Friday, June 17, 2011

Cyber Warfare, Hacking, and You

June 17, 2011, 12:06 p.m.; with added critique June 18, 2011, 8:30 a.m., and June 19, 2011, 9:15 p.m.

[NOTE, June 18: Since posting this blog entry, I requested and received a critique from someone with more inside knowledge than I possess. (She/he wishes to remain unidentified.) Excerpts from her/his comments have now been embedded throughout the blog entry -- within brackets, quotes, and in this font.

It might have been less embarrassing to simply revise what I had written, but I have almost always been more interested in letting curiosity propel inquiry wherever it may lead than in being "proven right." Besides, it's both more honest and also more interesting reading to share with you both my text and the critique as written.]

A Primer

The hacker community -- Lulz Security and Anonymous, among others -- has had a good couple of weeks.
["Your first error is in referring to 'the hacking community.' There isn't one. Non-hackers tend to view hackers as a community due to the fact we have shared technical skills and some grossly similar social features. The reality is that if the 'hacking community' exists, it's an anarchist mob that's defined by temporary alliances, shifting loyalties, cults of personality and people whose fads have briefly aligned. Enduring long-term associations and friendships do exist, but they're much more rare than people think. We generally do not socialize very much outside our circles. Our few social mavens are rare birds, and prized for their abilities to make magic happen just by putting the right people together and standing well clear of the result.

"The 'hacking community,' to the extent it exists at all, is more a pool of diverse skills, philosophies and capabilities, which self-organizes in response to events. Consider the Iranian protests of a few months ago: there were contingents of pro-democracy hackers who were putting together anonymous relays to help get a trickle of uncensored communications into/from Iran, there were contingents of pro-regime hackers who were trying to shut down the pro-democracy types, and there were even jackasses who were exploiting the entire thing for juvenile sophomoric jokes ('the lulz'). Take any significant, serious event in the world and the 'hacking community' will within hours develop at least three or four responses to it, many of which are in open conflict with the others."]
Their targets have ranged from PBS and Sony to Citibank and Lockheed, Google, the IMF, the CIA, the FBI, the White House and the U.S. Senate.

It has not been without cost. On Sunday [June 12] Turkish police detained 32 members of the Anonymous cyberactivism collective on suspicion of planning attacks on a number of websites, after Anonymous took down the website of Turkey's Directorate of Telecommunications. And Spanish authorities arrested three of the Anons two days earlier on suspicion of organizing the cyber attacks against Sony, banks and governments.
["Second, the Turkish police didn't arrest 32 members of the Anonymous collective. There is no collective. It isn't as if these people carry membership cards and hang out in a clubhouse. Even the most hardcore Anonymouser wouldn't consider herself to be a 'member of Anonymous' or a 'part of Anonymous'. She might say that she /is/ Anonymous, which means she has adopted their political platform and is an autonomous agent spontaneously organizing with other like-minded people to perform acts.

"The hacking community, as it were, is *radically decentralized* -- decentralized to such a degree that most people can't imagine it functions at all. (And hackers grit our teeth and mumble, 'well, now that you mention it, it really *doesn't*.') It would be more accurate to say the Turks arrested 32 people who they allege have acted in concert under the banner of Anonymous -- but in the same breath you should say there is no guarantee these 32 people represented the beliefs of Anonymous as a whole, *because there is no such whole*.

"Compare to, e.g., if you said the Turkish police arrested 32 people from the freedom of religion collective. There really is no 'freedom of religion collective': freedom of religion is a philosophy which has many adherents, most practitioners of which want to murder the others who are believing in the wrong god and using their freedom poorly.

