A while ago I published a post, “A hack is forever,” explaining that a competent hack is extremely difficult to eradicate from a cyber system – there is no certainty that the system is really clean. However, there is flip-side aspect of this in cyberspace that is not commonly understood: by way of dubious consolation, the hacker cannot be certain that he really got away with the crime.
Cyberspace is an information and communications space. In essence, we don’t really care what media our information is stored on, we care about the utility aspects, such as the efficiency of the storage, how quickly and conveniently information can be retrieved, and so on. Similarly, we don’t really care what communications channels we use, we care about our communications’ speed, reliability, security, etc.
Cyberspace has one very significant property: information cannot be destroyed. Just think about it. We can destroy only a copy of the information, i.e. we can destroy a physical carrier of the information, such as a floppy, a thumb drive, a letter, or a hard drive (often that’s not an easy task either). However, we cannot destroy the information itself. It can exist in an unknown number of copies, and we never really know how many copies of a particular piece of information exist. This is particularly true given the increasing complexity of our cyber systems — we never really know how many copies of that information were made during its processing, storage, and communication, not to mention a very possible intercept of the information by whoever, given our insecure Internet. Such an intercept can open an entirely separate and potentially huge area in cyberspace for numerous further copies of the information.
Back to the consolation point: cyber criminals of all sorts can never be sure that there is not a copy somewhere of whatever they have done. That copy can surface, someday, usually at the most inopportune time for the perpetrator.
One practical aspect of this is that Congress perhaps should consider increasing the statutes of limitations for cyber crimes, or crimes committed via cyberspace.
Tag Archives: cyberspace
The secret reason behind the Chinese hacking
For quite some time I’ve been puzzled by the alleged Chinese hacking of our databases. I could understand if they hacked our advanced research and development– that would save them time, effort and money. But why the databases? Then it dawned on me: it’s a savvy business strategy.
We routinely encounter problems with our databases. One organization can’t find our file, another somehow has the wrong information about us, and all too often they certainly can’t get their act together, and we see classic cases of the left hand not knowing what the right one is doing . The pre-9/11 non-sharing of intelligence is a good illustration. In other words, we have a somewhat messy general situation with our databases; we’re used to taking this in stride; and we just sigh when we have to deal with some organization that accuses us of something we aren’t guilty of.
The Chinese understood the problem, but they just never got used to it. For many centuries they had a much bigger population than other countries, but somehow they always managed to know exactly who is who, who is related to whom, and what he/she is doing.
So naturally they wanted to have the same level of knowledge about the rest of the world. To their dismay, in the US they found disorganized databases and mismatching records. So they had to process all that information to make sense of it for themselves. And suddenly they saw a perfect business opportunity: they would develop a gigantic and very efficient database of the US, and then sell this data back to us piecemeal, retail. This would give them full and exact knowledge of the US, and the US would pay for the project, with a significant profit for the Chinese. For us this would be a very valuable service, a kind of of involuntary outsourcing where we (both the Government and the private sector) can get relevant and reliable data at a modest price. Makes perfect business sense.
This approach has a special bonus for the US Government: when buying data abroad they won’t have to deal with privacy restrictions imposed by the US Constitution and constantly debated by Congress. The logic is impeccable: we bought it abroad, and if the Chinese know it, we are entitled to know what they know about us.
A classic hot potato—political hacking
Media attention to cyber attacks can be divided into two categories: the endless stream of examples of institutions hacked, and cautious descriptions of potential (and very real) horrors of our vital systems being attacked.
But there’s one area of cyber attacks that conspicuously has received little or no media attention: political hacking.
Practically all our electronic systems are vulnerable to cyber attacks to varying degrees. Political systems rank close to the high end of vulnerability, and indeed most of them are virtually undefended against even a low-skilled hacker.
It’s pretty obvious that these systems are extremely valuable targets for some political activists, and certainly for the aggressive ones. It’s not too far-fetched to assume that some of these activists, whatever their focus, either possess hacking expertise themselves or have access to guns for hire, whether for money or some other consideration.
This hacking potential may impact our lives more than we realize. It’s not technically difficult to hack into a voting system and “adjust” the outcome to the hacker’s liking. Such hacking targets can be at any level – from a poll on a local ordinance to allow dogs on the beach to the election for a head of state. Importantly, it’s not easy to detect such interference, and even if done successfully it takes a lot of time. We can only imagine the political mess if a couple of months after an election it’s determined that a group of teenagers (or some mysterious “Russian or Chinese hackers”) materially changed the outcome, and the wrong people were sworn in to their new hard-earned and increasingly expensive jobs.
