Monday, 6 June 2011

The Cyber War

Those who know me tend to ask me to help them to fix their computer. People who don't know me somehow find me in a crowded bar and also ask me to fix their computer. Let's just say that, having had a computer since I was 8 years old and having been employed in IT for over a decade, I know my way around computers and networks.

Computer and network security use terms like 'best practices' and 'industry standard' for a reason: quite simply, you cannot and never will completely secure a computer or network that is connected to the internet. I like to say that to completely secure your system, take the wire that connects your computer to the power outlet and throw it away, then don't replace it.

Huh? But then how do I use it?
--- fill it with earth and plant some seeds, or convert it into a magazine rack.

Quite simply put: the least secure part of any computer or network is its user(s). Once the computer became something that everybody could use without years of education, it became a tool for hackers (and by hacker I mean enthusiasts and curious 'how does it work?' types).

Hackers, hackers everywhere

The term 'Hacker' has been villainized for decades. Ever since the movies 'War Games' (1983) and, worse still, 'Hackers' (1995), the term has taken on an antonymic double meaning. Initially, computer hackers were simply enthusiasts. Steve Jobs and Steve Wozniak, who are credited with founding Apple Inc., were members of the Homebrew Computer Club, which was essentially a group of computer hackers (read: hobbyists). Without the Homebrew Computer Club, Apple likely would not have been founded, and computers would still be considered a tool for businesses and be largely too expensive for most mere mortals to own. Moreover, had Compaq been sued out of business for reverse engineering IBM's hardware, the home PC market we have today would not exist... But the home PC market was launched by IBM to counter the threat posed by Apple, so, believe it or not, Apple really is the reason we all have a computer at home, whether Apple made your computer or not.

So our computer market and internet are based on hackers and reverse engineering.

But hackers are the bad guys stealing credit cards and breaking into NASA, aren't they?

You see, this is why 'hacker' is now a completely devalued double-agent of a useless word. Once the Military-Industrial-Entertainment-Media Complex associated this word with criminal activity, a whole group of formerly pioneering and innovative people were no longer distinguished from common thugs. Hackers did invent a new word for the criminal acts of breaking into systems with intent to cause harm: "Crackers", but this word has largely been ignored by the media and the general population. Of course, the movie 'Hackers' does depict cracking in order to derail a criminal act, blurring the line even further by using an unethical means to an altruistic end.

The knowledge I use every day in my career stems from being a hacker. So it worries me greatly that hacking a password is considered an act of war while dropping bombs on Libya is a 'kinetic military action'. Especially when hacking a password (or bypassing it completely) is child's play. Modern video cards are even speeding up the process of hacking secure passwords by guessing them at speeds of 3.3 billion passwords per second. This is beyond the fact that DNS has already been known to have security flaws for years, and that the internet was originally designed as an open system to which security was added later (as is the case in a 'software feature').

The internet is not a place that can be completely locked down. Any system that can access the internet can conceivably be accessed by the internet at the same time, either due to an uninformed user, an unpatched security hole, or even an unreported security hole. Given that I have known this for years and that no school ever taught me that, I am surprised about all the recent data theft announcements from companies like Sony.

I am grossly horrified when I hear that RSA was compromised since that leads to Lockheed Martin, Northrop Grumman, and L3 Communications also being hit, and I am sure this is only the beginning. Though I cannot for the life of me figure out why they'd have highly sensitive data even accessible to the internet. I've already been given assignments involving sensitive and classified data. It did not live in our primary network and could not connect to the internet without some means of physical transportation like a USB key.

The Impossible Mission

Most attacks are directed at the software running on computers and servers. In the realm of programming, adding something means new code is inserted into the existing product and a bit of the code from the existing product is modified to reference the new code. In marketing terms this is adding a feature; in geek terms this is adding new bugs (I've been calling bugs 'features' for years now). The new bugs are released to circumvent old bugs people knew how to exploit and replace them with bugs nobody is aware of yet.

Notice I have not named any names yet? This is quite simply because bugs exist in all software. Microsoft, Apple, Linux and Unix, Adobe, Mozilla, Cisco and Google, and others I have not named, have all been guilty of releasing buggy software at one time or another. It is impossible to avoid releasing software that could potentially be exploited, because it is not possible to test software against the entire internet population until it has actually been released.

The only thing software companies can do is be proactive in releasing frequent free and hopefully automatic updates. Microsoft and most Linux distributions have done this for years, Adobe has started recently, Mozilla and Google do this fairly transparently to the user. Apple and Cisco? Not so much.

<Apple Rant>

Apple has long marketed the idea of being virus free. This fact was true, but only due to market segmentation, and not because Apple had more or better security. In fact it has long been stated that Apple's OSX was less secure than the Microsoft Windows platform that they were sucker-punching. They simply enjoyed being a less attractive attack vector due to their much smaller market share. Obviously it's easier to find unsuspecting victims in a more crowded space than a sparse one. Now that OSX has been attacked, they have actually told employees not to assist with removing the infection that they lulled their users into believing was impossible.

To their credit they released a fix. However the fix was circumvented within 8 hours.

Welcome to the real world Apple, now try not to alienate all your new users by dropping the ball like this next time.

</Apple Rant>

Eventually new exploits are found, some even disclosed to the company who owns the faulty software to give them time to fix the problem, by none other than 'hackers'. Others are exploited for criminal uses like identity theft by people commonly referred to as 'hackers'.

Fixing the problem

Obviously there is no solution to end hackers (crackers, cyber-criminals, et al...), and as I have stated above, hackers (enthusiasts, curious geeks, et al...) are often responsible for fixing security problems in software, so ending them would worsen our overall computer security. So it would seem that we need to fix the language as a primary goal. If we could all agree that hackers are the benign group of enthusiasts who like to figure out what makes it work, and that crackers, phishers, spammers, script kiddies, and other such criminals are in their own separate group (I'd like to invent the term phrackers for all of them in a tribute to the original 2600 'phone phreaks' who were eventually arrested for Toll Fraud phor phiguring out how to phuck the phone companies out of long-distance phees).

Enter the Phracker

Then the war can become the Hackers v the Phrackers. Sure, it's a cat and mouse game that never ends; sure, the bad guys are always one step ahead of the good guys. But the Hackers catch up quickly, and both sides have to stay sharp or step aside. All this leads to more innovation, less sloppy coding, and hopefully fewer bugs or holes in the future... At least that is the theory: that they'll see it as more profitable to not have to keep wasting resources on fixing things they've already sold for free.

The phrackers are known to start out as innovative, loose-knit organizations with decentralized leadership, which are traits opposite to those of military units. This is the same reason the U.S. Military has had such problems with al Qaeda: there is no head to sever. Hackers tend to find themselves in similar decentralized, innovative, loose-knit groups, making them a good counter-weight.

The CIA/DoD/FBI can swoop in to get the bad guys that have become greedy bloated institutions and try to recoup some of the ill-gotten gains on more familiar footing (against another top-down managed, unimaginative, non-innovative, sluggish to change course, mega-corporation in a cage match).

Bombing a nation because a phracker was born or is living there is not going to help anything, and chances are that a single target will escape the blast, and a bus-load of nuns and orphans will not.

Besides I think one invisible enemy at a time is already too many.

--- Update June 11th ---
The gauntlet has been thrown down

--- Update June 14th ---
Interestingly enough, Citigroup's online credit card security was so poorly planned that they lost 200000 customer accounts to what might be the stupidest trick I have ever heard of from a major financial institution.

