Authors: Mark Russinovich
Digital Security News
Cyber Threats More Serious than Terrorism
By Wilson X. Heller
FBI Deputy Director Walter Chase argued Friday that cyber-security attacks will soon be a greater threat than terrorism. “Though terrorism remains the FBI's top priority, it is now apparent that cyber threats will soon pose the primary menace to our national security,” Chase said in a speech before the American Cyber-Security Conference.
As a result, he added that the FBI “is taking lessons it has learned from fighting traditional terrorism and applying them to cyber-crime.” The FBI agents specializing in cyber-attacks will have the most “sweeping skill set in the bureau.” He urged attendees to consider a career with the FBI.
At the desk in his San Diego hotel room, Jeff Aiken stared at his computer screen. He had fifty-five minutes. CyberCon was being held just around the corner, not five minutes away. He'd started this current project from his home office in Georgetown, D.C., and brought it to an initial point of conclusion. On the cross-country flight, he'd expanded his work and now was busy completing another fix. For some weeks his client, RegSec, had been threatened by the hacktivist group Anonymous. “Justice will be swift!” had read one posting. “Prepare to be extinguished!!!” read another. Anonymous had even named their attack “Operation Desolation”. Given their track, RegSec's management had every reason to be concerned.
RegSec, a major investment group and bank, was in the news, having just been cleared by a federal court for its part in the financial meltdown. Through their vast offshore holdings RegSec had been short-selling derivatives under suspect circumstances in the months leading up to the financial collapse. The Court of Appeals had reversed the earlier adverse verdict, ruling that the offshore entities were sufficiently independent of corporate control as to not violate United States law. There was no doubt that RegSec had engaged in unethical and contemptible conduct, amassing billions at the expense of hapless homeowners lured into overpriced houses, but legally—technically—the company had broken no law.
The flamboyant founder and principal owner of RegSec, Reginald Hinton, had celebrated the victory in typical style by flying a bevy of Las Vegas showgirls to his private Bahamas island for a party and making a series of off-the-cuff media statements.
That was when Anonymous had announced its cyberattack. Anonymous was the name given to an Internet meme that originated online in 2003. The concept was for a multitude of committed hackers to act simultaneously to form a vast anarchic, digitized, global brain trust, which would crush targets. Though primarily concerned with antidigital piracy laws, Anonymous had evolved into a broader based, international organization, if the word even applied to such a disparate group.
They'd been roundly criticized in the mainstream media, called “hackers on steroids” and even “domestic terrorists.” Unfazed and undaunted, they'd continued their assaults on select targets. Because of its aggressiveness and notoriety, Anonymous was the epitome of hacktivism, which was the general theme of this CyberCon. Jeff was going to make a presentation later in the afternoon at the conference, but a good friend from his days with the CIA was appearing in a panel discussion in—he glanced at his wristwatch again—forty-nine minutes, and if rumor was true, even Anonymous itself planned to take part in it.
Comprised primarily of teenagers, though with a number of gifted adult hackers, Anonymous lacked any central control. Proposed targets were posted online and if a sufficient number of hackers in sympathy with the operation joined in, the subsequent attack could be digitally devastating. In recent years Anonymous had successfully penetrated the United Nations's databases, those of the Bank of America, and even the U.S. Department of Defense (DOD).
As part of its antisecurity effort the group had stolen a gigabyte of data from NATO, posting on a Twitter account “Hi NATO. Yes we haz more of your delicious data. You wonder where from? No hints, your turn. You call it war; we laugh at your battleships.” Juvenile, yes, but the group had successfully stolen highly confidential information.
Anonymous also had launched a cyber-attack on media giant Sony as part of its self-described Operation PayBack. This was done reportedly as retaliation for Sony taking legal action against the man who'd engineered the successful jailbreak of Sony's PlayStation 3. Waves of Anonymous attacks against Sony began with a distributed denial-of-service (DDoS) attack that temporarily took offline several Sony Web sites and continued with breaches of the Sony Online Entertainment and the Sony PlayStation Network sites. This resulted in the theft of account details for over 70 million Sony customers.
In one of its most embarrassing attacks, Anonymous had secretly recorded a conference call between the FBI and Scotland Yard in which they discussed their investigation into Anonymous hackers. Anonymous then published the call on the Internet. It developed that they'd gained access by hacking the personal e-mail account of one of the intended participants and lifting the log-in information from him. Most recent, they'd accessed local and state police records, making them available online. In addition, Anonymous was commonly believed to work hand-in-glove with WikiLeaks.
For all their vaunted successes, not every operation succeeded—most in fact did not, but when highly motivated, Anonymous had proven itself capable of widespread destruction against its targets. They subjected companies to relentless probes, searching for any weakness. Once they had their foot in the door anything was possible. This could include defacing the company's Internet Web site, stealing customer financial information, disclosing confidential management information, even looting accounts.
The RegSec CEO had tossed kerosene on the fire by publicly condemning Anonymous and demanding the Department of Justice take criminal action against the group for its efforts at intimidation against his company. He'd gone on to brag that the company's Web site was impervious to hackers and to DDoS attacks. This had only served to increase the threats against the company and to make a concerted attack more likely.
For nearly three weeks following the court decision, Anonymous had drummed up support on the Internet by posting YouTube videos in support of its plan and spreading word through Twitter. Then they'd launched a DDoS attack, bringing on board hundreds of sympathetic volunteers in the effort.
The plan had succeeded for two hours, bringing the Web site crashing down, and that was when Jeff received a frantic call from the IT director at RegSec, hiring him to stiffen its Web site defenses in preparation for the next phase of the ongoing effort by Anonymous. That phase would involve stealing of information, then the public disclosure of it. Failing that, Anonymous would be content with simply defacing the Web site. Either would create a loss of confidence with the public and cost the company tens of millions in lost revenue, as well as drive down the stock price.
