Cybersecurity and Cyberwar

Book Notes

Cybersecurity and Cyberwar
P.W. Singer and Allan Friedman; 2014

 

Synopsis

A non technical overview of cybersecurity starting with its definition and importance in today’s cyber world. It reviews some of the vulnerable areas of attack, methods of attack, and the lasting consequences of an attack. The book then covers some aspects of cyberwar, again defining what it is and its importance. It reviews some of the belligerents in the war, some of the politics that direct it, and some of the documented/known incidents. It provides multiple perspectives ranging from governments to organized groups and private individuals. It also goes into the aftermath affects of cyberwar and its ongoing efforts.

 

How it all Works

In U.S. government there is a large knowledge gap from politicians to even members of the military on what exactly is cyberspace and cybersecurity. Even as late as 2001 the Director of the FBI did not have a computer in his office. The Secretary of Defense would have his assistant print out his emails so he could read them from paper instead of a computer. As of late, there has been much effort to fill this gap by the ongoing sharing of information within the government agencies and officials.

The exact size of cyberspace is unknown. What we see on the internet is only a small percentage of it. Some estimates indicate 99% of cyberspace is in the deep web and everyday users are only exposed to the 1%.

ARPANET (Advanced research Projects Agency) – the predecessor to the internet. Used by government agencies and Universities (mostly for research) across a limited number of computers during the 1960s. It defined the communication layers and protocols that are used in today’s internet. Data packets would travel through the Transport Control Protocols (TCP) and Internet Protocol (IP) to traverse the networks. Modems were created to send the data packets through analog signals in the telephone lines. By the 1970s many commercial companies were entering the ‘net’ with MCI creating the first commercial email service by 1983.

IETF – Internet Engineering Task Force – develops new internet standards and protocols and modifies existing ones for better performance. Members of group believe in openness and keeping all their efforts transparent. They collaborate with various leaders in industry and government. It is overseen by the IESG (Internet Engineering Steering Group) which itself is overseen by the IAB (Internet Architecture board). Another larger group umbrellas these group, which is the ISOC (Interent Society).

Security – involves more than just the technical issues. It is affected by the organization, legal, economic, social aspects at that time. The easiest way to hack a system or gain unauthorized access is to simply ask for it.

Phishing – is the false claim or pretending to be someone else. Often done through email or websites. Spear phishing is a more targeted attack where the victim is some key individual, possibly with access or rights to gain the information the attacker wants.

DDoS attacks (Distributed Denial of Service) – are often done by a botnet overloading a target.

Hash – one of the key building blocks of cryptography, it is a function that takes a piece of data and maps it to something else. The mapping is one-way, meaning that with the result you can never get the original piece of data. But the result is so unique that it is a ‘fingerprint’ of the original piece of data. This is used in key based cryptography.

Asymmetric cryptography – how modern certificate based authentication is done using a pair of public and private keys. The keys are used to create the hash.

Advanced Persistent Threat (APT) – a specific targeted attack usually carried out by a group rather than an individual, and where multiple methods of attack may be used. The attack is persistent in that it may take a long time, with multiple tries and even evolving the attack over time. It may use members close to the target and exploit other vulnerabilities. Once the target is exposed, the attacker will infiltrate taking what they need. When done they may simply leave cleaning up any traces of the attack or they may plant other bugs or tools for future attacks or creating a backdoor for continuous access.

Malware – in 2013 according to McAfee there have been over 110 million different types of malware identified. But this number is growing at an exponential rate. In 2013 a new type of malware was being discovered every second. One of the challenges in protecting against malware is that you can never ignore previously caught ones since malware virtually does not die. So systems must protect itself from a continuously growing blacklist.

Zero Day – a zero day vulnerability or attack is a type of attack where the victim is unaware of the attack until it happens. In other words, it is an unavoidable, unpreventable, unblockable attack.

Anonymous – a group of hackers known as hacktivists that carry out attacks that are triggered by political or social reasons. The group advocates freedom of internet and any expression can be done on it, to a certain degree. They support a fight against moral issues such as human trafficking, child pornography and other human injustices. They targeted government leaders trying to hide the blood diamond trade and the Tunisian government for trying cover up the violence in its country. They often leak information to WikiLeaks. Once, Anonymous got into a confrontation with the Mexican cartel Los Zetas who found and kidnapped one of its members. In response Anonymous hacked the members of the cartel but the cartel hired hackers to do the same against the Anonymous group. Eventually, the kidnapped person was released but the cartel threatened to kill if Anonymous released any information about them.

Tor – initially created by the Department of Defense as part of a Naval Research Lab program to keep digital secrets. It uses the Onion Router where an overlay network is created on top of the internet. Communication takes multiple hops where the data is encrypted between each hop and information about the originator is omitted until it reaches its final destination. It disguises both parties.

 

Why it Matters

In 2008 Pakistan ordered it’s telecom provider to block access to video-sharing websites such as Youtube. Users trying to access the sites would be redirected a Pakistan government managed site (most likely for monitoring). Though this redirect was only supposed to happen to users within Pakistan, the rules propagated outside the country to other providers and soon over two-thirds of all the world’s internet users were being redirected to Pakistan, which overwhelmed their servers and brought it down.

