Cyber War for Crash Test Dummies


A lesson from the old school

The first casualty of war, they say, is truth; and that is certainly the case with the current round of cyber-skirmishing. A man who can confirm this personally is Mark Jeftovic, CEO of EasyDNS, who found his company being vilified and subjected to cyber attack for something it had nothing to do with. You see, EasyDNS had been named by a number of prominent media outlets, including the Financial Times here in the UK, as the company that had cut off DNS service to the Wikileaks website (loosely reported as revoking its domain name registration, which in fact was never touched), thus making it effectively invisible to any web browser.

Every web address has a domain name (like wikileaks.org), but behind it sits an IP (Internet Protocol) address, roughly equivalent to a telephone number (213.251.145.96 in the case of wikileaks.org at the time of writing). DNS (the Domain Name System) performs the lookup that converts the name you type into your browser into an IP address so that the connection can be made. Stop the DNS servers answering for a name and the website becomes impossible to reach by that name, unless you happen to know the IP address; it is like your name being removed from the phone book while the number still works for anyone who knows it. In fact, the outfit that had dropped Wikileaks' DNS records was EveryDNS, a free DNS hosting service in the USA that lets users publish the records for their domains on its servers. Jeftovic, despite what was said about him and his company, is in fact a supporter of Wikileaks and has since offered DNS service to the site through EasyDNS.
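To make the name-to-address step concrete, here is an added example (mine, not the author's, and not the code of any real resolver) that builds a DNS query for wikileaks.org in wire format and parses two constructed replies: one answering with the address quoted above, and one modelled on what a resolver hands back once the hosting nameservers stop serving the zone, a SERVFAIL (rcode 2). Both packets are built inside the block; nothing is sent over the network, and the 300-second TTL is an assumed value.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels, ending with the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label length in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A standard A-record query: 12-byte header (RD=1, one question) plus the question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer into the message
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:  # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> dict:
    """Pull the response code, questions and A-record answers out of a reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(msg, offset)
        qtype, _qclass = struct.unpack(">HH", msg[offset:offset + 4])
        offset += 4
        questions.append((qname, qtype))
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: four-byte IPv4 address
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def build_response(query: bytes, ips, rcode: int = 0) -> bytes:
    """Constructed server reply: echo the question, then one A record per address.

    Each answer name is a pointer (0xC00C) back to the question name at offset 12.
    """
    txid = struct.unpack(">H", query[:2])[0]
    question = query[12:]
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)  # QR, RD, RA
    answers = b""
    for ip in ips:
        rdata = bytes(int(part) for part in ip.split("."))
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


WIKILEAKS_IP = "213.251.145.96"  # the address the post quotes


def resolve_demo():
    """Return the parsed reply while the zone is served, and after it is dropped."""
    query = build_query("wikileaks.org")
    served = parse_response(build_response(query, [WIKILEAKS_IP]))
    dropped = parse_response(build_response(query, [], rcode=2))  # SERVFAIL: no zone to answer from
    return served, dropped


if __name__ == "__main__":
    for label, reply in zip(("served", "dropped"), resolve_demo()):
        print(label, reply)
```

The post's point follows directly from the second reply: it carries no address, so a browser has nothing to connect to, while anyone who already holds 213.251.145.96 can still open a connection to it. Real resolvers also cache, so a deletion only bites as cached records expire (the constructed reply's TTL is 300 seconds), and a recursive resolver whose upstream refuses or times out will typically report SERVFAIL rather than NXDOMAIN, since the zone was dropped rather than the name deleted from it.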

It serves however to reveal a simple, but basic, insight into what the internet is: a set of communications protocols, developed between US Government computers in the 1970s, that were then applied to any computer in the world that adopted those protocols and could reach the network, typically over the global telephone system; and it was there, in the 1990s, that Tim Berners-Lee's small masterpiece, the HTML page served over HTTP, gave us the web browser to navigate the new environment and created the world wide web. And so it was that an overnight ftp-by-email request to a NASA server for the image of the day, typed into a green screen display, became near-live imagery from the surface of Mars viewed in Google Chrome. Yet it was obvious from the green screen days that the biggest impact of the net was not just the communication, email, usenet and the like, but also the ability to access functionality and data on much more powerful remote machines.

This extraordinary explosion in functionality of the internet-enabled computer has been driven by the rapid commercialisation of the net as it entered the mainstream. The global internet might seem an odd place to fight a war, since it’s all virtual; but in the modern world it connects to an array of assets – government, military, commercial, industrial – that are targets in any war. It also affects something else considered to be fair game by some – civilians, like you and me.

First Manassas

The current round of cyber-skirmishing broke out following the US Government's attempts to swat back at Julian Assange after he received an archive of classified US diplomatic correspondence and handed it to a number of newspapers to publish. Not that Assange himself carried out or even sanctioned such attacks, but nonetheless his Edmund Ruffin-like release of the embassy cables inspired some of his supporters, and others simply up for a rumble, to get engaged anyway. Principal among them was the group known simply as Anonymous, so named because it formed on imageboards like 4chan, where disparate users post under the default identity "Anonymous". It first attained cohesion when someone jokingly referred to it as a real person, and it then took on a life of its own as an internet meme. Since it formed from a random sample of young people idling on message boards in western countries, it became the cyber embodiment of Nigel Bagnall's dictum that "nations are human beings writ large"; in the pure spirit of anarchy, targets were agreed and a plan to attack them hatched. An early target, in 2006, was the website of white supremacist talk show host Hal Turner, who said the campaign had cost him thousands of dollars in bandwidth bills and who sued 4chan and other sites over it (the suit was dismissed); the group also helped set up a news site in support of the Iranian Green Movement during the disputed 2009 election. On the other hand the same group took the music site AllHipHop offline after a spat with some of its members, and it was widely blamed for hacking the Epilepsy Foundation's website to display images of bright flashing lights.
Their longest running and best known campaign is the ongoing beef with the Scientology movement, although a better insight into their membership's psyche is the long-running tie-in with The Pirate Bay, a Swedish site that indexes BitTorrent files and so lets users locate and download copies of the latest DVDs and CDs without paying for them. Anonymous' dislike of the Swedish government goes back to long before Wikileaks, as Sweden prosecuted The Pirate Bay's operators in 2009. As to who Anonymous really are, that is a matter of some debate. The only arrest made to date following the pro-Wikileaks attacks was of a teenage boy in Holland, and given the pattern of actions so far, that might not seem so surprising.

The chosen targets on this occasion were far more mainstream: Visa (for refusing to process donations to Wikileaks), Amazon (for withdrawing hosting services from Wikileaks) and the Swedish Government (for seeking Assange's extradition over allegations of sexual offences); all considered to be part of a wider front opposing Wikileaks. Their chosen mode of attack was the DDoS (Distributed Denial of Service). Any computer, even a virtualised server spread across a cluster of physical machines in a datacentre, or across several datacentres around the world (so-called cloud computing), is still a machine with finite capacity, and so it can be swamped. This is done with software that fires off the requests of many simulated users at once, overwhelming the site and causing it to fail; even if the site does not crash, it still stops real users getting through, which has much the same outcome.

Ploughshares and Swords

This type of software in fact has legitimate uses, for instance to stress test a new server stack or to fine tune the search algorithms of a large and complex database. The same technique built into malware (malicious software) results in a weapon that can be used to attack computer systems, or the public facing parts of them at least. There have been numerous instances of it being used by ad hoc activists, such as the group of Irish students in 2001 who brought down the Finance Department server in Dublin, or by governments, such as the attacks launched against Georgian military and government systems during the 2008 South Ossetia war. Variants created for criminal purposes are now available on the net for download. The tool used by Anonymous is called LOIC (Low Orbit Ion Cannon), and they ran it as a voluntary botnet (robot network): a collection of computers, running into the thousands, each running a copy of the software and pointed at the same target in synchronisation. The alternative is to hide the payload inside a virus, distribute it onto hundreds of thousands, maybe millions, of computers and then have them all activate at once: a conscripted botnet.

DDoS attacks can seem alarming and dangerous, and indeed they are, but that is what we thought about viruses when they first appeared on computers. The first true virus, as far as is known, was Elk Cloner in 1981, which spread via infected floppy disks on Apple II computers; it had been created by Silicon Valley programmer and entrepreneur Rich Skrenta when he was still at high school, as a practical joke: all it did was display a short poem on every fiftieth boot. Nearly thirty years later viruses have come on somewhat, and we have adapted to defend against them, whether they try to damage our machines, harvest their data, spread spam or launch DDoS attacks.

Modern server installations are protected by a dual firewall system, consisting of outer and inner lines of defence; the area between is known as the DMZ (De-Militarised Zone), an area of limited functionality and access where the system's public facing functions are located, while the core systems lie behind it. A DDoS attack is let through the outer firewall, because it looks like web traffic, and can sometimes overwhelm the hardware running the web server, but it does not by itself get past the inner defence. Just as in the early battles against viruses, the defenders soon learned that because the virus was an identical copy of an original file, it had a signature that could be detected and deleted. Similarly, as a DDoS attack comes in, the signature of the incoming requests (the same request, the same browser string, repeated from many sources) can be detected and blocked. In the fight against viruses the malware writers then developed strains that altered themselves slightly with every copy, the so-called polymorphic viruses; expect the same evolution in DDoS attacks that subtly alter each page request to confuse the firewall, at which point the defender falls back on what cannot be disguised, the sheer rate of requests and where they come from.
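As an added illustration of the signature-versus-rate point (my example, not something from the post or from any real product), the following Python runs two simple detectors over constructed Apache-style log lines: ordinary browsing, a flood in which every node sends an identical request, and a flood in which each request differs slightly in path and browser string. The request signature catches the first flood but not the second; a per-source request rate catches both. The IP addresses, User-Agent strings and the "FloodTool" name are all made up, and the thresholds are assumed values.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def signature_flood(records, min_hits=50, min_sources=5):
    """Signature detection: one (method, path, user-agent) tuple repeated from many sources."""
    hits, sources = Counter(), defaultdict(set)
    for r in records:
        sig = (r["method"], r["path"], r["ua"])
        hits[sig] += 1
        sources[sig].add(r["ip"])
    return {sig: n for sig, n in hits.items() if n >= min_hits and len(sources[sig]) >= min_sources}


def rate_flood(records, window_s=10, max_per_window=20):
    """Rate detection: any source exceeding max_per_window requests in a sliding window_s window."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"].timestamp())
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[ip] = peak
    return flagged


def make_logs():
    """Constructed log lines (not real traffic): browsing, a fixed flood, a varying flood."""
    fmt = '{ip} - - [10/Dec/2010:14:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    browser = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/3.6"
    lines = []
    # ten ordinary visitors, three pages each, spread over a minute
    for i in range(1, 11):
        for j, path in enumerate(["/index.html", "/about", "/news"]):
            lines.append(fmt.format(ip=f"10.0.0.{i}", sec=j * 20, path=path, ua=browser))
    # eight flood nodes firing an identical request three times a second for ten seconds
    for i in range(1, 9):
        for n in range(30):
            lines.append(fmt.format(ip=f"198.51.100.{i}", sec=n // 3, path="/",
                                    ua="FloodTool/1.0 (constructed)"))
    # eight more nodes at the same rate, but every request differs in path and User-Agent
    for i in range(1, 9):
        for n in range(30):
            lines.append(fmt.format(ip=f"203.0.113.{i}", sec=n // 3, path=f"/?r={i}{n:02d}",
                                    ua=f"{browser} build{n}"))
    return lines


def analyse(lines):
    """Run both detectors over raw log lines and return what each one flags."""
    records = [r for r in map(parse_line, lines) if r]
    return {"parsed": len(records),
            "signatures": signature_flood(records),
            "rates": rate_flood(records)}


if __name__ == "__main__":
    result = analyse(make_logs())
    print("signature hits:", result["signatures"])
    print("rate hits:", sorted(result["rates"]))
```

Running it shows the fixed flood flagged once by signature (240 identical requests from eight sources) and all sixteen flood nodes flagged by rate, while the varying flood leaves the signature detector with nothing to match. The rate threshold is the part that needs tuning in practice: an office behind one NAT address or a search engine's crawler will show a high per-source rate too, so you would whitelist known sources and watch the aggregate request rate to the site as well as any single address. And a flood from tens of thousands of conscripted machines, each sending only a few requests, slips under per-source limits altogether, which is why volume from a large botnet is harder to absorb than a few thousand volunteers running LOIC.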

Such attacks, while alarming, mostly affect only the public facing parts of a system. In order to attack the core system a more sophisticated tool is required. Attempting to use brute force to penetrate an inner firewall is unlikely to work, so an alternative vector must be found; this type of attack introduces a virus from within the network itself and then lets the virus go after critical parts of the system. A classic example is the widely reported use of the Stuxnet worm against the Iranian uranium enrichment facility at Natanz, by a person or persons unknown, earlier this year. Probably introduced onto the network via an infected USB stick, the worm installs itself on a Windows PC; it got around the Windows driver-signing checks that identify software as coming from a known publisher by using two stolen certificates belonging to the technology firms Realtek and JMicron, two companies with no connection except that both have their headquarters in the same business park in Taiwan.

Having installed itself, it then searches the network for a specific type of Siemens industrial control software (the Step 7 system used to program Siemens PLCs). When it finds it, it takes over the PLC (Programmable Logic Controller), the small ruggedised computer that actually drives the machinery, and issues a set of commands to, for instance, make the centrifuges rotate at an erratic speed until they break. So elaborate was this attack that the IT security firms who analysed it described it as the most sophisticated piece of malware they had ever seen; it is extremely unlikely that this was the work of a disgruntled individual or small group. Some observers now believe it should be linked with the recent targeted assassinations of nuclear scientists in Iran and originates either in Israel or some other Middle Eastern state. This is based on a registry value the worm checks, named "19790509", which can be read as 9th May 1979, the date a Jewish businessman was executed in Iran, and on a file path compiled into it that includes the word Myrtus, said to be a reference to the myrtle plant, which represents the male force in some branches of Jewish mysticism and which others read as an allusion to the Book of Esther (Hadassah, Esther's Hebrew name, means myrtle). On the other hand, you could point out that the registry value is one of hundreds and could be a coincidence, and that MYRTUS could also mean "My RTUs" (Remote Terminal Units, a common component in computerised industrial machinery).

By now it ought to be obvious that cyber war is anything but virtual. An attack by a militant group or a nation state consisting of massed DDoS assaults against online facilities, together with activation of previously planted malware on computers in critical systems, followed up with a general virus attack to disable personal computers, would have devastating consequences. So forget about lurid tales of hacking the power grid; with everything that we now know about the inter-dependency of the banking system, what do you think would happen if, say, a major bank's systems were taken down?

Open and Shut

Whilst evidence of cyber espionage between the major powers is abundant, and concerns about attacks from another country are natural enough, the cyber war that none of us saw coming was a western civil war: a conflict between ourselves over something that most of us never imagined we particularly lacked, free speech and transparency. Without wishing to seem complacent, if I look at the world as a whole there does not appear to be much of a "free speech deficit" in western countries, and certainly not in the USA. But before you offer the thought that there are many other more deserving targets if one wishes to punish a lack of free speech, I would caution against such an approach. You see, we have been here before, in a desert kingdom far away that suddenly found itself catapulted into the super-rich league by a huge supply of oil under its land. But no sooner had they started growing the economy and created a viable middle class than the sons of that middle class started complaining that it was lacking in Islamic values. It was of course pointed out to them that there were more Islamic values there in the kingdom than in any other place on earth; surely the Christian west is a more un-Islamic place? And whilst it may have seemed a harmless way to let off steam by letting the youth sound off at the west, what they didn't foresee was that it would produce a death cult that spread to the sons of wealthy expats in Europe who would then …. well, I'm sure you get the drift.

As for the openness of the internet, that is rapidly coming to an end. The fight for net neutrality, the equal treatment given to all types of internet traffic, is set to be lost, as users of high-capacity premium content won't just be paying for the content, they will be paying for bandwidth priority as well. The whole concept of an open net is bogus anyway; this began as a government system, there were always rules of behaviour and there were always places that you couldn't go. If it's just letting off steam in chat rooms then it's no problem; once it tries to take a major ecommerce site offline it becomes something more problematic.

Not everyone wants the chaos of an open web. For many, their primary use for it is social networking, so a better idea of what the future of the web is going to be like is Facebook. This is intended to be more than just a web site; it aims to be an alternative way of accessing web functions, and for many people it has become their primary connection to the internet. A range of Facebook apps have appeared that run only within Facebook and provide you, the user, with just the service stream. This aims to be an alternative environment for computer use, and in hosting its own apps it is acting in many ways as an alternative operating system. With data and apps hosted in the cloud, you will require only a basic, low power computer to access it, like an iPad for instance. Expect this trend to spread, with specialised environments growing up to service particular user groups. Also expect such services to go subscription based and to cut deals with ISPs to provide enhanced bandwidth and connectivity to their paying customers. This is more like the Telnet experience of the old days, i.e. a way of connecting to a server over the net and having your computer act as a terminal of that server.

Paying customers of these services will expect stricter rules of behaviour to be enforced; the situation where a youth downloading an illegal copy of a DVD from The Pirate Bay gets the same priority for bandwidth as his grandmother using Facebook to keep in touch with her relatives will no longer exist. It may be impossible to stop The Pirate Bay, but the day is not far off when it will have to operate in a low-bandwidth slow lane.

If the intention of Wikileaks was to improve transparency in government, then I regret that it will fail. Diplomats will carry on just as before; they will simply use a more secure system in future. As for free speech, that will survive in the west perfectly well without Julian Assange's help, but the west doesn't own the web. It is a global system with other major powers, each with their own conception of what internet freedom means. If this incident has done one thing it is to underline the growing divide between the west and, for instance, China on the subject of an open internet. Some might say that divide has already become unbridgeable, and that in effect the internet has already divided into two distinct segments, where different rules of behaviour apply.

The future of the internet is not openness but fragmentation; what is also gone is the philosophy that said everything is free and you can say or do whatever you want. As for the World Wide Web, it was, and is, a misnomer. It should have been called the English-Speaking-World Wide Web, a reflection of the mores and opinions of just a fraction of the world's people. With the rise of economies like China that have very different ideas about what people should, and should not, be allowed to do online, expect the Web of the future to fragment into different geographical and cultural segments, where different sets of rules apply.

OpenNet, DiplomaticNet, AdultNet, ChildNet, ChinaNet, IslamNet, YouAintSeenNothingYetNet

Copyright ©2010 Savereo John