On a more subtle indirect note such “adjustments” can be made to the results of public opinion polls, manipulating public opinion in a very effective way.
While it’s understandable that nobody wants to discuss this classic case of a very hot potato, nevertheless we have to realize that we ignore this threat at our own peril.
Product Liability—the Unique Position of the Cybersecurity Industry
There are three points that radically distinguish US cybersecurity industry from any other.
One – every cybersecurity company seems to be the self-declared “world leader in cybersecurity.” This can be easily verified by visiting their websites. I haven’t been able to detect any #2. Surprisingly, comedians and cartoonists don’t explore this hilarious situation.
Two – the industry as a whole is de-facto exempted from any product liability, even any implied warranty liability. This is a truly unique break that the cybersecurity industry has been getting away with for over thirty years. In the US every manufacturer is obligated at the very least to make sure that its products are reasonably fit for their intended uses . For example, a car manufacturer must make sure that its cars are at least drivable and can deliver a user from point A to point B. A hammer manufacturer has to make sure that its hammer handles do not break, at least not before you bring one home. The Uniform Commercial Code (UCC) is very explicit about this, and there have been millions of court cases where this principle has been upheld.
But not for the cybersecurity industry. Every firewall gets hacked even before it’s delivered to the first customer. On a daily basis we hear of “big” cases that one or another organization has been hacked with huge losses for millions of people. And don’t forget that only a small fraction of hacks is detected. We never hear about the undetected “big” cases and thousands of smaller ones. But nobody is held responsible despite of many billions of dollars in losses incurred by individuals, companies, and governments. The Government does promise to prosecute hackers – if they can catch them.
The interesting twist here is that every company assures its customers that their personal information and the money in their accounts is secure. Ironically, they assure their customers before they are hacked, while they are being hacked, and after they’ve been hacked. Somehow we listen to them and nod in agreement.
Three – the cybersecurity industry gets countless billions of our dollars for research and development of cybersecurity products. In fact, we spend more on this in a year than the entire cost of the Apollo program that put a few good men on the Moon. Amazingly, these funds seem to be going into a black hole. Nothing comes back. No product, no results, no responsibility for wasted money– the taxpayers money.
The most remarkable thing about this is that we, the people, have put up with this situation for over thirty years.
On a positive note: this industry should be a bonanza for investors — assured high returns with no risk. Stock brokers should take a note.
Encryption: panacea or just an expensive “do something”?
Once in a while we see a common cyber call to arms: “Let’s use data encryption and, voila, our problems will be over.” A typical example of this is the AP article http://cnsnews.com/news/article/no-encryption-standard-raises-health-care-privacy-questions.
This is a very common misconception. Encryption per se does not protect against hacking. Surely, encrypted files look impressive, with their very long strings of seemingly random characters. It must be mindboggling for a casual observer to imagine that anyone can actually decipher that without the secret key.
However, the reality is vastly different.
Strength of encryption is based on two main ingredients – the encryption algorithm and the secret key. Most encryption algorithms, and certainly all commercially available algorithms, are well known. They have been researched, and solutions—the ability to decrypt them without the secret key—have been found for most of them. The only undefeated algorithm so far remains the so-called “one time pad,” where the key is used only once. But even that algorithm’s strength rests on the quality and security of the key — issues that are far from trivial.
However, the main practical problem with encryption is the distribution system for the key. As in the example of a health system cited above, we are talking about a massive database with many millions of records. Sure, it’s not too difficult to encrypt all that data. But then what? The database has many legitimate users, sometimes thousands, and each one of them must have the secret key. It’s not difficult to obtain the key, one way or another, from at least one of them. Such a single breach would defeat the whole encryption scheme. I’ve often heard someone proudly declaring at a party, “I encrypt all data files in my computer.” Sometimes I will casually ask, “But where do you keep your key?” The answer invariably is, “In the computer.” Usually that person doesn’t understand that the key in his computer is also available to anyone who bothers to hack into his computer.
All in all, data encryption is a good concept, but the practicality of its deployment in databases with many users can only protect against middleschoolers. It would have marginal protection against smart highschoolers, and it would certainly be fruitless against professional cyber attackers.
Encryption per se would be just another expensive exercise in wishful thinking. It should be clearly understood: ENCRYPTION PER SE DOESNOT PROTECT AGAINST HACKING.
