August 3, 2011

The Victim and the Offender Were One and the Same.


My lawyer called, calmed me down (“No bad news”), and quickly introduced me to a colleague of his whose client was prosecuted for storing child pornography on his computer. The client claimed that he was unaware of the videos and had no clue how they got onto his hard drive. “Everybody says so,” quipped the lawyer, “but as his attorney it’s my duty to explore every possible angle of defense. And so I come to ask you if there is any credible explanation to this tired ‘someone else did it’ defense.” “Of course,” I replied, “a hacker could have taken control of your client’s computer, used it to store his illegal material, then streamed it down for at-will viewing.” “Can you prove it?” the lawyer asked. “Sure!” I replied, and sent someone to install a copy stream for the Internet traffic from that computer. We copied the original disk which served as evidence, and waited. The next day someone went in, wiped out all the illegal files, and nothing further happened since. We did not have proof, but a strong indication that the client, a divorced accountant, was a genuine victim of a vicious hacker, only that it was strange that the hacker wiped out all his files just when we were ready to close in on him. How did he know? It was much later when, in a casual conversation, someone mentioned the name of that accused client as a uniquely clever hacker, and I hit my forehead with a hard blow: of course, why didn’t I think of it myself? The accountant hacked his own machine, and it got him off scot-free too!

July 31, 2011

Semantic Search — the Hacking Route


A lot of work has been published in the literature on the issue of semantic search of the Internet: going beyond Google and discriminating documents by their contents and theme, not just by a stray keyword. And Web search is improving accordingly. It was natural then to expect that the dark side of the science would exploit the new technology much the same. Expected, in theory; surprising in practice, when we found new malware that searches files on the infected machine based on their appraised topic and theme. The new rootkits and worms can spot the ultra-sensitive documents on the hard drive, copy them, and send them over the Internet to their controller. One smart fellow in our shop thought of a counterattack — to infect sensitive-looking documents on our client’s machine so that when they are executed on the controller machine they explode there! We like our young and creative guys, but we also worry about mishandling — sending the explosive files to friendly targets… The unending cyber war goes on; this round is still showing advantage for the bad guys, but we are not done yet!

July 28, 2011

It Was Not The Secretary


Henry Mint did not believe that Linda, his trusted secretary, was outwitted by a stranger she met in the gym. But that was the result of the inquiry into how his medical condition became public, and sorely hurt his chances to replace the aging CEO of the corporation. Linda admitted her fanciful talk with the good-looking stranger; yes, it was one-on-one in the cafeteria, and yes, they exchanged phone numbers, but no, she did not discuss her boss’s medical condition — no way! When we heard about it, we suspected the now quite common scheme of hacking cover-up. An adversary will hire hackers to pry sensitive information from his opponent, and build a cover-up story to explain how he came to know these damning secrets. Nobody in corporate security had suspected as much. So we stuffed Henry’s computer with bogus data, which some days later appeared as a rumor around the water cooler. Case closed. The aging CEO is hanging on for now, but Henry promised us that if he gets the job he knows whom he would hire to provide security. “I now understand better what you keep repeating — that the cyber war is a contest of imagination!” he bristled, and pushed his way out as the elevator door opened.

July 27, 2011

Bagle, MyDoom — Their Predators, and Predators Look-Alike


The idea of fighting a worm with a worm has the intellectual charm usually reserved for science fiction. Here comes the cavalry — ‘good worms’ that spread through the Internet, hunting down the bad worms. Oftentimes the bad guys adapt with an immunized version (e.g. MyDoom.G, which was immune to NetSky). So attractive is the idea that system administrators open their firewalls for the good guys. The client — handling millions in daily transactions — did so, not realizing that quick-minded hackers had released good-worm look-alikes that got in. Their payload was rather harmless. And we discovered it through our intelligence services, not through internal work. But what else got through? We must suspect that the ground was laid for a big operation. And it is up to us to follow the hackers’ imagination and protect our client.

July 27, 2011

Data Overflow — a Hack in Disguise


He felt underappreciated. Don was the only one who could rescue a crashed system. It happened twice during his tenure, but nobody showed any special gratitude. So Don decided to teach his company a lesson. He rewrote a piece of very active code in the old language C. The code was identical to a piece written in the modern language running on the JVM that was in standard use by the company. Except that C does not check overflow of data arrays, and when the input data is too large it will crash the system. The data will simply overlay some memory area where some piece of code or some data would reside. It created a situation where every data overflow would crash the system. And every time it happened (which was quite frequently), Don was called in. His critical contribution was felt every time he made himself hard to reach. At the peak of this manufactured charade, Don asked for an outrageous raise. He got it, and he was promoted too. He then removed his code, because he was too busy to handle system crashes, and went on to become the security chief for the company. He confessed his story to a good friend who later on came to work with us, and that is how this case shows up as a blog post.
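The unchecked copy the post describes, beside the bounded form that turns oversized input into a handled error instead of a crash. This is an added, constructed C example, not the company's code; the record format and RECORD_MAX are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size record buffer, as in Don's C rewrite of the JVM code. */
#define RECORD_MAX 64

/* The defect the post describes: the input length is never compared with the
 * destination size, so a record longer than RECORD_MAX overwrites whatever
 * lies after `dst` in memory (undefined behaviour, typically a crash).
 * With input that fits it behaves exactly like the JVM version did. */
static void copy_record_unchecked(char *dst, const char *src, size_t len)
{
    memcpy(dst, src, len);      /* no bounds check */
}

/* Hardened form: reject any record that does not fit (leaving room for the
 * terminating NUL) and report it, so the caller can log and drop the input. */
static int copy_record_checked(char dst[RECORD_MAX], const char *src, size_t len)
{
    if (len >= RECORD_MAX)
        return -1;              /* oversized: refuse instead of overlaying memory */
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    char rec[RECORD_MAX];
    const char ok[] = "ACCT-0001;1200.00";   /* constructed sample record */
    char big[RECORD_MAX + 16];
    memset(big, 'A', sizeof big);            /* constructed oversized input */

    copy_record_unchecked(rec, ok, strlen(ok));   /* fine while input fits */
    rec[strlen(ok)] = '\0';
    printf("unchecked copy of a fitting record: %s\n", rec);

    if (copy_record_checked(rec, ok, strlen(ok)) == 0)
        printf("checked copy accepted: %s\n", rec);
    if (copy_record_checked(rec, big, sizeof big) != 0)
        printf("checked copy rejected %zu-byte record\n", sizeof big);
    /* copy_record_unchecked(rec, big, sizeof big) is the crash Don sold. */
    return 0;
}
```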

July 26, 2011

HackPacks: now a Wavelet, tomorrow a Tsunami?


Not too long ago you needed to be fluent in HTML to post a website and create an Internet presence. Today you have blogs and social sites that require you just to type, and your words are accessible throughout cyberspace. Hackers have learned the lesson. Not too long ago you needed to be a dark-side computer scientist to hack away at your targets. Today, there are a host of “HackPacks” that allow the average Joe to be a Kevin Mitnick. It started with denial-of-service kits and evolved to increasingly more sophisticated tools. We have spotted cases where disgruntled former employees, out of work and loaded with free time, have used such tools to do a great deal of damage. In the future one should expect this to become a form of public protest. No longer will crowds parade outside the headquarters of a resented organization. HackPacks will be used by the multitude, putting their target under cyber siege. I mentioned this to our clients, but nobody yet is taking it seriously. We’ll see.

July 25, 2011

Hiring a Chief Security Officer


Having pointed out in our reports that in both cases of penetration the security chief was the culprit, this medium-size financial institution challenged us with writing guidelines for hiring a good person for the job. It was the first assignment of the kind for us, and we gave it a lot of thought. Here are some key findings: A security chief must first and foremost be a warrior — more than a technologist, more than a geek, more than a good communicator. All the above are very important, but most important is the ingrained recognition that security is a war — tiring, demanding, unending. And consequently, a security chief cannot be a relaxed tenured professor on the one hand, nor a nervous wreck or a crying baby on the other. Does he or she handle stress well? Are they leaders? Why? Because a good security chief will have to marshal the many people with relevant knowledge, and put them together as an efficient team to give him clear, actionable answers for how to manage this unending cyberwar. The two failing chiefs were individually exceptionally knowledgeable about computers and networks. So much so that they analyzed and evaluated all security issues on their own, ignoring the benefit of group wisdom. Both chiefs suffered a blow in a technological area they were not top experts in (while others in the company were — but were not consulted). They both fell apart when the incident unraveled, and both took steps that aggravated the situation, because smarts and intelligence are separate attributes from self-control, composure, and the ability to work under stress. When we emphasize leadership, we necessarily refer to character. Good security chiefs will treat people below them with total respect, treat people above them without fear and undue submission, and display sharp insistence on security compliance towards everyone. While leadership and character are critical, we must stress readiness to learn, to study, to keep up with technology. Alas, it is easy to teach someone a chapter in technology; it is impossible to reshape the character of an adult applicant. Direct your vetting towards character, leadership, and the recognition of the unending cyberwar.
