber rattling fades with it as things more or less return to normal.

Contrary to the gripes of many security types, your antivirus software is not useless. Were you to turn it off, many routine infections from contaminated websites, which nowadays are more likely to ask you to give to the poor than to pay for a live nude webcam show, would quickly turn your computer into a gold mine for a lazy identity thief armed with simple viruses. Really advanced and powerful malware using zero day exploits, however, will always elude it because that’s the nature of the arms race between virus writers and antivirus makers. Those with the means and motive attack systems and applications, and the companies and researchers who discover a security breach either patch the vulnerability if possible, or add a new algorithm to look for the threat signature in the future, such as self-modifying files or local services suddenly trying to open an internet connection. And a piece of malware that slips by the antivirus and doesn’t get reported can work in silence for years, just like the widely reported cyberweapons Stuxnet and Flame did. To explain how these worms went unnoticed, both Ars Technica and Wired published a self-defensive missive by an antivirus company executive which basically boils down to an admission of defeat when it comes to proactively recognizing sophisticated malware.

Slightly longer version? Some of the most advanced cyberweapons work a lot like typical software and use a lot of the same tools, or use legitimate frameworks and packages included in most legitimate software as a launching pad for deploying hidden code designed to act in the sort of malicious ways antivirus would flag as an attack, but executed in a way that circumvents the channels through which it would scan. So when Flame is installed, the antivirus checks its components, probably saying to itself "all right, we got what looks like a valid certificate, SQL, SSH, some files encrypted using a standard hashing algorithm… yeah, it all checks out, that’s probably a network monitoring tool of some sort." And herein lies the problem. Start blocking all these tools or preventing their installation and you’re going to cripple perfectly valid applications or make them very difficult to install because every bit of them will have to be approved by the user. How does the user know which piece of software or which DLL is legitimate and which one is not? For the antivirus to help there, it would need to read the decompiled code and make judgments about which behaviors are safe to execute on your machine.

But having an antivirus suite decompile and check the code of every application you run for possible threats is not much of a solution because the decisions it makes are only as good as the judgment of the programmers who wrote it, and because a lot of perfectly legitimate applications have potentially exploitable code in them; a rather unfortunate but very real fact of life. Remember when your antivirus asked you if a program you installed just a couple of minutes ago could access the internet or modify a registry key? Just imagine being faced with a dialog asking you to decide whether some potentially exploitable function call in one of your programs should be allowed to run or not, with the following disassembly snippet to help you make a decision…

00000010 89 45 E4              mov    dword ptr [ebp-1Ch],eax
00000013 83 3D A4 14 9D 03 00  cmp    dword ptr ds:[039D14A4h],0
0000001a 74 05                 je     00000021
0000001c E8 5E 40 3D 76        call   763D407F

Certainly you can see why an antivirus suite that tries to predict malicious behavior, rather than simply watching whether something suspicious starts happening on your system, simply wouldn’t be practical. No user, no matter how advanced, wants to view computer-generated flowcharts and disassembly dumps before being able to run a piece of software, and nontechnical users confronted with something like the scary mess above may just turn their computers off and sob quietly as they imagine their machines crawling with viruses, worms, back doors for identity thieves looking for their banking information, and other nightmarish scenarios. Conspiracy theorist after conspiracy theorist would start posting such disassembly dumps to Prison Planet, Rense, and ATS, and portray them as proof that the Illuminati are spying on them through their computers. Unless we want to parse every function call and variable assignment, look into every nook and cranny of every bit of software we’ve ever installed, or write our own operating systems, browsers, and applications, never use the web, and shut off and physically disconnect all our modems, we’ll just have to accept that there will always be malware or spyware, and the best we can do is keep our systems patched and basic defenses running.
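To make the alternative concrete, watching for suspicious behavior instead of decompiling everything, here is an added example (mine, not from the post or any antivirus vendor) that runs the two behavioral rules named earlier, a self-modifying executable and a local service suddenly opening an internet connection, over a constructed process-event log. The log format, paths, PIDs and addresses are all made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    ts: str
    pid: int
    image: str    # full path of the process executable
    kind: str     # ServiceStart | FileWrite | NetworkConnect
    detail: str   # service name | path written | "ip:port"


# Address space that never counts as "the internet" for the service rule.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in
                  ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                   "192.168.0.0/16", "169.254.0.0/16")]


def parse_events(text: str) -> List[Event]:
    """Parse the constructed pipe-separated event log."""
    events = []
    for line in text.strip().splitlines():
        ts, pid, image, kind, detail = line.split("|", 4)
        events.append(Event(ts, int(pid), image, kind, detail))
    return events


def is_internet_address(endpoint: str) -> bool:
    """True unless the host part is loopback, RFC 1918 or link-local."""
    host = endpoint.rsplit(":", 1)[0]
    ip = ipaddress.ip_address(host)
    return not any(ip in net for net in LOCAL_NETWORKS)


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Flag the two behaviors the post names, from events alone."""
    alerts = []
    services = {}  # pid -> image for processes started as local services
    for ev in events:
        if ev.kind == "ServiceStart":
            services[ev.pid] = ev.image
        elif ev.kind == "FileWrite":
            # A process rewriting its own executable is self-modifying.
            if ev.detail.lower() == ev.image.lower():
                alerts.append((ev.ts, "self-modifying executable", ev.image))
        elif ev.kind == "NetworkConnect":
            # A local service that suddenly talks to the internet is suspect.
            if ev.pid in services and is_internet_address(ev.detail):
                alerts.append((ev.ts, "local service opened internet connection",
                               f"{ev.image} -> {ev.detail}"))
    return alerts


# Constructed sample log (not real telemetry): ts|pid|image|event|detail.
# 203.0.113.x and 198.51.100.x are RFC 5737 documentation addresses.
SAMPLE_LOG = r"""
2012-06-01T10:00:00|412|C:\Windows\System32\spoolsv.exe|ServiceStart|Spooler
2012-06-01T10:00:05|412|C:\Windows\System32\spoolsv.exe|NetworkConnect|127.0.0.1:631
2012-06-01T10:01:10|2210|C:\Program Files\Browser\browser.exe|NetworkConnect|203.0.113.9:443
2012-06-01T10:02:00|412|C:\Windows\System32\spoolsv.exe|NetworkConnect|198.51.100.23:80
2012-06-01T10:03:30|3090|C:\Users\alice\AppData\Local\Temp\updater.exe|FileWrite|C:\Users\alice\AppData\Local\Temp\updater.exe
2012-06-01T10:03:31|3090|C:\Users\alice\AppData\Local\Temp\updater.exe|FileWrite|C:\Users\alice\Documents\notes.txt
"""


def sample_alerts() -> List[Tuple[str, str, str]]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, rule, subject in sample_alerts():
        print(f"{ts}  {rule}: {subject}")
```

The browser’s connection and the spooler’s loopback connection pass without a prompt, which is the point: the user is only bothered when behavior, not a disassembly listing, looks wrong.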

A while ago, I wrote about the overhyped dangers of cyberattacks and the problems with using them to ruin an opponent’s infrastructure as imagined by doomsayers on Capitol Hill. And while the media is slowly but surely coming down to earth about the threat, a proper scholarly rebuke has been published to give the press even more guidance on what cyberwarfare is really like and why it’s not the long anticipated holy grail of asymmetric engagement for rogue nations. Short version? Since there’s a limit on how much an attack would do to a militarily superior enemy, an attacker would have to back up actions in cyberspace with planes, ships, missiles, and even good, old fashioned boots on the ground when a conventional response comes, and the militarily powerful nation states that may be targeted are far from helpless against hackers and malware, and will also launch their own cyberattacks on enemy infrastructure when provoked. So if you really think you could zap a major regional or global player into submission with a virus, you’ll need to rethink your strategy…

As mentioned in previous posts, an advanced energy and transportation infrastructure is huge, and though it’ll have its vulnerabilities, the sheer number of thoroughly researched and tested exploits it would take to impact even a small part of it would be daunting even for a fully fledged hacker army working around the clock. Salvos in a cyber war would rely on the assumption that the discovered vulnerabilities haven’t been patched, many of the targets are exactly what the hackers think they are, and that the exploits won’t be detected long enough for all the viruses to open back doors to critical systems while the IP addresses won’t change until the green light for the attack is given. Oh and once this massive effort is discovered, expect most of the exploits used to get a quick patch, which means that new exploits will have to be found to mount a new attack. Disguising an attack is also getting progressively harder as militaries and intelligence agencies find new ways around obfuscation tools or how to hijack them to trace previously untraceable attacks. And that raises the possibility of cyber war triggering a conventional one if the attack is severe enough or physically hurts the target nation’s civilians.

All that said, there may be an important caveat to consider. Both the academic rebuke and the objections to a lot of popular cyberwarfare gloom and doom address the idea of malware being used as a weapon, just like the Stuxnet virus was thought to have been used. In reality, cyberwars may actually employ spyware like the newly found Flame suite which has silently been infecting computers in the Middle East and North Africa for a few years at least. Rather than trying to crudely bludgeon each other’s infrastructure, nation states seem to be focused on gathering intelligence to better aim diplomatic brawls and conventional strikes. And that makes a great deal of sense. Why huff and puff to shut off a power plant after months if not years of painstaking effort when you can precisely identify where and how to carry out an attack, or sneak a peek at what your enemy might be planning behind closed doors? It’s much easier and more effective anyway since you have fairly well known and difficult to patch attack vectors to exploit, vectors like social media, e-mail, or servers which haven’t been properly updated and store easily accessible and weak passwords. Infiltrations can be subtle and last much longer without requiring esoteric knowledge. Contrary to what we’ve been told so many times, cyberwar won’t get here with a bang but with an insidious whisper, and its main goal won’t be to destroy, but to quietly steal.

Some of my latest posts about cyber warfare seem to have attracted a few eyes, including those of someone who does research in the security field. One pair of the eyes in question belongs to Dr. Jan Kallberg, who was kind enough to send me a paper regarding the political side of security standardization and a piece on space warfare strategies which delved into detail about something I mentioned regarding one surprising problem with cleaning up space debris. Considering that standardized communication satellites should be using the same operating systems and are therefore likely to be susceptible to very similar exploits, Dr. Kallberg envisions covert, space-based wars which use hijacked satellites as missiles. Now, mind you, you cannot just grab any old satellite and send it hurtling into a covert military asset because you’ll need to change orbits, an ability which is very limited for many spacecraft, and you’ll need to know exactly where this asset is. It’s not at all impossible, as demonstrated by an amazing astrophotographer who captured a Keyhole spy sat, but it’s also not trivial. Though, if you can pull it off, chances are that you may actually escape a swift retaliation.

Imagine that you’re a nation with spy satellites scattered around Low Earth Orbit and a rogue communication satellite just careened into one of them. If it was the property of a native company, you could always ask for an explanation to make sure it wasn’t compromised and find some sort of digital trail pointing to foul play. But if a foreign satellite is involved, how exactly do you prove a breach or a deliberate crash? Maybe someone from a rival state paid for the satellite, the company shot it into orbit only for it to sadly spin out of control and thwack a spy satellite from your inventory at 17,000 mph. You’d have to do a lot of digging in a potentially hostile terrain to put together the real sequence of events. But we might be getting ahead of ourselves. First ask yourself if it would be wise to acknowledge the loss and try to retaliate for it since you’d be exposing a secret sat program, and also saying that your orbital assets can be tracked and shot down for as low as $51 million per shot. Yes, it sounds very expensive, but when your multi-billion dollar SIGINT program could be derailed for $250 million or so, it’s a blow to your intended ROI and a devious exploitation of a loophole in the Outer Space Treaty…

So we’ve already seen how some of the more vocal pronouncements about cyber warfare were overhyped by those who think that hackers are nearly omnipotent, and thankfully, more and more skeptics with a good idea of how computers actually work have been published in major publications. One of the promoters of the idea of cyber warfare used for asymmetrical military engagement, Foreign Policy, now has two dueling posts on the subject, one of which puts current examples of cyber war in proper context, and one which tries to spin every act of digital malfeasance as an act of war. Obviously, you know where I stand on the issue and can probably guess that I find few faults with the skeptical column. It does underplay intelligence collection on the web and recurring problems with phishing and whaling for classified information, something which does have a very real impact on military affairs and planning, but otherwise, it’s very well done and researched. And by contrast, its doppelganger seems to mix digital spies, activist DDoS attacks, and what seems to be actual military operations using a computer virus into one huge and scary melting pot of digital gloom and doom.


We can’t assume that every major DDoS attack is being executed as an act of war because it’s not. For a long time, these attacks were used to hold certain sites for ransom and occasionally, what looks like an attack is a programming error which triggers internal applications to send way too much data over the wire. Over the last year, it’s also become a form of protest, a means to voice one’s displeasure with the powers that be and do at least something to demonstrate that they’re not invulnerable. So yes, some DDoS attacks could be political in nature, but they’re hardly effective weapons. Take a look at the reality behind the case of the attack on Estonia which was compared to a military blockade of government institutions by the nation’s prime minister…

The well-wired country found itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to 85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9th, when 58 Estonian websites were attacked [ simultaneously ] and the online services of Estonia’s largest bank were taken down… It was a nuisance and an emotional strike on the country, but the bank’s network was not even penetrated; it went down for 90 minutes one day and two hours the next.

Would you really claim that an attack that made one major bank’s online dashboard unavailable for three and a half hours over two days was a successful military operation? A similar DDoS attack on Twitter, credited to a group of Russian hackers who wanted to silence a Georgian blogger, also used to get a lot of traction when a cyber warfare drum needed to be beaten, but the outage lasted just a few hours and did nothing to silence or dissuade the blogger being targeted. Take a look at a much more serious incident, when hackers working for a Chinese government project were snooping through Google’s servers for political dissidents’ e-mail. This was a careful, expert attack for political purposes, but it was an intelligence matter rather than an attempt to attack the company or the nation which that company called home. So far, the only real successful example of a well executed act of cyber warfare was the Stuxnet worm. It was written by experts, targeted one specific system to sabotage another nation’s nuclear program, and seems to have achieved its intended goal. The supposed work of a Russian hacker squad applying their own version of Stuxnet to an Illinois water utility actually turned out to be nothing more than a manufacturer’s employee trying to update the SCADA software from Russia, but thanks to the heated rhetoric about cyber war, it was assumed to be a sinister attack until shown otherwise.

As said in the previous post on the subject, cyber warfare is nowhere near as effective or simple as we’re told again and again by the media, politicians, and self-proclaimed security experts who spread gloom and doom so they can sell their services after driving demand for them upwards. Counting every DDoS attack and every questionable use of a computer as a precursor to cyber warfare diverts our focus from securing what’s really, truly important to secure. It misleads those in charge into thinking that every computer virus should be treated as seriously as an active nuclear warhead ready to go off with no warning, rather than prioritizing their assets and developing cost- and time-effective measures to avoid easily discoverable and exploitable flaws in the key nodes of their networks. No system will ever be unhackable or invulnerable, but it can be greatly reinforced at the most important points and surrounded by honey nets and powerful firewalls that feed incoming traffic into tools which examine the probability that an incoming request is malicious. To do that, we need to be sober about the threats we face rather than chasing down every DDoS protest or rumor of a Stuxnet 2.0 co-opted by vicious hackers working for a special ops team with wild abandon while thinking it makes us safer.
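The distinction drawn above between a botnet flood, a misbehaving internal application that floods the wire by mistake, and ordinary load is exactly what the traffic-scoring tools mentioned here have to make. The following is an added example, not code from the original post: a small classifier over constructed access-log lines (the log format, thresholds and IP ranges are all assumptions) that separates the three cases by request rate and how the requests are spread across source addresses.

```python
from collections import Counter

def parse_log(text):
    """Parse constructed log lines of the form '<epoch_second> <client_ip> <path>'."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, path = line.split()
        events.append((int(ts), ip, path))
    return events

def classify_traffic(events, flood_rps=20.0, single_source_share=0.8):
    """Return (label, stats) for a burst of requests.

    'normal'              - request rate below flood_rps
    'single_source_flood' - one client dominates: a buggy internal app or a lone
                            client; a per-source rate limit is enough to contain it
    'distributed_flood'   - high rate spread over many sources, the botnet-style
                            DDoS pattern that needs upstream filtering or spare capacity
    """
    if not events:
        return "normal", {"rps": 0.0, "sources": 0, "top_share": 0.0}
    span = max(e[0] for e in events) - min(e[0] for e in events) + 1
    rps = len(events) / span
    sources = Counter(e[1] for e in events)
    top_share = sources.most_common(1)[0][1] / len(events)
    stats = {"rps": rps, "sources": len(sources), "top_share": top_share}
    if rps < flood_rps:
        return "normal", stats
    if top_share >= single_source_share:
        return "single_source_flood", stats
    return "distributed_flood", stats

def make_log(start, seconds, per_second, ips):
    """Build constructed log text: per_second requests each second, rotating over ips."""
    lines, i = [], 0
    for s in range(start, start + seconds):
        for _ in range(per_second):
            lines.append(f"{s} {ips[i % len(ips)]} /login")
            i += 1
    return "\n".join(lines)

# Constructed scenarios (assumed addresses, not real traffic)
NORMAL = make_log(1700000000, 10, 5, ["203.0.113.%d" % k for k in range(1, 6)])
BUGGY_APP = make_log(1700000000, 10, 100, ["10.0.0.7"])  # one internal host hammering
BOTNET = make_log(1700000000, 10, 100, ["198.51.100.%d" % k for k in range(1, 251)])

if __name__ == "__main__":
    for name, log in [("normal", NORMAL), ("buggy app", BUGGY_APP), ("botnet", BOTNET)]:
        print(name, classify_traffic(parse_log(log)))
```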

[ illustration by Andre Kutscherauer ]

Generally, if you work with technology for a living, you notice that people have two extreme reactions to all new electronic devices. The first is surprise that they can do anything beyond their expected functions, like gasping when smartphones browsing the web offer to make calls to the numbers one clicks. The other is a belief that the new device can do pretty much anything and everything under the sun, transcending mere bits, bytes and circuitry, and becoming indistinguishable from magic. Unfortunately for us, those now terrified of cyberwarfare seem to have the second extreme reaction, and if you want to know just how paranoid they can get, check out what former bureaucrat and current security consultant, Richard Clarke, says about the possibilities of a huge cyber-offensive in his attempt at a non-fictional adaptation of a Tom Clancy novel. Unbeknownst to IT experts, computers have suddenly gained the power not only to tear through any security measure, but also overcome incompatibilities between proprietary software packages and operating systems, and air gaps, while hackers are now supposed to level playing fields for nations with small militaries with their 1337 techno-wizardry.

While this notion grabs eyeballs, sells books and magazines, and scares the living daylights out of politicians who saw the flick Live Free or Die Hard one too many times, it’s total rubbish. Cyber-espionage is a very real thing, and it does happen all the time when hackers, or even computer science students recruited by a military, adopt common hacker tricks to peer into classified networks. They use social engineering, a widely available packet sniffer like Wireshark or a custom-built one based on the open source library on which Wireshark was built, attempt spear phishing and whaling against employees of major security contractors, or look for any gap in secured networks that may lead to valuable intelligence. But there’s a huge gap between the very real threats posed by hackers looking for information much the same way Anonymous’ Antisec collective carried out a lot of its operations, and being able to just flip a switch and bring one of the largest, best armed, and most wired nations on the planet to its knees in just fifteen minutes, as Clarke prophesies. A review of his book on a top security news blog accurately alludes to the Book of Revelation when describing his visions…

Chinese hackers take down the Pentagon’s networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data, including offsite backups, held by the federal reserve and major banks, [and] then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.

He forgot cats and dogs living together and the seven-headed, ten-horned beast ridden by the bejeweled and purple-robe clad Whore of Babylon leading Satan’s digital forces in a charge across Megiddo, but not bad as far as apocalyptic fantasies go. Problem is that all of this simply can’t happen unless the entire nation runs on only one massive command and control system that can be accessed via the web. Considering that the main software package in your office has trouble talking to that of another company, much less every company that works in the same industry as you, you can probably see the problem in this logic. Try and bring down power grids across the country. You can’t. They work in disparate blocks using different SCADA machines which are made by different manufacturers and use different software. The now infamous Stuxnet worm only targeted a single system, Siemens Step 7, and looked for only one type of instruction to disrupt. If the same instruction is a different argument type in Step 8, the worm will be rendered impotent. True, there are vulnerabilities in many of those SCADA machines because the manufacturers often didn’t bother fixing them and their customers do not want to update for fear that their perfectly calibrated systems may break, costing tens of millions in repairs and downtime, but the sheer variety and number of them makes a one-size-fits-all attack impossible.

Even though it was found that thousands of SCADA machines are not really air-gapped, they were made by different vendors, have different vulnerabilities, and represent only a tiny fraction of all the SCADA machines in use right now. An army of thousands of hackers working around the clock couldn’t do even a tiny fraction of the damage Clarke envisions just because the technology they’re attacking is so disparate and varied. And to hit banking systems to empty out ATMs, they would need to attack massive international funds exchange entities responsible for standardizing inter-bank communications, no easy task by any means. To disable GPS, they’d need to take down dozens of military operated and tracked satellites, and to take down air traffic systems they would need to disable tens of thousands of radar towers across the nation, also operated by a wide variety of software and hardware. I really don’t think Clarke and those who quote his hyperbole realize just how vast our wired infrastructures are and how many millions of targets, many of them air gapped and really difficult to exploit, would need to be hit simultaneously to do serious or lasting damage in a very short span of time. And when the hackers actually bump into decent security and honey nets, they’ll need hours if not a full day or two to find an appropriate zero-day exploit to continue their attack. Again, this isn’t simple stuff.

Sure, it’s scary when Antisec rummages through the web and takes down the websites of the CIA and FBI, but you have to keep in mind that most of the sites hit by Anonymous members were targeted with a social DDoS tool which simply overwhelms web servers rather than actually destroying databases or interfering with how a site does its business logic on the backend. Big enough websites are pretty much impossible to shut down with this method because their enormous networks can simply absorb the attacks, and tearing down the public-facing posters of any major government agency in no way compromises the data they actually keep classified on the internal networks they use in their daily work. The sites that are hit by hackers who do steal valuable information either used very lax security or didn’t update their security tools against new threats, and the hacks were the results of their complacency. For well-maintained and well-updated sites, a hack isn’t a simple matter of using a new script the way a lock picker would select a different tool; it’s a slow and steady research project where the gap is found by trial and error rather than a simple brute-force attack. No network and no device will ever be 100% safe and secure, but neither is every network an easy target for government hackers on a mission.