Cyber Insecurity

  Benoit Morel. Copyright © 2017 Benoit Morel. All rights reserved.

  First Edition. Page Publishing, Inc., New York, NY.

  First originally published by Page Publishing, Inc., 2017.

  ISBN 978-1-64027-568-3 (Paperback)

  ISBN 978-1-64027-569-0 (Digital)

  Printed in the United States of America

  How come stealing from one book is plagiarism, but stealing from many is research?

  —Alfred E. Neuman

  

PROLEGOMENA

  This book is the product of fifteen years of courses in Carnegie Mellon University. If any of the many students who took that course over the years read the book, they will know that I realize how much I owe them. They were nothing less than magic by the mix of enthusiasm, interest, and computer savvy they brought to that course. In many cases, I learned more from them than they did from me.

Warnings

  About the Use and Abuse of the word Cyber

  The word cyber has become ubiquitous to the point of discomfort. Tim Unwin, for example, said, “My preference is to abandon the use of this ‘cyber’ terminology altogether and to use clearer, more specific words for what we are talking about and seeking to implement.” Although one can only sympathize with that point of view, the meaning of words and, more generally, languages has something in common with politicians: they are easily corrupted. Still, everything seems to be “cyberized,” including human feelings. For example, one speaks now of cyber anxiety. Fighting the trend toward the cyberization of most English words is a heroic but ultimately futile battle. And contrary to the assertion that there is always a “clearer, more specific word” to substitute for cyber, the opposite is true in most cases. Furthermore, the cost of having to find a new word for each instance where the word cyber captures the action concisely is far too great. Hence, purists reading this book are in serious danger of an overdose of cyber.

About Technical Terms

  Cybersecurity has spawned a lot of institutions and agencies and developed a huge jargon involving a lot of acronyms and technical words, to the point of discomfort for nonexperts and, to a certain extent, experts as well. Most people are familiar with at least some of those words, and not necessarily the same ones. It is impossible to explain each technical term without making the reading seriously cumbersome to most. Hence, readers who want help can find it on the web. There is also a good source on where to locate some glossaries: the Congressional Research Service (CRS) report “Cybersecurity: Data, Statistics, and Glossaries.”

  

  https://unwin.wordpress.com/2014/01/15/on-cyber-and-the-dangers-of-elision/.

  George R. Lucas, “Cyber Anxiety and Threat Inflation,” in The Ethics of Information Warfare, eds. Luciano Floridi and Mariarosaria Taddeo (Switzerland: Springer International Publishing, 2014).

  Rita Tehan, “Cybersecurity: Data, Statistics, and Glossaries” (September 2015), http://www.fas.org/sgp/crs/misc/R43310.pdf.

INTRODUCTION

Cybersecurity is arguably the most complex threat against modern societies.

  It is a 100 percent man-made phenomenon that outsmarts human beings.

  Few have had a life-changing experience because of cybersecurity. Still, some surveys suggest that people are more afraid of

  

  All are rather remote threats. But the fact that cyber anxiety has entered the vocabulary is reminiscent of what the legendary chess player Aron Nimzowitsch said. He was speaking about chess and chiding a referee who would not ask his opponent to put aside the unlit cigarette he had in his mouth in a tournament where it was forbidden to smoke. The referee tried to explain to Nimzowitsch that, technically, his opponent was not smoking. What he accomplished was drawing Nimzowitsch’s ire for his lack of knowledge of the psychology of chess.

  When it comes to threat perception, cybersecurity may have something in common with chess, although it does not take much to instill panic and distress in users as soon as their computers show signs of not functioning correctly. Furthermore, average users often seem to behave irrationally. After having been warned about the dangers of doing certain actions, they purport to take the warning seriously and proceed to do exactly what they were advised not to do. That has happened repeatedly with heads of the CIA, for example.

  The US government, in its rhetoric, treats cybersecurity almost as an existential threat to the US economy. Considering the resources of the US government, in a rational world, we would expect that by now, it would be the uncontested leader in cybersecurity. This would not be a good characterization. Hapless is closer to reality. Congress does not fare better. Not so long ago, a senator famously explained to his colleagues that the Internet was “not a truck but a series of tubes.” Few think that the present Wild West atmosphere of the Internet is sustainable. There is a need for some legal order. But it is the job of the US Congress to define the legal contours of that order. And the US Congress has not passed a serious law on that subject since. Whatever it tried to pass was either too contentious to make it through both chambers or worse than doing nothing, or both.

  Part of the complexity of the threat that cybersecurity represents to modern societies stems from the difficulty that governments in general have to adjust to its culture. The drivers of change in cybersecurity reside outside governments and outside their control. Too much of the expertise in cybersecurity also resides outside governments. This is a somewhat scary situation, which justifies our sense of cyber insecurity.

  Another facet of the complexity of cybersecurity as a threat is the fact that it potentially affects all aspects of life in modern societies, from the smallest to the largest.

  Another facet of the complexity of cybersecurity is its technical dimension. This is a fundamental feature of cybersecurity that is all too easily underestimated. Cybersecurity is rooted in the technical complexity of the computer and of Internet technology. The most obvious feature of Internet technology is the relentless pace of innovation. This is also its most attractive feature and the major reason for its success. But each innovation seems to bring with it new opportunities for cyber attacks. Cybersecurity today is very different from what it was a few years ago, and we do not know what it will look like a few years hence.

  Cybersecurity is not a mature academic field. In fact, one contention of this book is that after a good beginning, academia managed to marginalize itself from the real action. Furthermore, there are many data in cybersecurity, but none are good and reliable. As a result, there is a tendency to rely on anecdotal evidence. Cybersecurity encompasses a lot of things, and people tend to specialize, making cybersecurity a fragmented field of study lacking a common thread. Words are used loosely, or more exactly, they often mean something different to different people. There is no solid conceptual framework.

  This book touches on a lot of subjects where cybersecurity plays a role, from the dark net to international relations. It addresses the question of where the government while emphasizing the singular excellence of NSA. It tries to convey a sense of the vast and complex world of malware and web application security. It tries to convey the dynamic nature of the field, by speaking of the Internet of things, the revolutionary changes occurring in the security industry, and how artificial intelligence can turn out to be a game changer. Something this book does not do is come up with answers. This is partially based on the observation that for the most important questions in cybersecurity, there is no good answer. A question without a good answer should stay unanswered.

  Peter W. Singer and Allan Friedman, Cybersecurity and Cyberwar: What Everyone Needs to Know (Oxford: Oxford University Press, 2014).

  http://www.chess.com/blog/DENVERHIGH/quota-threat-is-stronger-than-the-executionquot-aron-numzowitsch.

  http://www.wired.com/2015/10/hacker-who-broke-into-cia-director-john-brennan-email-tells-how-he-did-it/.

  Singer, Peter W.; Friedman, Allan. Cybersecurity and Cyberwar: What Everyone Needs to Know. Oxford University Press, USA, 2013.

  http://info.law.indiana.edu/faculty-publications/The-Emergence-of-Cybersecurity-Law.pdf.

  http://www.nytimes.com/2012/08/03/us/politics/cybersecurity-bill-blocked-by-gop-filibuster.html; see also http://www.nytimes.com/2015/04/23/us/politics/computer-attacks-spur-congress-to-act-on-cybersecurity-bill-years-in-making.html?_r=0.

  —Ralph Johnson, computer scientist

  As John Chambers, former head of Cisco, likes to say, “There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.” The advanced persistent threat, APT for short, has become a popular buzzword. Those who use that word seem to have a precise idea of what it means. The problem is that the word APT does not seem to mean exactly the same thing to everybody. This is representative of a problem with cybersecurity: it lacks conceptual precision and rigor. Still, APT refers to the fundamental fact that cyber attacks are taking place continuously and relentlessly.

  To have a useful meaning, APT should refer to a subset of cyber attacks. But there is no consensus on how to define that subset precisely. Should it involve only threats coming from governments or large groups? Should it refer only to situations where the victims are large organizations or belong to governments? Or does the pilfering of money through cyber means, whatever form it takes, also belong to APT? Or something else?

  APT may be poorly defined. Perhaps the most useful thing that the acronym APT is accomplishing is characterizing appropriately what cybersecurity is more and more about: a threat continuously growing in size, complexity, and diversity. Cybersecurity is not a problem about to be solved; it is a growing problem we will have to live with for the foreseeable future.

  Cybersecurity has a short history, during which a lot took place. Cybercrime has quickly grown into an international phenomenon, challenging law enforcement at all levels. An underground economy has emerged. Classical security tools like antivirus (AV) programs and firewalls provide increasingly limited cyber protection. Security companies have to redefine themselves continuously to adjust to a fast-changing world. The approach to cyber defense and the cybersecurity industry altogether is going through a severe midlife crisis.

  This is a context where computers are progressively invading every aspect of daily life. Cars, airplanes, medical devices, appliances—all are progressively becoming targets for cyber attacks. Databases, where the family jewels of most organizations and the finances of most individuals are stored, are regularly compromised. And the list goes on.

  Among all these, what belongs to APT? Or is APT the sum of all of them? Does the answer to that question matter?

  http://www.javacodegeeks.com/2012/11/20-kick-ass-programming-quotes.html.

  https://agenda.weforum.org/2015/01/companies-fighting-cyber-crime/.

CHAPTER 2 Repository of Cybersecurity Knowledge and Expertise

  There is a lot of knowledge in cybersecurity, but it is scattered and difficult to pinpoint. There is no centralized repository of knowledge, a place to go to get reliable answers and total information. Cybersecurity is totally man-made. Still, nobody understands it fully. Somehow cybersecurity has become too complex for human beings to comprehend fully. Who are the “experts” quoted by the media? There are knowledgeable people, but no “experts” who know everything. Some know more or have more to offer than others, although most “experts” do not know as much as they profess to. And there are the charlatans who take advantage of the present confusion to try to make money by selling the cyber equivalent of snake oil: “Your computer may be infected, call…”

The Hackers

  General Keith Alexander, when he was head of NSA (2005–2014), made a point of attending personally the most important hackers’ meetings, i.e., Black Hat Briefings and DEF CON, because, as he told the attendees, “[they] are the best experts.”

  Hackers basically started and made cybersecurity what it is today and still drive its evolution. Hackers were the ones who showed how buffer overflows could be exploited. This is not trivial and requires quite a bit of knowledge of how computers work. Their tutorials are better than what is often taught in universities. Hackers’ meetings, like Black Hat Briefings, DEF CON, Chaos Computer Club meetings, ShmooCon, and the like are the most important conferences in cybersecurity. But they cannot be confused with scholarly events. The best talks look more like demos than academic contributions. There is a lot of banter and beer.

  Hackers made cybersecurity what it is today. Many of the best security tools were hacking tools originally. They were not originally made to protect, but to attack. Any innovation or technological advance is perceived collectively by the hackers as an invitation to use their imagination to prove that it is “hackable,” i.e., that it is possible to make it do things it was not supposed to do. So far, they have never failed.

  The community of hackers is not homogeneous. Many are not that good. But those who are good are the best experts in cybersecurity. As the famous hacker Mudge said at a hackers’ conference, they are researchers. Hackers, on the other hand, are not always the best teachers. They develop their skills far away from academia, and their goal is not to immortalize themselves in publications in peer-reviewed journals. Still, some of their publications are considered among the best sources. Some articles, like the Mudge tutorial or “Smashing the Stack for Fun and Profit” (Phrack 49), are classics. Phrack, for decades (1985–2006), was a prominent e-zine, the articles of which were written by hackers for hackers (and anybody else interested in cybersecurity). It was a very good source of information on the technical dimension of cybersecurity.

How and Where to Get Informed about the Latest in Cybersecurity

  The amount of cyber activity going on continuously on the Internet is humongous. A lot of good information is circulating in cybersecurity, but most of it stays confined to a limited community. Getting the full picture of what goes on is not possible, and getting a partial picture is time-consuming. Some services go out of their way to systematically roam the web, select the best articles of the day, and distribute them to their readers. Even reading all those preselected articles takes a lot of time.

  There is a whole ecosystem of blogs where one can find high-quality information. Some, like Bruce Schneier’s or Dancho Danchev’s, stand out, but there are far too many to be able to follow them all. Publications such as Wired tend to focus on the aspect of cybersecurity most relevant for their readership, which tends to be rather specialized. That contributes to the impression of fragmentation that cybersecurity sometimes projects.

  Large security companies like Kaspersky, Sophos, Symantec, or FireEye, to name a few, have their own publications, reports, or blogs. Unfortunately (and this is to be emphasized), the numbers they produce have to be taken with a pinch of salt or as mere orders of magnitude. In cybersecurity, there is no such thing as “good and reliable” numbers. This is not specific to cybersecurity, but it is particularly acute in that field, and that contributes to the difficulty of getting a high degree of situational awareness.

  Some companies provide real-time information and maps. Noteworthy are the Attack Maps of Arbor Networks, among others. They convey a sense of the global nature of cyber attacks as well as their dynamic nature. The fact that companies like Symantec or Kaspersky have customers all over the world allows them to deploy sensors all over the world. In a sense, they have a larger information base than a national agency, which tends to be more limited in where it can deploy sensors. Obviously, the attacks targeted against specific networks do not show in those data or maps.

  The media cover only “big events,” and in general, they do not cover them very well. Few journalists have technical depth. Too often, when they describe an attack, their description is only superficially correct. But there are subtle mistakes or imprecisions scattered around that most of the public does not notice. That helps explain why those who get informed mostly, if not only, by the media have such a poor grasp of the technical reality of cybersecurity.

The (Marginal) Role of Academia

  Academia is the repository of a lot of knowledge in many fields, but when it comes to cybersecurity, academics have been very good at progressively making themselves rather marginal. Academic conferences on that subject have progressively become less important. Rarely does an important contribution get aired there.

  Cybersecurity is not a natural academic field. Cryptography is very mathematically intensive and, as a result, favors academia. But most of the rest of cybersecurity has not found the same degree of legitimacy as an academic field. It deals too much with the minutiae of protocols and engineering details.

  Another area where academia can make a difference in cybersecurity is in the development of tools that use, much more aggressively, artificial intelligence. Many cyber-espionage incidents were made worse because the detection of the intrusion took weeks or months. When an intrusion is suspected, it does not take long for companies like Kaspersky or Mandiant to identify it and analyze it.

  Existing tools are not good at autonomous intrusion detection. What is needed is a tool able to make context-dependent determinations, i.e., displaying the cognitive ability of human beings, a kind of instantiation of a Turing machine. Clearly, what is needed is artificial intelligence with a high degree of sophistication. Developing that level of artificial intelligence requires a long and protracted research effort. Private companies (the drivers of innovation in cybersecurity) cannot easily stomach such research; hence, academia is the natural place to develop such capabilities. But academic research along those lines is, at best, anemic. Why?

  This is probably because of the natural inertia of the field seen as a community of researchers. The US National Science Foundation (NSF) has been struggling for years to develop programs in cybersecurity that make academic sense. So far, they have mostly failed. NSF has consistently funded research that did not have the potential to make a difference. But paraphrasing what Churchill said about the Americans, NSF always ends up doing the right thing, but only after having exhausted all other possibilities.

A Hacking Industry?

  Hacking skills are precious. Still, hackers—who get wealthy, honestly—are rare. There are companies who sell their hacking expertise, but they tend to operate under a veil of suspicion.

  The Italian company the Hacking Team, for example, sells tools and expertise to governments. Although it tries to project a sense of rectitude by stating a policy whereby it refuses to deal with governments that violate human rights, the reality is different. Citizen Lab (a watchdog group located within the University of Toronto) has accumulated evidence that the Hacking Team had, in fact, sold its tools to unsavory governments, such as Sudan, or helped other governments (like the Ethiopian government) in their censorship policy against journalists. “On February 12, 2014, Citizen Lab published a report documenting how journalists at the Ethiopian Satellite Television Service (ESAT) were targeted by a governmental attacker in December 2013, with what appeared to be Hacking Team’s Remote Control System (RCS) spyware. The governmental attacker may be the Ethiopian Information Network Security Agency (INSA).”

  More damning and embarrassing for the Hacking Team was the fact that they were “hacked,” and courtesy of WikiLeaks, its list of customers became public. One effect of these revelations was to inspire one member of the European Parliament, Marietje Schaake, to ask whether the Hacking Team had not violated some European laws prohibiting export of sensitive technology to countries with poor human rights records. For its defense, Hacking Team argued that they were not selling weapons, just software, and that they should be treated like “sellers of sandwiches.” Critics point out that spying and surveillance tools are not the same thing as sandwiches.

  The leak also exposed zero-day vulnerabilities that Hacking Team was keeping in reserve. Zero days can fetch tens of thousands of dollars in some markets. “Hacking Team, ironically, published a blog post on Wednesday claiming that the hacker had put everyone at risk by leaking the company’s exploits and the source code for its surveillance tools.”

  Vupen is a French information security company created in 2004 and based in Montpellier, France. Its founder, Chaouki Bekrar, and his researchers initially worked with some software vendors to patch their bugs. “But after taking $1.5 million in venture capital from 360 Capital Partners and Gant & Partners, Bekrar found that the firm could earn far more by keeping its findings under wraps and selling them at a premium.” Now, Vupen offers offensive security solutions, including “extremely sophisticated and … offensive cyber operations.” A Freedom of Information (FOI) request by government transparency site MuckRock revealed that NSA has been one of the clients of Vupen. And the German magazine Der Spiegel International reported that German authorities were clients of Vupen until September 2014.

  Vupen distinguished itself in an ambiguous way at a competition organized by Google to find security holes in its browser, Chrome, in 2012. The hackers from Vupen “declined to enter Google’s contest and instead dismantled Chrome’s security to win an HP-sponsored hackathon at the same conference. And while Google paid a $60,000 award to each of the two hackers who won its event on the condition that they tell Google every detail of their attacks and help the company fix the vulnerabilities they had used, Vupen’s chief executive and lead hacker, Chaouki Bekrar, says his company never had any intention of telling Google its secret techniques—certainly not for $60,000 in chump change.” “We wouldn’t share this with Google for even $1 million,” added Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.”

  Vupen and, in particular, its head have inspired negative comments of the kind: “Vupen is the Snooki of this industry,” says Soghoian. “They seek out publicity, and they don’t even realize that they lack all class. They’re the Jersey Shore of the exploit trade.” Google has called Bekrar an “ethically challenged opportunist.” Companies like Netragard, Endgame, Northrop Grumman, or Raytheon also sell services in cybersecurity to governments, but they do not get the same press as Vupen.

Hackers for Hire

  Hackers have unique talents that, if not used for constructive purposes, can end up being used for more nefarious purposes. Times are changing for the hacking community. “The business of hacking is no longer just the domain of intelligence agencies, international criminal gangs, shadowy political operatives, and disgruntled ‘hacktivists’ taking aim at big targets. Rather, it is an increasingly personal enterprise.” HackerOne aims at connecting hackers with companies. “We want to make it easy and rewarding for that next group of skilled hackers to have a viable career staying in defense,” said Katie Moussouris, HackerOne’s chief policy officer. “Right now, we’re on the fence …” “In the last year, HackerOne has persuaded some of the biggest names in tech—including Yahoo, Square, and Twitter—and companies you might never expect, like banks and oil companies, to work with their service. They have also convinced venture capitalists that, with billions more devices moving online and flaws inevitable in each, HackerOne has the potential to be very lucrative. HackerOne gets a 20 percent commission on top of each bounty paid through its service. About 1,500 hackers are on HackerOne’s platform. They have fixed around 9,000 bugs and received more than $3 million in bounties.”

  HackerOne competes with Bugcrowd, another start-up that charges companies an annual fee to manage their bounty programs. Facebook, Microsoft, and Google have bounty programs that, in some cases, had been run by members of HackerOne. The companies offer a bounty to whoever finds a bug or vulnerability in their software. United Airlines started its own after a security researcher tweeted about vulnerabilities in the plane’s in-flight Wi-Fi system and told the FBI that he had hijacked the plane while in flight.

  There is another kind of demand for “hackers for hire.” For example, “a man in Sweden says he will pay up to $2,000 to anyone who can break into his landlord’s website. A woman in California says she will pay $500 for someone to hack into her boyfriend’s Facebook and Gmail accounts to see if he is cheating on her.” Finding a suitable hacker for specific jobs is getting easier. Hacker’s List connects hackers with members of the general public who wish to hire one. Anonymity, privacy, confidentiality, discretion, security, protection against scam and fraud are guaranteed, as well as the talents and honesty of the hackers.

Malware as a Service

  Everything is offered “as a service”: platform as a service (PaaS), software as a service (SaaS) (not to be confused with storage as a service [SaaS]), infrastructure as a service (IaaS), communication as a service (CaaS), network as a service (NaaS), etc. All are put together under the umbrella of XaaS (anything as a service).

  Malware as a service (MaaS) is not yet officially on the XaaS list, but it has real prospects as a business model. If sending malware at competitors becomes fair game, MaaS may turn out to be a game changer in the life of business.

  “Speaking at the recent InfoSec Security Conference in London, US Federal Bureau of Investigation (FBI) agent Michael Driscoll said that the potential effects of selling ‘malware as a service’ could be ‘devastating.’”

  http://insecure.org/stf/smashstack.html.

  http://insecure.org/stf/mudge_buffer_overflow_tutorial.html.

  Mudge (Peiter Zatko), “Analytic Framework for Cyber Security,” ShmooCon presentation, 2011, https://www.youtube.com/watch?v=rDP6A5NMeA4.

  http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf.

  http://www.team-cymru.org/.

  https://www.schneier.com/.

  http://krebsonsecurity.com/.

  http://ddanchev.blogspot.com/.

  http://www.gfi.com/blog/the-best-35-information-security-blogs-to-follow/.

  Top 100+ Cyber Security blogs and infosec resources: http://ddosattackprotection.org/blog/cyber-security-blogs/.

  http://www.scmagazine.com/.

  http://thehackernews.com/.

  http://www.wired.com/.

  http://hackmageddon.com/.

  https://threatpost.com/.

  http://securelist.com/.

  http://press.kaspersky.com/.

  http://www.arbornetworks.com/resources/research/attack-map.

  http://home.mcafee.com/virusinfo/global-virus-map?ctst=1.

  https://isc.sans.edu/.

  http://www.symantec.com/deepsight-products/.

  http://people.csail.mit.edu/rivest/.

  http://www.hackingteam.it/index.php/customer-policy.

  https://citizenlab.org/2014/02/hacking-team-targeting-ethiopian-journalists/.

  https://www.bgpmon.net/how-hacking-team-helped-italian-special-operations-group-with-bgp-routing-hijack/.

  http://www.lemonde.fr/pixels/article/2015/07/10/les-logiciels-espions-sont-ils-des-armes_4678993_4408996.html#R41tIMWW0QuUxx9w.99.

  “Zero days” are software vulnerabilities which, after being discovered, were kept secret and against which security tools like antivirus (AV) do not provide any protection.

  http://www.wired.com/2015/07/hacking-team-shows-world-not-stockpile-exploits/.

  https://wikileaks.org/spyfiles/files/0/279_VUPEN-THREAD-EXPLOITS.pdf.

  Andy Greenberg, “Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees),” Forbes Magazine (April 9, 2012), http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-the-tools-to-crack-your-pc-and-get-paid-six-figure-fees/.

  Charlie Osborne, “NSA Purchased Zero-Day Exploits from French Security Firm Vupen,” ZDNet (September 18, 2013), http://www.zdnet.com/article/nsa-purchased-zero-day-exploits-from-french-security-firm-vupen/.

  “BND will Informationen über Software-Sicherheitslücken einkaufen” (“BND wants to buy information about software security vulnerabilities”), Der Spiegel (September 11, 2014), http://www.spiegel.de/spiegel/vorab/bnd-will-informationen-ueber-software-sicherheitsluecken-einkaufen-a-1001771.html.

  http://www.forbes.com/fdc/welcome_mjx.shtml.

  http://dealbook.nytimes.com/2015/01/15/need-some-espionage-done-hackers-are-for-hire-online/.

  https://hackerone.com/.

  Nicole Perlroth, “HackerOne Connects Hackers to Companies and Hopes for a Win-Win,” The New York Times (June 7, 2015), http://www.nytimes.com/2015/06/08/technology/hackerone-connects-hackers-with-companies-and-hopes-for-a-win-win.html.

  http://www.cnn.com/2015/05/17/us/fbi-hacker-flight-computer-systems/; see also https://grahamcluley.com/2015/05/security-researcher-hijacked-plane/.

  http://www.zdnet.com/article/hackers-for-hire-anonymous-quick-and-not-necessarily-illegal/.

  https://hackerslist.com/.

  http://www.computerworlduk.com/galleries/infrastructure/9-everything-as-service-xaas-companies-watch-3376134/, and http://searchcloudcomputing.techtarget.com/definition/XaaS-anything-as-a-service.

  https://www.linkedin.com/pulse/malware-service-cyber-crimes-new-industry-stuart-poole-robb and https://www.kcsgroup.com/2015/07.

CHAPTER 3 International Dimension

  For better or worse, the Internet connects literally everybody on the planet. Although originally an American invention, it is the most international structure ever built. Nobody fully controls the Internet or has the power to regulate it. It disrupts the life within nations and the relations between states in ways that nobody has anticipated or even understands fully.

  Espionage is the oldest profession in international relations, but with the Internet, it has reached a new level and almost changed in nature. It is difficult to imagine that there is still a network belonging to a government or embassy that has not been compromised. But it is a documented fact that the personnel involved in these networks do not realize it and are surprised or horrified when evidence of a breach in their network emerges.

  Conflicts, like the different wars in the Middle East or the disputes between India and Pakistan, generate cybersecurity activity. So far, they have not significantly affected the dynamic of those conflicts, but that may change if cyberspace becomes a more active battlefield in the future. Cyberspace is often referred to as the fifth domain of warfare, after land, sea, air, and space.

  No nation has yet officially recognized being behind a cyber attack, although the malware Stuxnet, for example, which sabotaged the uranium-enrichment program of Iran, has clearly been developed at the state level.

  The fact that NSA had to maintain the secrecy of that operation had unexpected consequences. When Symantec investigated the malware, it probably interfered with the attack by accident. Symantec identified two command and control (C2) servers that the malware was communicating with. In its report, Symantec explained that there were two C2 servers “in Malaysia and Denmark; they have since been redirected to prevent the attackers from controlling any compromised computers.” In the process, Symantec “sinkholed” the C2 servers, which presumably were used by NSA and/or Israel. Apparently, Symantec did not imagine that the “attackers” could be the US government. After interviewing the people at Symantec charged with investigating Stuxnet, Kim Zetter wrote in her book Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon, “By intercepting data the attackers were expecting to receive from infected machines in Iran, [the Symantec people] had possibly landed themselves smack in the middle of an international incident and also may have helped sabotage a classified mission.”

   China’s Hacking: A Major Subject of International Debate

  Every nation is clearly engaged in some level of cyber espionage, but China has the dubious distinction of being singled out as the nation doing it the most aggressively. It would be more appropriate to say that China is the nation that does it the most blatantly.

  The US government, which has at least sixteen different intelligence agencies. One could be surprised that the country which has, in NSA, the gold standard in spying, utters such a complaint. Thanks to NSA, it is safe to assume that by now China has hardly any secret left from the United States. This is not limited to China, though. It is common knowledge that when a US president meets any foreign head of state, he is given that person’s talking points in advance. China is demanding that the United States halt its “unscrupulous cyber spying.” The Chinese Foreign Ministry says China opposes hacking attacks and is itself a victim, explaining that “[it] has never sanctioned” such activity, although the opposite is documented beyond any reasonable doubt. We even know which buildings in China some attacks originate from, and sometimes even the names of the people behind them. The security company Mandiant produced a report detailing how a unit within the People’s Liberation Army (Unit 61398) “ran a formidable hacking and espionage operation against foreign entities out of a building on the outskirts of Shanghai.”

  The problem is with industrial espionage. There is an etiquette in espionage: state secrets are fair game, but industrial espionage is not. And importantly, there is one asymmetry the US government cannot do much about: there is far more to learn, in technology and otherwise, from the United States than there is from China.

  Who can stop Chinese hackers from pilfering technological information from the cyber-hapless US military industrial complex? What are the odds that China will voluntarily refrain from doing something that serves its interests?

  There is a controversial idea that is sometimes mentioned: giving US companies an official green light to “hack back.” But what would that accomplish if there is not much to learn? At that game, their technological inferiority gives the Chinese a strategic advantage.

  Level of Sophistication of the Attacks

  One conspicuous feature of China’s espionage is that the level of sophistication of the attacks varies considerably. They can be quite sophisticated, but they can be quite the opposite as well. One implication seems to be that those who carry out the attacks on behalf of the government of China have very different levels of skill (i.e., China is drawing from a large pool of talent). Another observation is that the level of sophistication does not need to be high for an attack to be quite successful.

  done with not-so-sophisticated means. An old piece of malware (called GhostRat) was used. It was introduced into targeted networks by social engineering (i.e., by inducing somebody to open an e-mail attachment). Once inside the network, the malware would spy on e-mail and other communications, log keystrokes, trigger the webcam, exfiltrate documents, etc. It would send its loot to servers scattered around the world but clearly under Chinese control.

  GhostRat had been around for years (GhostNet was discovered in 2008, while GhostRat exploited a vulnerability recorded in 2006, CVE-2006-2492). The reason GhostNet was not detected earlier was that GhostRat had been slightly modified to evade detection by the major antivirus products.

  The mechanism by which GhostNet was eventually discovered was when compromised. He was put in contact with a group of researchers at the Munk They came to Dharamsala and, using a honeypot, gathered information on the traffic for analysis back home in Toronto.

  They established that the malware GhostRat was present. GhostRat was sending information to a variety of servers, and that information was eventually forwarded to China. By monitoring the traffic of the servers GhostRat was programmed to talk to, they discovered that a large number of high-value networks scattered across 103 countries had also been compromised. These included embassies, economic and financial institutions, etc. Apparently, none of them had realized that their networks had been compromised. They learned it (the hard way?) by reading the report entitled
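The traffic-monitoring step described in that paragraph, reduced to a small defender-side check, as an added example that is not the book’s code nor that of the GhostNet investigators: given flow records from a network sensor, it flags every internal host that contacts a known C2 address, measures how regular those contacts are (a remote-access tool waiting for instructions tends to check in on a fixed schedule), and groups the flagged hosts by the organisation their subnet belongs to, which is how one victim’s traffic reveals other compromised networks. The C2 addresses, subnets, organisation names and sample flows are all constructed placeholders, not GhostNet infrastructure.

```python
"""Flag hosts that beacon to known command-and-control (C2) servers.

Added example (not code from the book or from the GhostNet investigation).
All addresses, subnets and flow records below are constructed.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed C2 addresses (TEST-NET ranges, not real infrastructure).
KNOWN_C2 = {"203.0.113.7", "198.51.100.23"}

# Constructed mapping from victim subnets to the organisation behind them.
NETWORKS = {
    ip_network("10.2.0.0/16"): "embassy-A",
    ip_network("10.7.0.0/16"): "ministry-B",
    ip_network("10.9.0.0/16"): "bank-C",
}

# One flow record per line: timestamp, source, destination, port, bytes.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flow(line: str) -> dict | None:
    """Parse one flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "bytes": int(m["bytes"]),
    }


def organisation_of(host: str) -> str:
    """Map a source address to its organisation, or 'unknown'."""
    addr = ip_address(host)
    for net, name in NETWORKS.items():
        if addr in net:
            return name
    return "unknown"


def find_c2_contacts(lines, c2_hosts=KNOWN_C2):
    """Return, per source host contacting a C2 address, the C2 set, the
    contact count, the jitter (std. dev. of inter-contact gaps, seconds)
    and whether the pattern looks like machine-driven beaconing."""
    contacts = defaultdict(list)
    for line in lines:
        flow = parse_flow(line)
        if flow and flow["dst"] in c2_hosts:
            contacts[flow["src"]].append(flow)
    report = {}
    for src, flows in contacts.items():
        times = sorted(f["ts"].timestamp() for f in flows)
        gaps = [b - a for a, b in zip(times, times[1:])]
        jitter = statistics.pstdev(gaps) if len(gaps) > 1 else 0.0
        # Three or more contacts at near-constant intervals: a scheduled check-in.
        beaconing = len(gaps) >= 2 and jitter <= 0.05 * statistics.mean(gaps)
        report[src] = {
            "c2": {f["dst"] for f in flows},
            "count": len(flows),
            "jitter": jitter,
            "beaconing": beaconing,
        }
    return report


def compromised_organisations(report) -> dict[str, list[str]]:
    """Group flagged hosts by the organisation their subnet belongs to."""
    groups = defaultdict(list)
    for src in sorted(report):
        groups[organisation_of(src)].append(src)
    return dict(groups)


# Constructed sample flows: one host checks in every 300 s, one makes a
# single contact, the rest is ordinary traffic to a public web server.
SAMPLE_FLOWS = [
    "2008-09-12T10:00:00Z src=10.2.0.14 dst=203.0.113.7 dport=443 bytes=312",
    "2008-09-12T10:00:07Z src=10.2.0.14 dst=192.0.2.80 dport=80 bytes=15830",
    "2008-09-12T10:05:00Z src=10.2.0.14 dst=203.0.113.7 dport=443 bytes=308",
    "2008-09-12T10:10:00Z src=10.2.0.14 dst=203.0.113.7 dport=443 bytes=315",
    "2008-09-12T10:15:00Z src=10.2.0.14 dst=203.0.113.7 dport=443 bytes=310",
    "2008-09-12T10:11:41Z src=10.9.3.2 dst=198.51.100.23 dport=443 bytes=2048",
    "2008-09-12T10:12:05Z src=10.7.1.9 dst=192.0.2.80 dport=80 bytes=9021",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    rep = find_c2_contacts(SAMPLE_FLOWS)
    for src, info in rep.items():
        print(f"{src:12} -> {sorted(info['c2'])} contacts={info['count']} "
              f"jitter={info['jitter']:.1f}s beaconing={info['beaconing']}")
    print("compromised organisations:", compromised_organisations(rep))
```

In practice the list of C2 addresses comes from the honeypot or sandbox analysis of the sample, and the flow records come from the sensor placed at the edge of the monitored network or, as in the investigation above, from the C2 servers’ own traffic; the grouping step is what turns one victim’s evidence into a list of other organisations to notify.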

  Red October

  If the GhostNet campaign did not impress by its sophistication, the also-Chinese Red October campaign, discovered by the security company Kaspersky, left a different impression.

  Both attacks had a lot in common. In both cases, the goal was cyber espionage. In both cases, the victims had a wide geographical distribution. In both cases, the attack started with some form of social engineering; in the case of Red October, it was “spear phishing.” One impressive feature of Red October was “a module [in the malware], which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system [in case the attack is detected and the malware eradicated].” It took a long time before Red October was detected in 2012. It is estimated that the campaign started i

  And Red October changed with time. In particular, it gathered information about the compromised networks, such as their security checks, which could be used in future attacks. That illustrates an additional danger of not detecting attacks early.

  The infrastructure of servers used for command and control (C&C) by Red October also impressed Kaspersky. By the time Red October was discovered, its C&C system could resist takeover: if need be, the attacker could regain access to infected machines through alternative communication channels. The structure of the C&C system reminded Kaspersky Lab of the Flame malware.

  Flame is one of the most sophisticated pieces of malware ever produced. It infected computers mostly in the Middle East. Its target set (Iran, Saudi Arabia, and other Middle Eastern countries) and its similarity to the malware Stuxnet and Duqu point to NSA as the probable author of Flame.

  The similarity between the Flame C&C and the Red October C&C is intriguing. Flame became active in February 2010 and was discovered in 2012. If the Flame C&C system was designed by authors different from those of Red October, and considering that Red October was discovered in the fall of 2012 after five years of activity, that suggests the Red October people had analyzed how Flame works years before its official discovery in spring 2012 and modified the architecture of their C&C system accordingly. In other words, somehow they knew about that malware years before the rest of the world did. The assumed authors of Red October are Chinese, but according to Kaspersky, China was not a target of Flame. So how did the Chinese learn about Flame?

  China and Cyber War

  Another conspicuous feature of China’s cyber posture is its relative openness on subjects like cyber war. China is not known for openness when it comes to the Internet. It tries to control the traffic in and out of its network with the so-called Great Firewall of China. But the military use of cyberspace has been a subject of public strategic debate since 1999, when two colonels of the People’s Liberation Army, Qiao Liang and Wang

  Similarly, China makes no secret of the fact that it is building a cyber army. Combined with all the allegations of Chinese spying and of stealing information on secret projects like the F-35 fighter, China has managed to project the image of a nation aggressively engaged in understanding how cyberspace changes the security equation, to the point of inspiring fear.

Russia

  Churchill famously said that Russia “is a riddle wrapped in a mystery inside an enigma.” To a certain extent, that also applies when it comes to cybersecurity. In fact, the way Russia is described in the 2015 DoD cyber strategy says something similar: “Russian actors are stealthy in their cyber tradecraft, and their intentions are sometimes difficult to discern, especially compared with China, Iran, or North Korea.”

  On paper, Russia is a leader in cybersecurity. Probably more malware has come from Russia than from the rest of the world combined. The proportion of hackers in Russia who are cyber criminals is larger than in the United

  is to read and understand Russia. The best security company in the world (Kaspersky) is headquartered in Russia.

  The common explanation for that state of affairs is that the Soviet system may have been an economic failure, but it produced first-class computer scientists. Many of them found in cybersecurity a way to make a living after the fall of the Soviet regime.

  With that kind of pedigree, Russia could be a giant in cybersecurity. But concretely, what has Russia as a nation done with all these cyber resources? There was the distributed denial-of-service (DDoS) attack on Estonia in