You may be aware that Google recently threatened to cease operations in China. They publicly spun the decision as a response to censorship laws, but the cold hard truth is that Google's new approach to China resulted from "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property". I have seen a spate of computer-security-related articles recently and have been thinking about technology and security. This topic is a little off my regular focus, but as I looked deeper I found disturbing trends and a great deal of information available.
Corporate cyber espionage is rampant, and current security systems are woefully unprepared to deal with sustained, carefully studied attacks. Governments around the world are setting up cyber defenses, and military attack capabilities are rumored to exist, but if they do, most are classified. Finally, most attacks, whether military, corporate or personal, begin with social engineering and are targeted in such a way that common defenses (firewalls, anti-virus, anti-malware, etc.) do practically nothing, resulting in a state of misplaced paranoia.
China Attacks Google & Others
There is a lot of speculation about the details of the attacks. The only thing known for certain is that in December anonymous attackers targeted the source-code repositories of at least 30 American companies (though some investigations report that over 100 companies may have been targeted) and critically compromised at least some of their targets. Another high-profile victim was Intel, though they have not revealed how much or what was stolen. To get an idea of the gravity of the situation, consider last week's interview of Intel CEO Paul Otellini by Charlie Rose. When Rose asked, "What is the next big idea you think in technology in terms of the internet and in terms of processing information?", Otellini replied, "I think recent events have given us all a wake up call on security. I think we need to do a much better job of protecting people's privacy, corporate assets, government assets... this is everything from credit card fraud, to phishing, to state sponsored cyber attacks... all of that suggests we need to do a hardening of our systems... ". Keep in mind that they were not talking about security when Rose asked this. Otellini recommends that breaking passwords should become so hard that it requires a massive amount of computing power. The interview is an excellent review of the current state of technology. I highly recommend the Charlie Rose Paul Otellini interview.
The National Security Agency and others have been working to determine the origin of the attacks, which are now being called the Aurora attacks. If the NSA is on the case, this is serious. I suspect that the recent media spotlight on international hacker warfare is only scratching the surface of an ongoing cold cyber war, a cold war 2.0 of sorts. Various sources have linked the Aurora attacks to two Chinese schools with close ties to the Chinese military. However, because the Chinese government encourages volunteer "patriotic hackers" to run espionage, it is possible that the source of the attacks was not officially sanctioned but rather zealous computer nerds. There is also the possibility that the attacks came from China but not from Chinese citizens; no matter how well you trace digital fingerprints, unless you have the webcam on the other end turned on it is impossible to tell who is actually at the terminal. At best you can trace the route back to a location. A United States military contractor that faced the same attacks as Google has pointed to a specific computer science class at the Lanxiang Vocational School. The other school fingered by investigations is Shanghai Jiaotong University. The Chinese approach to online espionage is distributed, which will make definite proof of the origin of an attack almost impossible.
Short Circuit on Demand
Consumers often joke that manufacturers build products to last only until the next generation of the product is available. What if manufacturers could simply turn off your electronics from a distance at their command? They already can. Windows will eventually stop working if you don't register your copy of the software, and your car's engine can be stopped by OnStar. These situations are benevolent. The real threat is malicious Trojan horses hidden in the computer chips that control our nation's financial systems, communications networks, power grids, and military defenses. The scenario postulated is that a foreign nation supplying microchips to another nation may include an undetectable back door in those microchips. This New York Times article, Old Trick Threatens the Newest Weapons, indicates that this kind of digital warfare has already occurred:
A Trojan horse kill switch may already have been used. A 2007 Israeli Air Force attack on a suspected partly constructed Syrian nuclear reactor led to speculation about why the Syrian air defense system did not respond to the Israeli aircraft. Accounts of the event initially indicated that sophisticated jamming technology was used to blind the radars. Last December, however, a report in an American technical publication, IEEE Spectrum, cited a European industry source in raising the possibility that the Israelis might have used a built-in kill switch to shut down the radars.
Separately, an American semiconductor industry executive said in an interview that he had direct knowledge of the operation and that the technology for disabling the radars was supplied by Americans to the Israeli electronic intelligence agency, Unit 8200.
The disabling technology was given informally but with the knowledge of the American government, said the executive, who spoke on the condition of anonymity. His claim could not be independently verified, and American military, intelligence and contractors with classified clearance declined to discuss the attack.
The United States has used a variety of Trojan horses, according to various sources.
In 2004, Thomas C. Reed, an Air Force secretary in the Reagan administration, wrote that the United States had successfully inserted a software Trojan horse into computing equipment that the Soviet Union had bought from Canadian suppliers. Used to control a Trans-Siberian gas pipeline, the doctored software failed, leading to a spectacular explosion in 1982.
These past events show that any sophisticated computer system that is not built entirely on home soil can never be completely trusted. This problem is essentially one of globalization. In the case of military defenses a country must remain self-sufficient; that is, it must be an autarky. Autarky is not viable in most realms; it can be pursued, at great economic cost, only by those countries with sufficient resources to develop their own arms from scratch. In the case of the United States, the Pentagon now securely manufactures about 2 percent of the integrated circuits the military buys annually (Intel also does a lot of manufacturing work in the United States; see the Otellini interview). The push to have a completely organic source of microprocessors seems to be economically prohibitive. Some say that the computer security industry plays up fears of catastrophe and deliberate sabotage, and that the larger threat is design and programming errors in hardware or software. The severity of this problem is open for debate and I am not enough of an expert on it to weigh in too heavily. I won't delve into science-fiction paranoia about it, but I do think it is a risk. You can read more on this topic at IEEE Spectrum in the report The Hunt for the Kill Switch.
Testing the Electric Fences
In Jurassic Park the seasoned park ranger demands that the velociraptors be killed because they're far too intelligent. They test the electric fence for weaknesses, but never the same spot twice, because, as he says, "They remember". They escape as soon as the power is cut and claw their way out; they have been waiting. Finally, even though the ranger knows the danger, as he's stalking one velociraptor another ambushes him from the side. His famous last words:
Analysts have found that the Aurora attacks were actually an entire campaign of observation and intrusion. The ISEC Partners report details the infiltration program of the Aurora malware suite and the pattern it followed:
Despite the diversity of victims in these attacks, we have seen a common pattern in the attacks, which generally proceed like this:
1. The attacker socially engineers a victim, often in an overseas office, to visit a malicious website.
2. This website uses a browser vulnerability to load custom malware on the initial victim’s machine.
3. The malware calls out to a control server, likely identified by a dynamic DNS address.
4. The attacker escalates his privilege on the corporate Windows network, using cached or local administrator credentials.
5. The attacker attempts to access an Active Directory server to obtain the password database, which can be cracked onsite or offsite.
6. The attacker uses cracked credentials to obtain VPN access, or creates a fake user in the VPN access server.
7. At this point, the attack varies based upon the victim. The attacker may steal administrator credentials to access production systems, obtain source code from a source repository, access data hosted at the victim, or explore Intranet sites for valuable intellectual property.
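Step 3 of the pattern above, malware polling a control server behind a dynamic-DNS name, leaves a trace a defender can look for in DNS query logs. The following is an added example, not code from this post or from the ISEC report; the log line format, the sample log and the dynamic-DNS suffix list are constructed assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed (constructed) dynamic-DNS provider suffixes; a real deployment keeps its own list.
DYNDNS_SUFFIXES = ("dyn-example.net", "freehost-example.org")

# Assumed log line format: "<ISO timestamp> <client ip> <queried name>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

# Constructed sample log: 10.0.0.15 beacons every five minutes to a dynamic-DNS name,
# 10.0.0.22 makes one-off lookups, one of them to a dynamic-DNS name.
SAMPLE_LOG = """\
2010-01-12T09:00:00 10.0.0.15 c2node.dyn-example.net
2010-01-12T09:01:10 10.0.0.22 www.corp-intranet.example
2010-01-12T09:05:00 10.0.0.15 c2node.dyn-example.net
2010-01-12T09:10:00 10.0.0.15 c2node.dyn-example.net
2010-01-12T09:11:45 10.0.0.22 shared.freehost-example.org
2010-01-12T09:15:00 10.0.0.15 c2node.dyn-example.net
"""

def is_dyndns(name):
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)

def find_dyndns_beacons(log_text, min_queries=3, max_jitter=0.2):
    """Map (client, name) -> {"count", "mean_interval_s", "periodic"} for every
    dynamic-DNS name queried. "periodic" is True when at least min_queries were
    seen and the gaps between them are nearly equal (stdev/mean < max_jitter),
    the beacon-like pattern of malware polling its control server."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and is_dyndns(m.group(3)):
            seen[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    findings = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else 0.0
        periodic = len(times) >= min_queries and avg > 0 and pstdev(gaps) / avg < max_jitter
        findings[key] = {"count": len(times), "mean_interval_s": avg, "periodic": periodic}
    return findings

if __name__ == "__main__":
    for (client, name), f in find_dyndns_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {name}: {f['count']} queries,", "BEACON" if f["periodic"] else "one-off")
```

A single lookup of a dynamic-DNS name is not evidence of compromise on its own; the regular interval is what separates a polling implant from a user visiting a personal site.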
In the report they outline recommendations for all organizations and companies, even those that have not been contacted and have found no evidence of an Aurora infection. The ISEC team lists the steps that companies need to take to defend themselves, but troublingly states:
The most interesting aspect of this incident is that a number of small to medium sized companies now join the ranks of major defense contractors, utilities and major software vendors as potential victims of extremely advanced attackers. This is concerning for many reasons, not the least of which is that even most Fortune-500 companies will not be able to assemble security teams with the diversity of skills necessary to respond to this type of incident.
Security Clearance Required
Mike McConnell, the former Director of National Intelligence, said to the US Senate Commerce, Science, and Transportation Committee yesterday that if the US got involved in a cyber war at this moment, they would surely lose. "We're the most vulnerable. We're the most connected. We have the most to lose," he stated.
It is not as if we aren't trying to prepare; in fact the United States is much better prepared than most countries, but we are also a primary target. Given the rumble of talk about cyberwar and programs such as the United States Cyber Command, the only thing that is clear is that the United States is keeping its cards close.
We all know the threat is there, but are we watching the flank? Every computer network is guarded with a password, albeit probably a poor password, in order to keep out those who shouldn't have access to specific systems. Is it velociraptor paranoia to password everything? No; in fact I would argue that more secure steps should be taken even for average users, such as restriction of remote logins, biometric scans (I already use one for my laptop), and security key fobs that must be present for login (even video games like World of Warcraft now have authenticators!). There is a rumble of talk about dark nets, foreign cyber attacks, corporate espionage, and an entire business sector for malware, which leads me to believe there is an incredibly serious danger at hand. Perhaps there is a cold cyber war going on right now. In a globalized world I don't see how much of a benefit it would be to destroy another nation that you trade with or that is in debt to you (if you could hack into the banking system, would you destroy the banks, steal all the money at once, or just take enough?). Like the cold war, a cyber war would carry the threat of mutually assured destruction. Yet this will not abate the fear that all our electronics have Trojan back doors (the ultimate outflanking maneuver), rendering all resistance (and passwords) futile.
The McCarthyism of McAfee
There is one catch to all this fear mongering, which I would call the McCarthyism of McAfee. You see, many anti-virus programs are detected as viruses by other anti-virus programs. These programs take up system resources and don't protect users from their own worst enemy (themselves). On my old desktop I did some monitoring and determined that my anti-virus software is actually about the 15th greatest system resource hog in terms of average CPU and RAM utilization, and I don't even have it turned on to actively scan. There is not much of a threat on your home computer if you're a tech-savvy user. The threat is from social engineering and on the business network you log into.
I wonder, for each press release, how many undetected probing attacks are made. Or, for each missile the Air Force launches, how many digital attacks does it make? You can bet it is a lot, but I wouldn't lose sleep over it, because history shows us that doomsday is less likely than government control schemes.