"And that's exactly what Anonymous is. Anonymous is a philosophical banner beneath which different people self-organize to perform acts in accordance with the ideals of Anonymous (to the extent it has any, and the jury's still out on that). What are the ideals of Anonymous? Well, Anonymous has been in a constant state of civil war in order to determine just that...
[[My source subsequently [June 19] provided me with additional evidence of his/her judgment that "the hacker 'community' [is caught up in] fractious, internecine conflict, cults of personality, fads, etc. Case in point. LulzSec and Anonymous are, as near as I can tell, identical in philosophy, goals and methods, and yet they're still engaged in a hatefest." She/he cites Matthew Lynley, "Hit the deck: LulzSec and Anonymous start trading blows," VentureBeat, June 15, 2011 ("Hacker group LulzSec has begun publicly attacking hacker group Anonymous, an action that could lead to a civil war of sorts between the two hacker groups that have similar origins.").]]
"The associations within a freedom-of-religion-collective would be rather permanent: people rarely wake up one day and decide, 'today I think I'll be a Buddhist.' The associations within Anonymous are in a constant state of flux as internal power battles play out."]
The Internet has grown faster than kudzu; in fact, it is the largest and fastest-growing anything in the history of the world -- and there's nobody in charge. If a part of the backbone goes down, the traffic routes itself around it and follows another path. That was a deliberate part of the Defense Department's plan in creating the Internet's predecessors: it wanted a communications system that could not be knocked out with a single bomb on "headquarters."
["Third, the DoD did not plan for the internet to survive nuclear strikes. Urban myth. The DoD didn't want the internet at all. The DoD was, through the Advanced Research Projects Agency, funding a lot of different scientists in a lot of different places. These scientists said, 'hey, can we spend some of our research grants to build a better way for us to collaborate?' ARPA said yes. In those days communication channels were unreliable and expensive, so ARPA's scientists developed a network that could work even if large parts of it went down. The rest, as they say, is history. The DoD has never trusted the internet to handle national-defense data: rather than trust the internet, DoD much prefers to trust MILNET (its own version of the internet)."]
Whether the global hacking community deliberately modeled its organizational structure and governance on that of the Internet, or did so as a matter of necessity, it is equally resilient. Whatever may happen to the 32 in Turkey and the three in Spain, the organizations and the hacking by their members will continue.

What's going on is serious enough that, without getting into the jargon and details of hacking techniques, each of us needs to have at least some basic understanding of what's happening. And that understanding requires that we recognize the enormous variation in the sophistication of hackers' techniques, their motives, and the consequences of their actions.

Let's consider these variations in turn.

Sophistication of techniques.

It helps to begin with the variations in sophistication of those doing mischief in what the cyberati refer to as the "brick and mortar" world in which the rest of us live. Consider the range. A burglar may see three days of newspapers in a driveway with no cars in sight, try each of the exterior doors, find one that opens (or a key under the door mat), walk in and walk out with the new HD wall screen TV. A company's bookkeeper or accountant may design accounts and transactions that can cover for years their embezzlement of thousands of dollars. Art thieves may figure out how to disable, or otherwise get around, heat sensors, motion detectors, and video cameras, to make off with a multi-million-dollar painting. Or our military may design fighter planes that fly with no pilots, send video recordings thousands of miles back to control centers, and fire missiles at designated targets.

Just as there is unsophisticated brick-and-mortar crime, there is also unsophisticated virtual-world, electronic crime. It doesn't require much sophistication to find a credit card in the parking lot of a big box store, pick it up, and use it to make some purchases there. It doesn't require much more to get into a computer network if an employee's user name and password are displayed on a Post-It note stuck to the monitor's screen. Information that ought to have been encrypted, and kept behind more than one firewall, may have been inadvertently left on a public Web site or made equally vulnerable. In fact, an awful lot of what's characterized as "hacking" involves little more than asking -- a current, or former, employee may provide the necessary information, perhaps even one who designed the security system. The credit card information may be obtained from a receipt found in a dumpster. A hidden camera may record users' ATM PIN keystrokes.