Power grid: when cyber lines cross
We have very little time to cure our stone age cyber defensive technology.
The CNN story citing testimony by Admiral Michael Rogers, head of U.S. Cyber Command, to a House Select Intelligence Committee November 20 sounded like shocking news. He stated that China can take down our power grid. http://www.cnn.com/2014/11/20/politics/nsa-china-power-grid/index.html
Shocking as it may be, if this is still “news,” surprise, surprise — it’s been known to everyone who was anyone in cyber security for over 25 years. First it was just the Russians, then the Chinese, then some vague criminals acting on behalf of “nation-states” were gradually added to the list.
Never mind the Russians and the Chinese – they also both have enough nuclear weapons to kill every squirrel in America. What is really troubling is the cyber security trend. Our cyber defensive capabilities have hardly improved for over a quarter-century. However, hackers’ attacking capabilities are improving constantly and dramatically. This is not a good equation — sooner or later these lines will cross. This means that a large number of unknown hackers will be able to take down our power grid and also decimate our power-intensive facilities, such as oil refineries, gas distribution stations, and chemical factories.
Now, think terrorists. They would be delighted to do exactly that, whether you kill them afterwards or not. This isn’t news, but it’s an increasingly troubling reality. We have very little time to cure our stone age cyber defensive technology. But that requires changing the current equation and making cyber defense inherently more powerful that the offense. That won’t happen until the doomed legacy password and firewall paradigms are abandoned and replaced by fundamentally different technologies.
EU Cyber Incompetence
Utter incompetence of high-level officials is not exactly a scarce phenomenon. However, it’s rarely displayed so vividly as it was by Troels Oerting, the head of Europol’s Cybercrime Center, in his recent interview with the BBC’s Tech Tent radio show.
Mr. Oerting proudly declared that international law enforcement just needs to target a “rather limited group of good programmers.” He went further, proudly stating “We roughly know who they are. If we can take them out of the equation then the rest will fall down.” Voila, easy and simple. Arrest the 100 known dudes and cybercrime disappears. He didn’t specify what it means to know “roughly”–you either do or you don’t, and that is exactly, not “roughly.”
The man obviously hasn’t a clue. The trouble is that he’s speaking for Europol and the EU. And the idea that the EU’s main cybercrime law enforcement unit assesses the cybercrime situation this way is truly troubling. It would simply mean that the cybercriminals don’t have much to worry about.
The reality is drastically different. There are many thousands of programmers around the world good enough to hack most of the attractive targets. Many of them, for one reason or another, are disappointed with their employment or personal situation. Given the current dire state of our cybersecurity, making a few bucks off easy targets is really tempting. This temptation looks even more attractive if the target is a rich bank or some large allegedly unethical company. This often satisfies the conscience of many of the hackers. The continuing deterioration of the European economy worsens the situation.
Add the “script kiddies” to the equation and Mr. Oerting’s job becomes even harder than he probably can envision in his worst nightmares. He should also know that really good programmers only publish their crumbs for the script kiddies, scripts they developed long ago. They keep their best stuff for themselves.
Furthermore, many of these off-the-grid programmers have their own very large botnets capable of performing rather sophisticated operations that they can offer to all sorts of customers as a service.
All in all, Mr. Oerting should urgently realize that he is mainly dealing with the mediocre cybercriminals who are not good enough to be stealthy. Really good “top-100” programmers don’t get caught. I wouldn’t be at all surprised if one of them, having read Mr. Oerting’s statements, would hack his next target through this top EU cyber cop’s computer, just to demonstrate the point.
JPMorgan Chase Tooth Fairy Hack
JPMorgan Chase is the latest victim of a cyber attack. The company announced that unknown hackers broke into their computer system and stole over 80 million customers’ names, addresses, phone numbers and email addresses. This is a really odd announcement for a serious company. Believing that a hacker broke into a bank’s system only to get what he can get from the White Pages is more naïve than believing in the Tooth Fairy. It’s like believing that a burglar broke into the house just to look at the clock because he lost his watch.
The company somewhat hedged its conclusion by stating that there’s no evidence of hackers stealing anything else, but still assuring their customers that there’s nothing to worry about.
The reality is that this tells us that whoever did it is a competent hacker. He either obtained all the financial data right away and covered his tracks well enough that neither JP Morgan nor the FBI could find anything, or left malware that will be sending him that data later. This type of malware is extremely difficult to detect, and the JP Morgan/FBI failure is typical.