Jeff found the antics of the company CEO intolerable. He'd been sorry to see the court case dropped when he'd read about it. Exploiting corporate law loopholes for gain was not only immoral, it should be illegal. Still, in his line of work, this was a situation in which he occasionally found himself. While he had no regard for the corporation or its ostentatious founder—indeed, nothing but contempt—he was concerned for its millions of innocent customers. He couldn't control the irresponsible behavior of the company's founder, but now that he was on the job Jeff took keeping the site and its customers secure as a personal mission. He didn't like failure and it was now him versus Anonymous.
By this time, he had completed most of his analysis and in the process cleaned up several problems. Prior to boarding the plane to San Diego, he'd brought other problem areas to the attention of the company's IT director. His personal fixes had included patching the operating system and encrypting the bank's database of customer account passwords, steps that should have been unnecessary if the bank had followed standard cyber-security hygiene. Now he was assured that the bank was logging all Internet traffic to a separate database from their front-end servers. In the event Anonymous managed to infect those servers and delete the local logs, Jeff hoped to be able to see where the attack came from and deal with it at that end.
He uploaded his final change—for now. When he had more time, he'd backtrack and be certain he'd secured the system to the best of his ability. And he'd check to confirm that the IT department had acted on his recommendations. Jeff glanced at his watch again. He just had time for a quick shower before heading to CyberCon.
He'd arrived late the previous night and only slept a few short hours as the RegSec project was so urgent. He couldn't help but wonder why the company hadn't hired him once Anonymous had threatened it rather than wait until after the DDoS attack. Well, too often that was the way these cases started.
He'd worked all morning, and was sorry to have missed the opening of CyberCon and in particular the morning talk and demonstration of an Android zero day vulnerability exploit. He'd been curious to see if it was one that he and his partner Daryl, also his girlfriend, had already discovered while working on a government contract for that purpose.
CyberCon was the creation of Clive Lifton, a diffident, slightly scholarly man of middle years. He owned a small but highly regarded security training and consulting company of about thirty employees. Clive ran the conference as an indirect way to advertise his company and its services to the security community. This year CyberCon was cosponsored by Combined Technologies International (CTI), a major DOD contractor. Upward of fifty of its employees were in attendance.
Clive was an old colleague and friend with whom he and Daryl frequently traded information concerning attack techniques and security gossip. He'd tried to hire them some months earlier but they'd preferred to continue working for themselves. Jeff was looking forward to seeing him again.
Showered and dressed in casual slip-ons, tan Chinos, and blue travel blazer, Jeff headed out of the hotel into the sun. He spotted the wide delivery alley he'd used earlier as a shortcut and ducked into it. There were two vans and one delivery truck busy off-loading. For a moment he caught the slightly unpleasant odor of rotting vegetables. He walked briskly the short distance to the next street, looked left, then right, before jaywalking to the hotel entrance where CyberCon was held. He'd booked too late to get a room there.
As Jeff stepped through the doors he heard a voice call his name. He looked over and there was Dillon Ritter, a well-known programmer with CTI. “Running late, aren't you?” he said as the pair shook hands. Ritter was of average height and recently had grown overweight. He wore frameless glasses and had already lost most of his hair. Jeff had heard of his recent divorce.
“Busy. I want to catch the panel. Aren't you on it?”
“Relax. I've got ten minutes. Come on. I'll show you where.”
“Is it true Anonymous is taking part?” Jeff asked as they went to the registration desk to pick up his credentials. Several attendees, two or three from CTI, spotted Jeff and nodded their head in recognition.
“Yes, it is.” Ritter's tone voiced his disapproval. He was well known for his hard line against hacktivism. He'd published several articles on the subject.
There were about six hundred attending this year's CyberCon, which made it a midsized conference, one of the more intimate. There was a ring of booths around the perimeter, some with scantily clad women known as booth babes. There were two rows of booths on the floor itself as well. These were run by various computer and Internet companies, some household names while others were known only to those working in the cyber-security industry. As always, there were fresh names Jeff would want to check out.
It was ten men to every woman, as was typical at these events. Dress ran from business casual to the genuinely nerdy and was an uncannily accurate means for predicting what the wearer did. Those in the occasional suit were either with one of the traditional computer companies or were from the FBI or another law enforcement agency.
“All the talk's about the Anonymous RegSec D-DoS,” Ritter observed. “That was something, especially after the CEO said it couldn't happen.”
“Not the smartest of moves. So how's Anonymous going to be here?”
“They're putting a monitor on one of the stools. Someone representing Anonymous is supposed to participate, using Skype.”
“This should be interesting.”
Ritter shrugged. “I guess. I don't know why they're giving these criminals exposure. It only makes them appear legitimate.”
Jeff had thought the same thing. “You have a point.”
“When's your talk?”
“This afternoon at three thirty.”
“Here we are,” Ritter said, and directed Jeff into a large meeting room. It was filled to overflow what with the rumored appearance of Anonymous. Love it or hate it, no one was neutral about the group, or about hacktivism for that matter.
“I'm glad I ran into you,” Ritter said, pausing at the entry to the room. “Want to grab a drink and then dinner after your session?”
“Sure, it would be good to catch up,” Jeff responded. A major reason to attend conferences such as these was to network with other members of the cyber-security community. Even if Ritter wasn't one of Jeff's favorites, their relationship went back many years and Jeff had been too busy leading up to the conference to set up dinner plans.
All the seats were taken so Jeff stood at the back of the room with other latecomers. He recognized the short woman to his left and nodded to her but couldn't recall her name or where he'd last seen her. Ritter was up front now, taking his place as Clive fixed a miniature mic to his lapel. He'd be moderating this discussion himself.