Cybersecurity and Cyberwar

Authors: Peter W. Singer, Allan Friedman

The good news is that there are only three things you can do to a computer: steal its data, misuse credentials, and hijack resources. Unfortunately, our dependence on information systems means that a skilled actor could wreak a lot of damage by doing any one of those. Stolen data can reveal the strategic plans of a country or undermine the competitiveness of an entire industry. Stolen credentials can give the ability to change or destroy code and data, changing payrolls or opening up dams, as well as the ability to cover tracks. Hijacking resources can prevent a company from reaching customers or deny an army the ability to communicate.

In the end, there are many things that can happen, but they have to be caused by someone. Threats should be assessed by understanding potential bad actors, what they are trying to do, and why.

And you shouldn't need to fly all the way to Idaho to learn that.

One Phish, Two Phish, Red Phish, Cyber Phish: What Are Vulnerabilities?

In 2011, London police confronted a mysterious and unusual spike in car thefts. The odd thing wasn't just that so many cars were being stolen, over 300 in all, but that the cars were all of a particular brand, new BMWs. And, second, the thieves were somehow stealing hundreds of cars equipped with some of the most advanced car security systems in the world, without activating the alarms.

What the police soon figured out by watching hidden security camera footage of the thieves in action was that the robbers had figured out how to use the car's advanced technology against itself. First, they used radio frequency jammers to block the signal of a car's electronic key. Instead of the car owner locking the doors as they walked away, the doors would remain unlocked. Once in the car, the thief would then plug into the OBD-II connector (the electronic port that mechanics use to diagnose your car's problems) and then use that to obtain the car's unique key fob digital ID. Next, the thief would reprogram a blank electronic key to correspond with the car's ID. Then they simply drove away, with the owner of the advanced luxury car none the wiser. It all took only a few minutes. These vulnerabilities led to so many thefts that police resorted to leaving paper leaflets on all BMWs parked in London warning them of the danger.

The case of the lost luxury cars is a good illustration of how building a complex system can create new openings and hidden vulnerabilities that bad guys can try to exploit. Different vulnerabilities allow an attacker to achieve different goals. In some cases, it might be the ability to read confidential data. Or the goal could be the ultimate prize—compromise of the entire system. When the attacker has such “root access,” the ability to execute any command, the victim is completely vulnerable, or what hackers call “pwned.” (An apocryphal story is that a hacker meant to type that a target was now “owned.” But he typed too fast, mistakenly hit the p key right next to the o, and a cool term was born.)

Often the easiest way to gain control of the system is simply to ask. A time-honored tradition for breaking into systems from hacking's early days is to call up a low-level employee, claim to be from technical support, and ask for the person's password. This falls into the category of what is known as “social engineering,” manipulating people into revealing confidential information and thereby helping the attacker. The manipulation can take many forms, often with the attacker trying to set up a scenario designed to encourage cooperation through psychological mechanisms. Fear is a powerful motivator. When a user's computer displays a message threatening to expose activities on a pornographic website, fear of exposure can motivate payment. More often, however, users just follow social cues. In our daily lives, we regularly encounter problems that need fixing, like a program that won't close until you just “click here,” or people who need our help, like your Aunt Suzy who somehow got robbed in Iceland and needs you to wire her money via Bangkok.

A particularly common form of social engineering is the “phishing” attack. Phishing e-mails look like official e-mails from the victim's bank, employer, or some other trusted entity. They claim to require some action by the victim, perhaps to correct an account error or see a message on Facebook, and fool victims into visiting a web page where they are asked to enter their credentials. If the victim enters his or her account details, the attacker can now do anything with that information, from transfer money to read confidential e-mails. The phony credentials web page may have a URL that looks similar to the authentic one. If you don't look closely, maybe www.paypai.com looks like www.paypal.com. In sophisticated phishing attacks, the fake page may also actually log the user into the real website to minimize the chance of detection.
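The www.paypai.com example above is the kind of look-alike a mail gateway or browser extension can screen for before a user clicks. The following Python function is an added illustration, not code from the book or its authors: it reduces the registrable part of a link's hostname to a "skeleton" in which visually confusable characters are unified, compares it against a protected-domain list, and also flags a trusted name that has been buried as a subdomain of something else. The trusted-domain list and the confusable-character table are constructed for the example, and the registrable-domain helper assumes the last two labels form the registrable domain (a real deployment would consult the Public Suffix List).

```python
from urllib.parse import urlsplit

# Constructed list of domains the defender wants to protect (not from the book).
TRUSTED = ["paypal.com", "example-bank.com"]

# Characters and digraphs that look alike in common fonts. Each key is rewritten
# to its value so that visually similar names collapse to the same "skeleton".
# Constructed for the example; a production table would be far longer.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"}


def skeleton(label):
    """Collapse a domain label to a string in which look-alike characters are unified."""
    s = label.lower()
    for src, dst in CONFUSABLES.items():  # digraphs are listed first, so they are replaced first
        s = s.replace(src, dst)
    return s


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca with cb
        prev = cur
    return prev[-1]


def registrable_domain(host):
    # Assumption: the last two labels are the registrable domain. Real tooling
    # should use the Public Suffix List so that co.uk-style suffixes work too.
    return ".".join(host.split(".")[-2:])


def classify(url):
    """Return (verdict, domain): the verdict is one of trusted, lookalike, embedded, unrelated."""
    host = (urlsplit(url).hostname or "").lower()
    dom = registrable_domain(host)
    if dom in TRUSTED:
        return ("trusted", dom)
    sld = dom.split(".")[0]
    for t in TRUSTED:
        t_sld = t.split(".")[0]
        # Either the confusable-collapsed names coincide (paypai -> paypal) or the
        # raw names are a single typo apart.
        if skeleton(sld) == skeleton(t_sld) or edit_distance(sld, t_sld) <= 1:
            return ("lookalike", t)
    for t in TRUSTED:
        if t in host:  # trusted name used as a subdomain of an unrelated domain
            return ("embedded", t)
    return ("unrelated", dom)


if __name__ == "__main__":
    for link in ["https://www.paypal.com/signin", "http://www.paypai.com/login",
                 "http://paypal.com.account-verify.example/", "https://docs.python.org/"]:
        print(link, "->", classify(link))
```

The "embedded" verdict matters because a registrable-domain check alone passes paypal.com.account-verify.example as an unrelated site; the trusted name is only a subdomain there, which is exactly what a reader skimming the left end of the URL is meant to miss.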

One of the most challenging subsets of these “phishing” attacks is known as “spear phishing.” These target not just networks but key individuals inside those networks. It's the difference between you, along with scores of other people, receiving an e-mail from that kind Nigerian prince who just needs your bank account information, versus receiving an e-mail that looks exactly like it's from your mother. This is a good illustration of the difference between the automated and targeted threats you read about in the last section. Such specialized attacks require prior intelligence gathering to figure out how to trick a particular person and are mostly reserved for prime targets.

Attackers also prey on systems that have ignored basic precautions, such as products that have default login names and passwords, which users often forget to change. Most home wireless routers have default passwords that a shocking number of users leave in place. Find the right one and it is easy to steal a neighbor's Wi-Fi and eavesdrop on their conversations. This kind of vulnerability can also be created by product manufacturers that don't prioritize security enough or fail to factor in the likely human errors and even laziness of their customers. For instance, Microsoft's database product MS-SQL 2005 shipped without an administrator password, so that any user could control the entire database until an admin password was set. Other situations involve systems that have features that may be convenient but represent real security vulnerabilities, like that of the BMW remote access keys.

Applications can also create vulnerabilities if they are misconfigured. In one study, researchers at Dartmouth searched peer-to-peer file-sharing services, where users share specific files from their own computers with others, usually entertainment files like movies or TV shows. Because of misconfigured settings, in addition to users sharing episodes of Game of Thrones, a large number also had unintentionally shared personal bank statements and tax documents. A similar study found that large financial institutions were unintentionally leaking highly sensitive internal documents through misconfigured applications.

Another vector is mistakes in the systems themselves—software vulnerabilities—that are exploited by more advanced attackers. It is practically impossible to build a modern IT system without some hidden vulnerabilities waiting to be discovered. Modern operating systems have millions of lines of code and have hundreds of subcomponents that interact. An attacker's goal is to find some chink in the armor of this code, where the system does not behave precisely as designed, and exploit that weakness. An attack that exploits a previously unknown vulnerability is known as a “zero day.” The term comes from the notion that the attack takes place on the zeroth day of the rest of the world's awareness of the vulnerability, and thus before a patch to fix it can be implemented.

There are different types of vulnerabilities with different ways of exploiting them, but a common approach is to find some way of tricking the victim's computer into executing the attacker's commands rather than the intended program's. A key point is that most computer systems treat data as both information to be processed and commands to be executed. This principle is foundational to the very idea of the modern computer, but also a major source of insecurity. A good illustration is a SQL (pronounced “sequel”) injection, one of the most common ways a website is attacked. Many web applications are built on Structured Query Language (SQL), a type of programming language used to manage data. It's a highly effective system that dates back to the 1970s. But an attacker, instead of entering a name and address as requested, can enter specifically crafted commands that the database will read and interpret as program code, rather than just data to be stored. These commands can be used to learn about the database, read data, and create new accounts. In some cases, access can be used to discover and change security settings on the server, allowing the attacker to control the entire web system. As we explore later in the Part II section on hacktivists, the Anonymous group used this kind of attack to penetrate the security firm HBGary and share its embarrassing secrets with the world.
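To make the "data read as code" point concrete, here is an added example (not from the book) in Python using the standard library's sqlite3 module. One lookup builds the SQL text by gluing the user's input into the command string, so the database cannot tell where the command ends and the data begins; the other passes the input as a bound parameter, so it is always treated as data. The table, its two rows and the crafted input are constructed for the illustration.

```python
import sqlite3

# Constructed sample data (not from the book): a tiny customer table.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # The command text is assembled from user input. Whatever the user types
    # becomes part of the SQL the database parses, so quote characters in the
    # input change the structure of the query, not just the value compared.
    sql = "SELECT name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The command is fixed; the input travels separately as a bound value.
    # The database compares the column against the literal string the user
    # supplied, quotes and all, and never interprets it as SQL.
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups with an honest name and with a crafted input; return the results."""
    conn = make_db()
    honest = "alice"
    crafted = "x' OR 'a'='a"  # constructed: input that widens the WHERE clause when glued into the SQL
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the honest input both functions return Alice's row. With the crafted input the string-built query returns every row in the table, because the database parsed the input as part of the command; the parameterized query returns nothing, because no customer is literally named `x' OR 'a'='a`. Parameterized queries (prepared statements) are the standard fix precisely because they restore the boundary between command and data that the paragraph above describes.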

Beyond attacking applications, attackers can also exploit vulnerabilities in code at the system level. A common vulnerability is the buffer overflow. Computers use memory to store data and instructions. If a program can be tricked into writing inputted data that is larger than expected, it can spill over the allocated “buffer,” or storage area, and overwrite the space where the computer stores the next instruction to be executed. If that newly written memory space is then read and interpreted by the computer, the program can break or follow the attacker's instructions. Once the program executes arbitrary instructions, the attacker can effectively gain control of the system. In essence, it follows the same principle as the SQL attack, where the computer interprets data as instructions, but now it takes place at the system memory level.

Designing these types of attacks requires a great deal of skill and experience, but once the vulnerability has been exploited it is relatively easy to package. This “exploit” is a piece of software or set of commands that can take advantage of the vulnerability. And that is where cyber risk takes on a whole new level of concern, as it allows other, less sophisticated attackers in on the action. It's as if the master thief now writes a book about safecracking that comes with a handy-dandy set of tools.

Malicious software, or “malware,” is a prepackaged exploitation of a vulnerability. There is often a “payload” of instructions detailing what the system should do after it has been compromised. Some types of malware contain instructions for reproduction, in order to spread the attack. “Worms” spread themselves automatically over the network. In some cases, this can be sufficient to cause drastic harm: many of the worms that attacked Microsoft Windows in the late 1990s and early 2000s had no direct malicious effect but still overwhelmed corporate networks because they tried to send out an exponentially large number of copies. One worm even sought to patch vulnerable computers, a “good worm,” but still managed to cripple networks. Other vulnerabilities have been exploited to allow the attacker to capture valuable personal data or, in an anarchistic turn, just destroy data on the victim's computer.

Malware can also be spread over the Web via “drive-by” attacks, where the victim's only mistake is visiting the wrong website. Such attacks exploit vulnerabilities in the web browser or in the many components and add-ons that web browsers use to take advantage of sophisticated websites. The attacker first compromises the web server and then simply attempts to exploit vulnerabilities in any browser that requests files from that website. Drive-by attackers often target groups by going after websites used by specific communities, a so-called “watering hole” attack (taken from the idea that smart lions don't chase after their prey across the African savannah, but rather just wait for them all to come to the watering hole). For example, a group out to steal secrets from a US defense company indirectly targeted it by compromising the website of a popular aerospace magazine that many employees read. In one case, a watering hole attack infected five hundred accounts in a single day.

More recently, malware has been used not only to take control of a computer system but to keep control of that computer, in order to exploit its computational and network resources. By capturing victims' systems and coordinating their behavior, attackers can assemble armies of “zombie” computers. Millions of machines can be controlled by a single actor through a range of different command and control mechanisms. These are referred to as “botnets,” and most computer users will never know if they are part of one.

Botnets are powerful resources for a host of nefarious activities. Regular access to the victims' machines allows monitoring to capture valuable data. Botnet controllers can also leverage the network connections of their victims' systems to send spam, host websites to sell illegal products, or defraud online advertisers. Perhaps most insidiously, botnets can launch a “distributed denial of service” (DDoS) attack.

DDoS attacks target the subsystems that handle connections to the Internet, such as web servers. Their vulnerabilities are based on the principle that responding to an incoming query consumes computational and bandwidth resources. If someone were to call your phone incessantly, you would first lose the ability to concentrate and then lose the ability to use your phone for any other purpose. Similarly, in the cyber world, if the attacker can overwhelm the connection link, the system is effectively removed from the Internet. It is fairly easy to defend against a single attacker from a fixed source: one just has to block the sender, just like blocking an annoying caller's number (but never your mother's. Never.). In a distributed denial-of-service attack, the attacker uses a botnet of thousands or even millions to overwhelm the victim. It's the equivalent of having thousands or even millions of people trying to call your phone. Not only would you get nothing done, but the calls you actually want to receive wouldn't easily get through.