In 1998 Jon Postel emailed 8 of the 12 world DNS administrators to resolve certain names to a server he controlled at USC. It is unclear whether he this maliciously or by mistake but it was the first time in internet history that it was hijacked. Post this incident spurred many conversations on Internet Governance.

In 2011 the FAA (Federal Aviation Administration) ordered almost half of all US airspace to be shutdown, which resulted in 600+ planes being grounded around the country. This was due to a computer glitch at the main Atlanta headquarters.

The 2005 Microsoft SQL database shipped with a default administrator password. This was supposed to be changed by the administrators after initial installation / setup but many forgot to. As a result, many systems running this version of the database were vulnerable to attacks.

During the 2011 uprising in Syria, DDoS attacks were used against anti-government groups and news agencies reporting on the violence within the country.

Buckshot Yankee – an attack in 2008 on US military systems using USB flash drives that were dropped strategically at US bases. One soldier found the drive and inserted it into a computer that was on the US military Central Command network. It deployed a worm that accessed data and created backdoors to the central servers. It took the Pentagon over 14 months to clean out the bug. This is the largest cybersecurity attack on the US military as of date.

GhostNet – cyber espionage network which attacked government networks through crowd sourcing – by finding insiders who were willing to release the data. The reasons the insiders participated were noted as they felt it was for patriotic or other noble purpose, but it was still an attack.

2011 US government released counterintelligence report indicating many attacks from China. New York Times followed up with a story where it was able to track down an attack to the Chinese government, which was covering itself behind a fake public company as well as using addresses of private residents in Shanghai.

WANK – an attack in October 1989 against the Department of Energy and NASA. WANK stands for Worms Against Nuclear Killers. The attack made computer screens at the agencies blink with a message – “You all talk peace but prepare for war”. This was done by a hacker in Australia and was one of the first recorded incidents of Hactivism.

Aaron Barr – CEO of HB Gary Federal, a security firm, made a statement in February 2011 that he will expose members of Anonymous and is able to infiltrate the hacktivist group. Soon after the statement his personal sites and accounts were hacked by Anonymous with embarrassing data being leaked into the internet. This led to his resignation from the firm.

Credential Fraud – the most popular type of cyber crime where attackers steal an individuals identity. This leads to accessing restricted areas for information or monetary values.

Shady RAT – RAT is for Remote Administration Tool – an attack that was discovered by McAfee on several servers across the world. The attack used a malware that opened up a communication backdoor allowing the attackers to access the system and other systems on its network. The attack wasn’t going after a particular target but spreading to only retrieve data from its hosts. It was an espionage attack. It took McAfee nearly 5 years to investigate the attack and found it had gained information from governments and other organizations around the world. The exact damage is unknown.

Cyberterrorism – defined by FBI as a premeditated and politically motivated attack against computer systems by sub-national groups or clandestine agents. Though the number of attacks is in the several hundreds of thousands, the number of people physically hurt has been zero. Thats not to say that cyberterrorism does not harm lives, as the information lost to it can lead to physical attacks. For example, stealing information on how to create explosives or destruct a physical structure.

Stuxnet – exploitation of a SCADA computer system that specifically targeted systems in Iran. Discovered in 2010. It was a complex malware using at least 4 zero-day vulnerabilities. It used authentic (but stolen) signed drivers. Eventually it was determined that Stuxnet was targeting Irans Natanz nuclear facility and specifically, the centrifuge controllers at that site. It manipulated the centrifuges’ spinning rotor speeds to make them slightly out of sync and thereby causing damage to the overall system. It disrupted and delayed the Iranian nuclear program from advacement.

 

What can we do?

Whenever a new adversary or technology causes disruption, the US government adjusts by creating agencies specific to that area. For example, with the development of boats it created the Navy and the creation of planes created the Air Force. The drug war created various agencies to fight it like the DEA. Each of these had specific areas that could be covered by a single or limited number of focused agencies. However, cyberwar is not so specific. As it encompasses so many areas, it is difficult to handle by a single agency. Joint efforts are required, but there is complexity and challenges in collaboration and information sharing.

Existing agencies such as the FBI, CIA have divisions focused on cyber crime/attacks but some new agencies focused on cyberwar are the NSA the military’s Cyber Command, or CYBERCOM.

Also, where certain events like World War II, Cold War or even the Drug War were specific events in time, Cyberwar is not as it does not have an end. There is no specific adversary to target, as it is always changing, and since the cyber environment will not go away, there doesnt seem to be an end. On top of that, Cyberwar does not follow the same jurisdications as a traditional war as it can involve many countries. Alliances like NATO specifically call out for unity in arms if a certain member is attacked. But by this definition an ‘attack’ is some harm on human life. With Cyberwar, there often is no human harm so it is difficult to determine if such alliances apply for this scenario.

The ‘human harm’ question opens many areas of ambiguity and even call into question what is ‘war’. If no human life is harmed, but information, infrustruture, etc is lost, does that qualify for war and to what degree? For example, could someone be executed on the grounds of a cyberattack?

 

One of the solutions to cybersecurity is collaboration and information sharing. Much like how the CDC (Center for Disease Control) researches and identifies emerging threats to human health and works with other organizations such as World Health Org (WHO), cyber organizations need to take a similar approach against cyber threats collaborating with organizations around the world.