A Google search for "denial of service attack tools" (software) produces nearly a million hits. Some of what LulzSec and Anonymous members have been doing involves denial of service attacks. They send so many requests to a Web site that its servers slow down or stop, preventing legitimate users from gaining access. Such attacks are a nuisance, a big nuisance, but they need not do any harm to infrastructure or physical property, and do not provide the attacker access to the contents of the site, or its network. It's something experienced teenagers can do, if so inclined.

Similarly, while designing malicious software programs may require some sophistication, getting them onto a computer inside a secure location may involve little more than putting them on a thumb drive, leaving it in the building's parking lot, and hoping some employee will find it, put it in their computer to see what's on it, and thereby unwittingly load the hidden software onto the institution's "secure" computer network.

At the other extreme, what has been described as "the most sophisticated cyberweapon ever deployed," a complex computer program called "Stuxnet," is suspected to have been the creation of some of the most brilliant computer programmers in the West. It was specifically designed to attack the centrifuges in Iran's weapons-grade uranium facility, causing them to spin at speeds ultimately producing their self-destruction. This destruction, under the watchful eyes of Iran's trained scientists, was made possible by the program's additional ability to simultaneously take over the recording and reporting facilities, which continued to display to the facility's guardians that everything was operating normally when it was not.

This is the kind of sophisticated attack that could be waged by an enemy against our infrastructure, such as the electric grid -- turning off traffic lights as well as house lights, shutting down air traffic control, the stock market, banks and financial transactions, turning off the natural gas and gasoline pipelines and filling stations' gas pumps, and so forth. Except, of course, such a strike would be far, far easier than what Stuxnet was designed to do -- and accomplished.
["Fourth, under 'Sophistication of techniques,' you should also put 'velocity' of techniques. If a particular criminal offense nets you only $0.001 per attempt it's clearly more worthwhile to you to flip burgers at McDonald's. If you can do a million attempts per second, though, you're now raking in $1000 /per second/ and you're going to be sipping mai-tais on a beach somewhere. Network crime doesn't have to be particularly efficient or effective, because the network allows you to do so damn much of it.

"Velocity -- the ability to scale up your efforts -- is a big deal. One real mark of sophistication is velocity. A well-designed computer virus can infect 95% of all susceptible computers on the internet in about fifteen minutes. Quite often, by the time you know you're under attack it's too late and you've already lost. Against an unsophisticated teenager, reactive security measures work pretty well. Against a sophisticated operator, reactive security measures are pretty much useless."]
Could it happen? It could, according to the Director of the CIA, soon to be Secretary of Defense, Leon Panetta, who told Congress last week, "The next Pearl Harbor we confront could very well be a cyber attack that cripples our power systems, our grid, our security systems, our financial systems, our governmental systems."


The motives of hackers vary as much as the sophistication of their methods.

Some attacks, like Stuxnet, appear to be acts against one nation by another -- in that case literally, the history shows, an alternative to dropping bunker buster bombs on the facility (an option considered and rejected).

The Defense Department has recently declared that when a cyber attack on U.S. infrastructure, or defense installations, can be traced to another nation's government, it will be considered an act of war justifying our response with conventional military weaponry.
["Fifth, under 'Motives,' you're misquoting DoD badly. DoD has never said cyberattack *will* be considered an act of war. DoD has said that *depending on the consequences, it could be considered* an act of war. This is a pretty sensible policy. Your other points are quite accurate, though.

[[NJ: For more on the content, context, and challenges of this DOD declaration, see David E. Sanger and Elisabeth Bumiller, "Pentagon to Consider Cyberattacks Acts of War," New York Times, June 1, 2011, p. A10.]]

