Archives For hacking

surveillance camera array

On the one hand, I am somewhat surprised by recent revelations about exactly how much we’re being watched on the internet by the NSA. However, the big surprise for me is that they couldn’t get data from Twitter. Considering that it’s building an immense data center in Utah, and works with tech companies on a regular basis, is it really that astonishing that the agency is browsing through our communications metadata on a regular basis? We all suspected this was the case, so if anything the current furor is almost a required reaction of anger and hurt to finding out that what we always thought was happening, and didn’t really want to be happening, actually is. The question is what to do now, in the PRISM-aware world. Citizens know they’re being caught up in the dragnet when they’re just going about their day, foreign companies are afraid of the NSA spying on them via the advanced cloud technology the United States sells across the globe, and China could sit back and laugh off American reports of its hacking and spying on the web as hypocrisy.

Another fun fact is that Americans are actually split on how they feel about the NSA’s snooping, and a majority of 56% says that privacy is an acceptable casualty in trying to catch terrorists. It might also be telling that the split hasn’t changed much since 2006 and that it breaks down by a distinct partisan preference, with liberals and conservatives flip-flopping on the issue when the other party was in the White House. So while the press is incensed and investigative reporters are falling all over themselves to talk about PRISM, the American people are shrugging it off by party affiliation. I would expect everyone to carry on as normal because if Facebook and Google didn’t have a mass exodus of accounts, it’s very unlikely they will. Plus, the NSA isn’t reading all the e-mail in your inbox. It just has a record of you e-mailing someone at a given time, and if you are in the United States, your phone number and e-mail should be crossed out in their system, until of course a secret court order grants the analyst access to request the whole e-mail.

Even the slowdown in purchases of American high tech gear is likely to be temporary because much of what we’re hearing from many other countries is an almost mandatory response to the revelations about PRISM. In reality, many of the countries buying these tech products have very extensive spy networks of their own and engage in cyber-espionage on a daily basis. It’s the pot calling the kettle black, and it’s likely that the rumors of tech companies giving the NSA back door access into their servers are just not true. There are a number of ways to supply data to the NSA and a number of ways the NSA could’ve gotten the data itself. I’m not going to speculate how in this post because a) I don’t know the agency’s exact capabilities, b) there are people from both defense contractors and military agencies reading this blog who I’d just annoy with speculating, and c) most of them are probably much worse than having the companies just play ball when a court order comes down and an incredibly powerful agency is knocking on their door.

Now, none of this means this isn’t a big deal. But what it does signal is that the country which is dominating the world in the tech field and serves as the key node in the global communications grid has been crying wolf about cyberwarfare and espionage while actively waging it. We were starting to be sure of this when Stuxnet was discovered, we suspected it even more strongly when all of its ingenious siblings like Flame and Duqu floated into the spotlight, we had a good idea that the United States was publicly holding back when reports of its potential in cyberwarfare drills with allied nations started surfacing, and with PRISM, we now know it for a fact. On the one hand, it’s bad news because your privacy is now not only being compromised by bad security or very lax internal policies of web giants, but by the government as well. On the other, we know that we’re hardly defenseless in the cyber realm and will fight and spy right back. Make of these facts what you will. It’s not like we can put this genie back in its virtual bottle anyway…


bad idea

Recently, computers at two power plants were found to have been infected by three viruses that came from compromised USB drives, all three easily detectable by up to date anti-virus software, and both infections were easily preventable if the plant operators had followed the simplest cybersecurity procedures. If our infrastructure were ever to be the victim of a powerful cyberattack, the exploits’ success wouldn’t be so much a testament to the skills of the hackers as an indictment of the shoddy practices of those who simply don’t understand how to secure critical systems and don’t care to learn. Very few attacks we see out in the wild are truly brand new and very sophisticated like Stuxnet, Duqu, Flame, Gauss, and Red October. Most target unpatched, poorly secured systems with easily exploitable administrator accounts or out of date servers and database engines, attacks on which have been all but automated by simple PHP scripts. If you’re wondering how Anonymous can topple site after site during an op, now you know.

For example, take the pillaging of Stratfor. How did Anons get into their system? By using easily crackable default passwords and reading databases that were never encrypted. What about the huge data leak from Sony in which hundreds of thousands of accounts were compromised? An unpatched server provided a back door. Periodic leaks of credit card numbers from point of sale systems you find at local bars and restaurants? Out of date operating systems exposing admin accounts to external systems, as is a typical industry practice. The ability to get into AT&T users’ accounts just by typing the right URL? Total absence of security checks on the company’s sites, checks that should’ve been tested before the sites ever went live. I think you get the point. Keep up with the virus definitions, patches, and updates, test your software, don’t let external systems run as administrators on your network, and don’t stick random USB drives into mission critical computers. If you don’t follow these elementary practices, you, quite frankly, are begging to be infected and hacked, and considering that we basically live on the web today, that’s just reckless.


skyfall

When a Bond movie comes out, you pretty much have to go see it. I mean come on, it’s a Bond movie, right? In the latest installment, 007 is taking on a computer hacker of sorts and shows us just how little research screenwriters tend to do about technology. While Bond’s brash and bold style of field work is somewhat passable with a little suspension of disbelief from the audience in the grand scheme of things — do we really need to go into detail why not staying low and using some very carefully crafted aliases and passports is a bad idea in spy craft? — the key crimes of the film’s villain, Agent Silva, sound as if the writer skimmed a few Wikipedia pages, pulled out a few impressive sounding buzzwords, and randomly jammed them into the film. And the resulting mix of buzzword salad and technobabble drew me out of the story like an icy slap to the face.

Look, I know, I know, it’s just a movie and a Bond movie at that, and so I’m willing to believe that an agent who needs to shovel painkillers and pour scotch down his gullet to function could still beat the living crap out of an international assassin on a very high level floor of a new Shanghai skyscraper. I’m also willing to give Bond the 600 foot fall that should’ve shattered his body into a million pieces. But when M is telling her assistant to “strip the headers” to pinpoint the source of a hack, my inner professional geek rebels, mostly because the headers are where the data she’d want can be found, since they carry the request IP. She basically asked one of the top intelligence agencies in the world to do the equivalent of taking a letter out of its addressed envelope, throwing that envelope away, and using the letter to figure out where the envelope came from. Ugh.

And when the tech jargon isn’t just plain wrong, it’s meaningless. When Bond is told that a hard drive containing the name of every NATO agent embedded in terrorist groups is “encrypted with an asymmetric encryption” we’re supposed to get the idea that it’s really tough to crack because the encryption is asymmetric. Classified data is generally encrypted using a Triple AES cipher, an updated block cipher first created in 1998 in a competition to create a brand new encryption standard, and as a block cipher, its strength is measured by key size. The bigger the key size, the harder it is to decrypt. So if MI6 wanted to explain to Bond how dire the situation is while still sounding computer literate, they would fret that Silva cracked, say, a 2,048 bit key. That’s a very badass thing to do and would mean that Silva can summon NSA-scale resources, and it’s well in line with some very basic information security jargon you can see on most tech blogs.

Finally we have an egregious scene in which Q tries to decrypt Silva’s hard drive contents. If we were to believe Q, only six people in the world could write polymorphic code and using code obfuscators makes things ridiculously difficult to decrypt. There are exactly two problems with all that. One: polymorphic code in malware is so common that anti-virus companies have a special algorithm to detect it, an algorithm you can easily find online since it was published sometime in the late 1990s. Two: obfuscated code is generally quickly deobfuscated because for every obfuscator there is a deobfuscator out there. By the time a plain text password appeared in what was otherwise a wall of hex — which is what you would see if you tried to reverse engineer code you found suspicious — so blatantly obvious that even the computer illiterate Bond noticed it, I was slumped in my seat, sobbing softly into my sleeve. What in the hell was that?

Again, I know it’s just a movie, but at the same time, just consider that a few days of rudimentary research could’ve created a much better picture of real cyber threats facing world governments and might have even given the writers new plots for Bond movies. Silva mentioned destabilizing entire countries by manipulating stock markets. You could totally do that! I could even explain a hypothetical step by step process of how to make that happen with a mix of social engineering, high frequency trading algorithms, and customized hacking tools while you hobnob with the elite traders of the world’s foremost financial hubs. (Screenwriters in search of new ideas, you know how to reach me, just click the About page…) And that’s certainly a worthy task for Bond to dive into, isn’t it? Think of how much press a properly researched and computer literate movie about hacking and espionage could generate. Seriously Hollywood, stop being lazy about technology and do your homework. You’ll get fun plots and save the geeks in the audience a lot of angst…


So we’ve already seen how some of the more vocal pronouncements about cyber warfare were overhyped by those who think that hackers are nearly omnipotent, and thankfully, more and more skeptics with a good idea of how computers actually work have been published in major publications. One of the promoters of the idea of cyber warfare used for asymmetrical military engagement, Foreign Policy, now has two dueling posts on the subject, one of which puts current examples of cyber war in proper context, and the other of which tries to spin every act of digital malfeasance as an act of war. Obviously, you know where I stand on the issue and can probably guess that I find few faults with the skeptical column. It does underplay intelligence collection on the web and recurring problems with phishing and whaling for classified information, something which does have a very real impact on military affairs and planning, but otherwise, it’s very well done and researched. And by contrast, its doppelganger seems to mix digital spies, activist DDoS attacks, and what seem to be actual military operations using a computer virus into one huge and scary melting pot of digital gloom and doom.

robot vs. fish

We can’t assume that every major DDoS attack is being executed as an act of war because it’s not. For a long time, these attacks were used to hold certain sites for ransom and occasionally, what looks like an attack is a programming error which triggers internal applications to send way too much data over the wire. Over the last year, it’s also become a form of protest, a means to voice one’s displeasure with the powers that be and do at least something to demonstrate that they’re not invulnerable. So yes, some DDoS attacks could be political in nature, but they’re hardly effective weapons. Take a look at the reality behind the case of the attack on Estonia which was compared to a military blockade of government institutions by the nation’s prime minister…

The well-wired country found itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to 85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9th, when 58 Estonian websites were attacked [ simultaneously ] and the online services of Estonia’s largest bank were taken down… It was a nuisance and an emotional strike on the country, but the bank’s network was not even penetrated; it went down for 90 minutes one day and two hours the next.

Would you really claim that an attack that made one major bank’s online dashboard unavailable for three and a half hours over two days was a successful military operation? A similar DDoS attack on Twitter credited to a group of Russian hackers who wanted to silence a Georgian blogger also used to get a lot of traction when a cyber warfare drum needed to be beaten, but the outage lasted just a few hours and did nothing to silence or dissuade the blogger being targeted. Take a look at a much more serious incident when hackers working for a Chinese government project were snooping through Google’s servers for political dissidents’ e-mail. This was a careful, expert attack for political purposes, but it was an internal matter rather than an attempt to attack the company or the nation which that company called home. So far, the only real successful example of a well executed act of cyber warfare was the Stuxnet worm. It was written by experts, targeted one specific system to sabotage another nation’s nuclear program, and seems to have achieved its intended goal. The supposed work of a Russian hacker squad to apply their own version of Stuxnet to an Illinois water utility actually turned out to be nothing more than a manufacturer’s employee trying to update the SCADA software from Russia, but it was assumed to be a sinister attack until shown otherwise, thanks to the heated rhetoric about cyber war.

As said in the previous post on the subject, cyber warfare is nowhere near as effective or simple as we’re told again and again by the media, politicians, and self-proclaimed security experts who spread gloom and doom so they can sell their services after driving demand for them upwards. Counting every DDoS attack and every questionable use of a computer as a precursor to cyber warfare diverts our focus from securing what’s really, truly important to secure, misleading those in charge into thinking that every computer virus should be treated as seriously as an active nuclear warhead ready to go off with no warning, rather than prioritizing their assets and developing cost and time-effective measures to avoid easily discoverable and exploitable flaws in the key nodes of their networks. No system will ever be unhackable or invulnerable, but it can be greatly reinforced in the most important points and surrounded by honey nets and powerful firewalls that filter incoming traffic into tools that can examine the probability that an incoming request is malicious. To do that, we need to be sober about the threats we face rather than chasing down every DDoS protest or rumor of a Stuxnet 2.0 co-opted by vicious hackers working for a special ops team with wild abandon while thinking it makes us safer.

[ illustration by Andre Kutscherauer ]


Last time we talked about somewhat improbable traffic violations, I wondered if you could get a traffic ticket for teleporting your way around a traffic jam and then argue your way out of it. But there is another possible use for technology in getting out of legal trouble if it works, or landing yourself in serious hot water if it doesn’t. And even more interestingly, it doesn’t require any sort of futuristic machinery to pull off. All you need is to know the basics of an SQL command, and you might just beat those automatic speed cameras without having to resort to rocket cars. And while you might not be able to stop them from taking a picture of your speeding, how could the camera’s operators send you a ticket if they can’t find an entry for your violation? That’s the thought behind a concept known as the SQL injection plate, a license plate with a script telling the computer recording your offense to erase the record it just made, if not entirely deleting its database tables, or the database itself.

Would this little trick work? Well, it sounds better on paper than in reality because if you don’t know the names of the tables where your entry is stored, an optical character recognition system wouldn’t accept the command as valid. Plus, since these hacks aren’t exactly unknown, a programmer can easily disable these attempts by telling the system to look for SQL scripts in images and discard them as invalid input. Or more probably, mail the photos to a police department which might not take this lightly and very sternly warn you not to do this sort of thing again in the form of a citation or a rather strongly worded letter. But of course this is assuming that the camera’s operators are even using some sort of OCR system. Depending on the quality of the pictures taken by their cameras, it may be far cheaper and more efficient to leave this work to people who could have a laugh and attach the snapshot to the ticket to be sent in the mail. Again, neat idea, but the execution is a lot tougher than an aspiring traffic camera hacker might want it to be.
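Both halves of this argument, as an added example that is not part of the original post: an in-memory SQLite table standing in for a camera back end, with a recorder that splices the OCR’d plate text straight into its SQL script beside one that first rejects anything that does not look like a plate and then binds the text as a query parameter. The table layout, the plate format and the OCR’d strings are all constructed assumptions.

```python
import re
import sqlite3

# Assumed plate format for this example: two to eight capital letters or digits.
PLATE_RE = re.compile(r"[A-Z0-9]{2,8}")

# Constructed OCR output for an "injection plate": closes the quoted value,
# finishes the INSERT, appends a DELETE, and comments out the rest of the line.
MALICIOUS = "AB12CDE', 97); DELETE FROM violations; --"


def new_db():
    """Stand-in for the camera operator's violation database (in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE violations (id INTEGER PRIMARY KEY, plate TEXT, speed INTEGER)")
    return conn


def record_unsafe(conn, plate, speed):
    """Vulnerable recorder: OCR text is formatted into a multi-statement script."""
    script = (
        "BEGIN;\n"
        f"INSERT INTO violations (plate, speed) VALUES ('{plate}', {speed});\n"
        "COMMIT;"
    )
    conn.executescript(script)  # runs every statement the plate smuggled in


def record_safe(conn, plate, speed):
    """Hardened recorder: whitelist the plate format, then bind it as a parameter."""
    if not PLATE_RE.fullmatch(plate):
        raise ValueError(f"OCR output is not a plate, discarding: {plate!r}")
    conn.execute("INSERT INTO violations (plate, speed) VALUES (?, ?)", (plate, speed))


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM violations").fetchone()[0]


def stored_plates(conn):
    return [r[0] for r in conn.execute("SELECT plate FROM violations ORDER BY id")]


def demo_unsafe():
    """Returns how many violations survive after the injection plate is recorded."""
    conn = new_db()
    record_unsafe(conn, "XY99ZZZ", 88)  # an earlier, legitimate violation
    record_unsafe(conn, MALICIOUS, 97)  # the injection plate wipes the table
    return row_count(conn)


def demo_safe():
    """Returns (whitelist rejected the plate?, rows stored, plates as stored)."""
    conn = new_db()
    record_safe(conn, "XY99ZZZ", 88)
    try:
        record_safe(conn, MALICIOUS, 97)
        rejected = False
    except ValueError:
        rejected = True
    # Even without the whitelist, parameter binding stores the text literally;
    # it never becomes part of the SQL, so nothing is deleted.
    conn.execute("INSERT INTO violations (plate, speed) VALUES (?, ?)", (MALICIOUS, 97))
    return rejected, row_count(conn), stored_plates(conn)
```

The whitelist is what the post means by discarding SQL found in images; parameter binding is the layer that protects the database even when the whitelist is missing or wrong.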

So what can you do if you can’t trick the speed camera into giving you a free pass? Annoyingly enough, it’s not very hard to use the impartial lens and its often less than caring operators as a means for a scam. Just a tad over a year ago, teens in Maryland supposedly printed fake license plates and then intentionally sped through intersections monitored by speed cameras, and by using the numbers of teachers or other students, they saddled those they didn’t like with traffic tickets requiring at least some time and effort to sort out. Though a few of their victims probably paid the fines because they thought they had no chance to dispute their wrongful punishment, I would be surprised if quite a few of these tickets didn’t get dismissed if those pranked drove a different car and could easily prove it in traffic court. The extent of the prank is hard to pin down because many of the story’s details come from an unnamed parent who stated that he was extremely opposed to the use of speed cameras in general, hence the use of the qualifier supposedly instead of using the story as a fact.

But then again, the mechanics of this prank seem perfectly plausible when we consider that speed cameras don’t necessarily snap the greatest quality pictures, meaning that a well printed fake license plate glued over its perfectly valid counterpart would be very hard to notice, even on a decent image. So the next time you find a ticket in the mail claiming that the camera caught you running a red light or speeding, take a close look at the image and make sure it really does present a strong case. If you see another car racing past you in the shot, or something looks amiss, take it to court. Machines make mistakes, and they do it all too often, since fallible and error-prone humans are usually the ones calibrating them…