This is also indicative of a well-heeled hacker who is financially already very comfortable and can afford to wait until a later date when he can safely start milking the golden cow.
The scariest part of this story is that if this hacker is so good technically and astute financially JPMorgan Chase and its millions of customers are in for a very interesting future. At this time most banks can afford to absorb losses from cyber fraud (but of course passing on the cost to us in interest and fees). It remains to be seen for how long this is going to be the case.
Cyber Guns for Hire
Dawn of a New Era of Hacking
Last week I was trying to log on to the control panel of my blog and an annoying message came back. It announced that the host company was under a massive cyber attack by a botnet of some 90,000 infected slave computers trying to break into its customers’ blogging accounts by a brute force attack that was guessing its customers’ user IDs and passwords. Success would enable the attacker to take control over some blogs. So a login was not available.
My first reaction was mild annoyance at this déjà vu event of Internet daily life. Then something occurred to me: this was not business as usual, it was a sign of a new hacking era.
There are two important points to be made here. One is the type of the attack. Botnet attacks have been around for decades, but usually they are crude flooding-type DDoS attacks, with tons of cyber junk thrown at some entity’s servers, clogging up their communications channels and thus denying normal cyber services. This was dramatically different: the botnet was performing a crypto attack by a vastly distributed but coordinated force. And there was a fundamental qualitative difference here: instead of a dumb flooding the botnet performed an intelligent task by utilizing the vast computing power of the combined slave machines.
This is just the beginning of a trend, with the performance of more sophisticated tasks to come. It represents a frightening increase of the cyber powers of hackers not backed by a state, who by themselves possess limited computing power.
The second point here is that the attack was directed at the blogs’ controls server, which does not itself contain any of its clients’ financial information. Typically, hackers go after financial data or target a specific entity they don’t like. In this case the site attacked contains multiple blogs, so it was not itself the target. This, in turn, means that somebody – a hacker’s customer who does not possess the level of expertise necessary for such a major operation — was after a specific blog or two they didn’t like for some reason. So the entity behind the attack was not a typical hacker.
What does this tell us? That it likely was a hacking job for hire performed by a competent hacker for some customer motivated by unknown considerations. This means that a paying customer can hire the services of skilled but unscrupulous hackers with their powers vastly amplified by potentially millions of computers around the world.
This aspect of the event seems to signal the dawn of an alarming new era in cyberspace, when someone can actually use cyber guns for hire to mount sophisticated attacks far more devastating than just silencing a blog they dislike.
I addressed the theoretical potential of this dimension of hacking in my book (Cyberspace and Security), and it now looks like an upcoming reality.
A Hack Is Forever
Announcements by major companies and Government organizations that they’ve been hacked and have lost millions of private records that we entrusted to them are now as routine as the morning weather forecast on TV news. These announcements are usually followed by an assurance that from now on everything will be just fine, along with an urgent request that everyone change their passwords. Requirements for the passwords are getting more sophisticated – instead of a plain four-letter word they are supposed to be a little longer and include some characters requiring the shift key.
This is totally useless advice for two reasons: one is that these “sophisticated” passwords are in practice just as easy prey for a modern computer as the proverbial four-letter word, and the second is that no real hacker is going after your individual account unless he happens to be your curious next-door teenager or your nosy grandmother. In the real world hackers aren’t dumb. Why would they go after a few million accounts one-by-one if they can simply hack the organization’s server at the root or Administrator level and get all the data in every account with just a single hack? Any hacker worth his salt knows this, and this is exactly what hackers do – they hack the server, and that makes our individual passwords irrelevant.
These “change-your-password-for-a better-one” announcements likely have some other subliminal agenda. It looks like the real reason for asking you to change your password is to make you feel responsible for your data security. In other words, to blame the victim.
Furthermore, victims are majorly misled in a couple of other ways too. First of all, after a hack all your private personal data are gone, and they’re available to any criminal is cyberspace for a nominal fee. You cannot take them back. You can change your password, but you cannot change your name, date of birth, social security number, address, phone number; even changing your mother’s maiden name is difficult. All these are available to identity thieves.
And there’s another aspect that your favorite bank won’t tell you about: every competent hacker will leave a dormant cyber mole deep inside the hacked system. These are practically impossible to detect despite all political and marketing claims to the contrary. So even if the entire security program of a system is changed the cyber mole will report all the changes to its master. Including your new sophisticated password.
So a hack is forever.