"Further, under 'Motives' you declare the hack of PBS was a protest about how they handled a Wikileaks story. The question becomes, why are you taking felons at their word for why they're committing their offenses? I suspect the real motive was because PBS is high profile and gets noticed -- the motive the attackers gave is just a rationalization and/or public-relations theory. 'We're engaged in political protest!' goes over in the public eye a lot better than 'we did it all for the lulz!'"]
There are a number of problems with this declaration. (1) Since our government is engaged in cyber attacks on other countries, presumably those countries could rationally justify dropping bombs on the United States. (2) It is often very difficult to know where cyber attacks are coming from. (3) Many involve multiple global operatives. For example, the computer theft of $10 million from banks was run out of 49 cities on multiple continents. (4) When a single country can be identified beyond a reasonable doubt, it's still not clear who is behind the attack: that country's government, its organized crime operatives, or just its precocious teenagers. If our government cannot know, let alone control, everything our mafia and teenage cyber gangs are up to, it's neither reasonable nor fair to expect that other countries are able to control what their criminals and teens do. (5) Indeed, a country ("country A") intent on harming another ("country B") could fairly easily construct a cyber attack on the U.S. in such a way as to make it appear that the attack on the U.S. came from country B, thereby causing the U.S. to launch a retaliatory attack on country B rather than country A. There are many potential examples, such as Pakistan and India, Israel and Palestine, North Korea and South Korea.

Shy of the devastation brought on by cyber warriors are the individuals engaged in serious, organized crime -- mass scale identity and credit card theft and resale, or movements of money (including that of banks and their clients).

Then there are those who do a little of the former, but are mostly just up to devilment -- a form of electronic vandalism. For example, the hack of PBS was a protest against a Frontline program about Wikileaks.

For those just beginning hacking -- eight of the Turkish 32 were minors -- hacking is often little more than a challenge, a hobby, and a way to earn the respect of one's hacking contemporaries and elders.

(Of course, there are also the white hats: those who are hired by the hacked company to try to break in, to test the adequacy of the company's security measures.)


The consequences can vary from unsuccessful and unnoticed attempts at unauthorized entry, to little more than a minor nuisance (denial of service attacks), to taking over personal computers and using them to circulate harmful viruses or other malware, loss of national security secrets, or closing down vital infrastructure (such as the electric power grid).

Any unauthorized impact on a computer is something we need to know about and try to prevent. All are, not incidentally, already illegal. But in our efforts at prevention and enforcement it's important for us to be able to distinguish between that which could bring down our country's infrastructure, and that which is kids' play.
["Sixth, under 'Consequences': it is not strictly speaking necessarily illegal for someone to attempt to exceed their granted authority to a system (although a naive reading of the Computer Fraud and Abuse Act could make one think otherwise). C.f. the Lori Drew case, where Drew was accused of violating CFAA because she violated a website's terms of service. The government's rationale was the ToS was the grant of authority, she violated the ToS, therefore she exceeded her authority and violated CFAA. The judge in the case threw out Drew's conviction."]
Obviously, if the computer systems of governments and major corporations are vulnerable, so are yours and mine. What can we do to protect ourselves?


There is probably little or nothing we can do to protect ourselves from the kind of sophisticated attack that could be imagined and implemented by hackers with the skills of those able to create something like the Stuxnet worm. Fortunately, such individuals are few and far between and those that exist are not likely to waste their professional time trying to read our Microsoft Word documents.
["Seventh, under 'Self-defense.' When you say there is little to nothing regular people can do to defend themselves against serious attackers, you're being both too optimistic and too pessimistic. A very important concept is *target specificity*. If a highly trained cyberwarfare operator with a few years of dirty tricks experience decides to target you, and you specifically, then there is literally nothing you can do about it -- not even unplugging your PC will work, since so many of the vital records in your life exist on computer systems beyond your control. At the same time, though, if you are not a specific target, there's a lot you can do. Keep a well-honed sense of skepticism. Check with your OS vendor regularly for security updates. Don't open random things people send you in email. Browse the Web with Firefox or Google, and not Internet Explorer. Etc., etc. There's not much you can do about a bullet with your name on it, but there's a /lot/ you can do about all the hot lead flying around addressed 'To Whom It May Concern.'"]
But there are a good many basic and obvious things we can do to protect ourselves from the electronic devilment, vandalism, and theft to which we may be vulnerable. Use common sense (and a locking cable) to prevent theft of the entire laptop. Create more complex passwords than "password." Don't write user names and passwords on paper kept within easy access from the laptop. Use encryption for documents that warrant it. Get good quality virus protection software and keep it up to date. If you have a home Wi-Fi signal others could access, make it a locked, password protected signal.

