I am going to start publishing early drafts of some material for the book in the hope of feedback, criticism or maybe even words of encouragement. The book’s introduction is currently called “The Curious Case of Insecure Software” and has five sub-sections (all subject to change of course). It’s targeting 20,000 words or around 50 pages.
- Introduction
- A Brief History of Information & Computer Security (a timeline)
- Who Are The Hackers
  - Hacktivists
  - Computer Criminals
  - Terrorists
  - Industrial Espionage
  - Insiders
  - Security Vigilantes
- The Economics of Insecure Software
- A Call To Action
Who Are the Hackers?
Whether you get your news from the Internet, the television, newspapers or the local water-cooler, it’s hard to imagine anyone that hasn’t heard stories of the chaos caused by computer hackers. When talking about hackers I am of course referring to the type of person generally considered to be ‘bad’, but the term hacker has several meanings. RFC 1392, the Internet Users’ Glossary published by the Internet Engineering Task Force in January 1993, defines the term hacker as:
A person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. The term is often misused in a pejorative context, where “cracker” would be the correct term. See also: cracker.
The same document defines a cracker as:
A cracker is an individual who attempts to access computer systems without authorization. These individuals are often malicious, as opposed to hackers, and have many means at their disposal for breaking into a system.
Technically I should probably use the term crackers to describe ‘bad’ hackers, but the term hacker is so pervasive in modern vocabulary that I am going to use it casually throughout this book. That might upset the purists, who I am sure will point out that the world’s most famous hacker today is in fact Mark Zuckerberg, but I don’t think it’s important to obsess over titles. What is important is understanding who the hackers are, what motivates them and how they do what they do. While it is true that few people have the ability to influence their adversaries and change their behavior, understanding them allows you to be prepared and to design systems that are resistant to their modus operandi.
The US National Institute of Standards and Technology (NIST) publishes the Risk Management Guide for Information Technology Systems (Special Publication 800-30), which provides an excellent taxonomy of human threat sources that has worked well for me in many situations. I have extended it here to include a group of people that I feel can’t, or at least shouldn’t, be ignored, whom I call Security Vigilantes. As we will see they have a different profile from the other groups but can inflict an equally negative impact on a business. In the following sections we will explore each group, diving beneath the surface of who they are, what motivates them and how they typically operate. For each group I will highlight a case study to make it real.
The groups are:
- Hacktivists
- Computer Criminals
- Terrorists
- Industrial Espionage
- Insiders
- Security Vigilantes
Hacktivists
It seems fitting that the first group we examine is probably the closest to the classical definition of a hacker. The term hacktivist describes people who are motivated by ego and rebellion and who generally unite behind political ideologies. Those ideologies were traditionally focused on free speech, freedom of information and human rights, but in recent years have been driven by a backlash against the problems in the world’s financial systems. The term hacktivist was first coined in 1996 by a person with the online handle “Omega”, a member of the hacker group the Cult of the Dead Cow. Founded in Lubbock, Texas, the Cult of the Dead Cow or ‘cDc’ were themselves active in releasing tools used to bypass Windows security and in politically motivated campaigns against China. In my college days I confess to having played harmless havoc with some of my fellow students using a cDc tool called Back Orifice, or BO. BO was essentially a remote control agent that, when installed on a Windows computer, allowed the human controller to issue commands as if they were sat at the keyboard. Early in the morning, on the way back from drunken nights in the student bar, I used to backdoor machines in the college lab environment, hide in the corner and amuse myself opening and closing the CD tray or logging the keystrokes of innocent victims working late into the night on their dissertations. BO could be used to stop and start Windows processes, redirect TCP/IP traffic and in many more malicious ways than my innocent fun, and it can be considered an early example of the remote access tools that underpin what we have now come to know as botnets!
While the Cult of the Dead Cow were revered in their day, their prevalence and impact have been surpassed en masse by a modern hacktivist group calling themselves Anonymous. Anonymous have become such a force to be reckoned with that books have been written about them, documentaries made about them, and Google returns news about them as the first hit for a search for the term Anonymous. The prowess of a number one search ranking on Google is, however, nothing compared to the impact they have had on the world. Anonymous are believed to have originated in 2003 on the image board 4chan and polarize the Internet, with some calling them modern day Robin Hoods and others labeling them pure criminals. To understand Anonymous is probably to understand the cosmos of how users form social relationships on the Internet, but it’s certainly fair to say that Anonymous aren’t like groups we have seen before. Anonymous can’t really be described as a group in the traditional sense; it’s a flock, a loose collective or perhaps even better described as a concept. There is no membership: if you want to be a part of Anonymous you are simply considered a member by your desire, there is no joining per se. There is no formal leadership, although there is believed to be a high council that makes decisions.
Anonymous generally rally against Internet censorship and Internet surveillance but have engaged in campaigns against governments and the Church of Scientology, and on behalf of the lesbian, gay, bisexual and transgender communities. In an interview called the Face of Anonymous on the Internet radio show “Search Engine” they described themselves in the following way.
We [Anonymous] just happen to be a group of people on the internet who need—just kind of an outlet to do as we wish, that we wouldn’t be able to do in regular society. …That’s more or less the point of it. Do as you wish. … There’s a common phrase: ‘we are doing it for the lulz.’
The lulz moniker, a corruption of the Internet acronym LOL (Laugh Out Loud) popularized on Encyclopedia Dramatica, has become a calling card in online postings, and whether you despise or secretly approve of Anonymous it is hard not to snigger at some of the college humor used in their messages. Humorous or not, Anonymous and their offshoots like the LulzSec group that splintered off in 2011 are very serious. When Aaron Barr, the CEO of HBGary Federal, a sister company of the computer security company HBGary, claimed to have infiltrated Anonymous and threatened to identify a member called Commander X as a San Francisco gardener, HBGary found around 70,000 of their corporate emails dumped unceremoniously online along with their entire company document repository. Anonymous even took over Aaron Barr’s Twitter account, published his home address and social security number, and published a report implicating HBGary in a plot to take down the WikiLeaks site. For a computer security company, being hacked and humiliated in public is the biggest black eye you can get. I hope the majority of readers of this book are not security companies and therefore you may not be able to directly relate to the HBGary saga. Kicking the hornet’s nest, after all, is rarely good business unless it is your business, but hopefully most readers will relate to what happened to Sony.
Sony started to catch the attention of activists when one of their music divisions decided to add additional copy protection measures to compact discs as early as 2005. Sony BMG added software called Extended Copy Protection (XCP) and MediaMax CD-3 to around 100 music titles; the software installed automatically when the CD was played on a Windows operating system. Not only was the software itself a rootkit, hiding its own files and processes by hooking the Windows kernel’s system call table, it also contained critical vulnerabilities that allowed malware and viruses to attack the system. Sony had, in effect, silently installed a vulnerable backdoor on their legitimate customers’ machines for the bad guys to use. On the 4th of April 2011 Anonymous put Sony on notice:
Dear Greedy Motherfuckers SONY,
Congratulations! You are now receiving the attention of Anonymous. Your recent legal actions against fellow internet citizens, GeoHot and Graf_Chokolo have been deemed an unforgivable offense against free speech and internet freedom, primary sources of free lulz (and you know how we feel about lulz.)
You have abused the judicial system in an attempt to censor information about how your products work. You have victimized your own customers merely for possessing and sharing information, and continue to target those who seek this information. In doing so you have violated the privacy of thousands of innocent people who only sought the free distribution of information. Your suppression of this information is motivated by corporate greed and the desire for complete control over the actions of individuals who purchase and use your products, at least when those actions threaten to undermine the corrupt stranglehold you seek to maintain over copywrong, oops, “copyright”.
Your corrupt business practices are indicative of a corporate philosophy that would deny consumers the right to use products they have paid for, and rightfully own, in the manner of their choosing. Perhaps you should alert your customers to the fact that they are apparently only renting your products? In light of this assault on both rights and free expression, Anonymous, the notoriously handsome rulers of the internet, would like to inform you that you have only been “renting” your web domains. Having trodden upon Anonymous’ rights, you must now be trodden on.
If you disagree with the disciplinary actions against your private parts domains, then we trust you can also understand our motivations for these actions. You own your domains. You paid for them with your own money. Now Anonymous is attacking your private property because we disagree with your actions. And that seems, dare we say it, “wrong.” Sound familiar?
Let Anonymous teach you a few important lessons that your mother forgot:
1. Don’t do it to someone else if you don’t want it to be done to you.
2. Information is free.
3. We own this. Forever.
As for the “judges” and complicit legal entities who have enabled these cowards: You are no better than SONY itself in our eyes and remain guilty of undermining the well-being of the populace and subverting your judicial mandate.
We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
Expect us.
Immediately Sony started experiencing Distributed Denial of Service (DDoS) attacks on the Sony PlayStation Network, in which malicious users flooded the system with seemingly legitimate traffic that saturated its capacity to serve its legitimate users. Later in this book we’ll explain why application-level denial of service attacks are a complicated problem to deal with effectively and describe approaches to building DDoS resistance into your systems. On April 20th Sony took the PlayStation Network offline amid rumors of piracy, and on April 26th it emerged that a major hack had occurred: the names, addresses, email addresses, birth dates, usernames and passwords, and profile data of 77 million accounts, and possibly credit card data, had been stolen. Sony publicly blamed Anonymous, who denied the breach. Within 24 hours Sony customers were complaining online of credit card fraud and very publicly blaming Sony. On April 27th staff from the Sony Online Entertainment division were actively informing people that “We have been conducting a thorough investigation and, to the best of our knowledge, no customer personal information got out to any unauthorized person or persons”, but a week later it was a very different story when it was reported that the dates of birth, email addresses and phone numbers of 25 million customers, along with 13,000 credit card and 10,000 direct debit banking records, had been stolen.
The Sony PlayStation Network and Online Entertainment businesses were offline for 24 days, and on May 24th Sony posted a loss of $3.1 billion for the 2011 fiscal year, citing the earthquake and the PlayStation Network failure. In their statement Sony made a provision of $171M for the associated costs of dealing with the PlayStation breach, and if you think that’s bad, things weren’t over yet. Regional sites and Sony divisions were being hacked on a seemingly daily basis, and then on June 2nd the passwords, email addresses, dates of birth and more of over 1,000,000 users were stolen from the Sony Pictures systems. The attackers had used a SQL injection vulnerability, something we’ll cover in detail later in the book. LulzSec published the following statement online:
“Our goal here is not to come across as master hackers, hence what we’re about to reveal: SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks? What’s worse is that every bit of data we took wasn’t encrypted. Sony stored over 1,000,000 passwords of its customers in plaintext, which means it’s just a matter of taking it. This is disgraceful and insecure: they were asking for it.”
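LulzSec’s statement names two separate failures: a login or search query that spliced user input straight into the SQL text, and a password column stored in plaintext. Neither is explained in the draft, so the following is an added example (my illustration, not code from the book or from any Sony system) that reproduces both in miniature against an in-memory SQLite database. The table, the two users and their passwords are constructed for the illustration; the `' OR '1'='1` payload is the textbook injection string. The vulnerable login is shown beside a parameterized one, and the plaintext column beside a salted PBKDF2 hash, so you can see what a single injection yields in each case.

```python
"""Added example: a classic SQL injection against a string-built login query,
the parameterized fix, and why plaintext password storage turns one injection
into a full credential dump. All data below is constructed for illustration."""
import hashlib
import hmac
import os
import sqlite3

# Assumption: 600,000 iterations is OWASP's 2023 figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=b""):
    """Return 'salt_hex$digest_hex' using PBKDF2-HMAC-SHA256 and a random 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_db():
    """Constructed sample data: each password stored both in plaintext and hashed, for comparison."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_plain TEXT, password_hash TEXT)")
    for user, pw in (("alice", "correct horse"), ("bob", "hunter2")):
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, pw, hash_password(pw)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input becomes part of the SQL statement itself."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}' AND password_plain = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Fixed: input is bound as a parameter, never parsed as SQL, and checked against a hash."""
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def dump_plaintext(conn):
    """What an attacker reads once they can run arbitrary SELECTs against a plaintext column."""
    return conn.execute("SELECT username, password_plain FROM users ORDER BY username").fetchall()


def run_demo():
    """Exercise both logins with a normal wrong password and with the injection payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # turns the WHERE clause into (... AND password_plain = '') OR '1'='1'
    return {
        "vuln_wrong_password": login_vulnerable(conn, "alice", "wrong"),        # False
        "vuln_with_payload": login_vulnerable(conn, "alice", payload),          # True: auth bypassed
        "param_with_payload": login_parameterized(conn, "alice", payload),      # False: just a bad password
        "param_right_password": login_parameterized(conn, "alice", "correct horse"),  # True
        "plaintext_dump": dump_plaintext(conn),                                  # every credential, readable
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The injection works because the database cannot tell where the developer’s SQL ends and the attacker’s input begins; binding the value as a parameter removes that ambiguity entirely, which is why it is the fix rather than input filtering. Hashing does not stop the injection, but it changes what the attacker walks away with: a salted, iterated hash per user that must be cracked offline instead of a million passwords ready to reuse.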
In the time that has passed since the initial assaults over the summer of 2011, Sony has continued to be under constant attack across many areas of their business; more user accounts have been compromised, hackers have posted fake celebrity stories on Sony entertainment web sites and stolen intellectual property. Legal class actions by Sony customers are in full flow.
As you can see from the actions of one hacktivist group against one company’s systems, the impact can be dramatic. Hacktivists use a range of techniques, from social engineering to simple and sophisticated technical attacks, to get their message across however they can.
</end of draft>
I will post the drafts for the other groups (Computer Criminals, Terrorists, Industrial Espionage, Insiders & Security Vigilantes) in the coming week, and as always, feedback is appreciated.