And while we're at it, recall the observation that every hard drive will, someday, crash; we just don't know when. So make regular backups (or offloads) of any documents you care about onto an external hard drive (or two; one stored somewhere away from home or office). That way, if the laptop self-destructs from an attack, is lost or stolen, or is otherwise destroyed (or the time comes for your hard drive to crash) you will at least have retained the computer's contents -- which may be much more valuable to you than the computer itself.

I will close with one final observation regarding the extent to which we, and our friends, are our own worst enemies when it comes to protecting our privacy and identity. Most of the privacy and identity we have "lost" we have willingly given away in exchange for what we've perceived as benefits.

The credit card company knows what cities and stores we have been in, at what hour of what days, what we purchased and what we paid. The bank has all our loan and checking account records (legally considered their records, not ours). It knows where and when we've visited ATMs, and how much cash we withdrew. Our cell phone carrier knows where we've been, and when, whom we've called, and how long we've talked. The airlines know where we've flown and when. Some have as well our Social Security numbers, birthday, address and phone numbers.

They haven't hacked or otherwise stolen this information from us. We've voluntarily given it to them. We believe that the use of checks, credit cards, ATMs, cell phones and airlines is well worth the loss of privacy.

What we may not be aware of is that the Supreme Court says once we voluntarily give information about ourselves to third parties, (a) we no longer have a "reasonable expectation of privacy" with regard to that information, and (b) the third parties are free to hand it over to law enforcement, or others, without letting us know they have done so. And the government has not violated our Fourth Amendment rights to be protected from governmental "search or seizure" if it was third parties, rather than the government, that obtained the information in the first place and simply handed it over to the government when asked.

Walt Kelly, the creator of the comic strip character Pogo, once had him say, in the context of environmental issues, “We have found the enemy, and he is us.” So it is with our loss of privacy. Much of the problem is not that George Orwell’s 1984 Big Brother is watching us (and digging through our trash, as the FBI is now permitted to do without a warrant).

The problem is that we and our Facebook friends are the “enemy,” watching us, recording us, photographing and videoing us, writing and commenting about us, circulating all of the above, and filing it all away, in public (on Facebook; and on Facebook’s servers forever), where Big Brother can come and just download it all. The government can then include and save it with all the other databases that include records and information about us (school, medical, military, vehicle and criminal, credit card, bank, real estate, etc.). It can then “data mine” all of this information to its black heart’s content. Facebook's latest invasion -- face recognition, plus "tagging" of individuals in photos -- added to the rest, now makes potentially available to the FBI, CIA and NSA everything a criminal record would contain but our fingerprints. (And with fingerprint ID gaining in popularity for check cashing and door opening, they may soon have that as well.)

If none of this bothers you, if it's worth the services you get in return, fine. No problem. Just make sure it's really what you want.

It is a whole new jumbled jungle of two worlds out there. One is a virtual world of blue smoke, reflective mirrors, electrons and no parachutes. The other is a world of crumbling brick and mortar. Both offer wonderful opportunities from which we benefit. Both also present risks which we ignore at our peril.

Have a nice day.

# # #

1 comment:

Nick said...

Notice Regarding Advertising: This blog runs an open comments section. All comments related to blog entries have (so far) remained posted, regardless of how critical. Although I would prefer that those posting comments identify themselves, anonymous comments are also accepted.

The only limitation is that comments unrelated to the essay, such as advertising posing as comments, will be removed. That is why one or more of the comments posted on this blog entry are no longer here.
-- Nick