The New Reality Cyberwar
© 2012 FrontLine Security (Vol 7, No 2)


A key takeaway from this article: Cyberwar is getting real. Really, really real.
Whether it’s nation states attacking each other in a new, 21st century form of age-old spycraft, strange attacks coming from unexpected sources, secretive armies of faceless hackers wreaking havoc worldwide, massive security breaches on a breathtaking scale, theft of intellectual property from companies once thought impregnable, or even the simple fact that almost everyone is carrying a wireless supercomputer in his or her pocket – cyberwar is no longer just theory. It’s fact. It’s happening. It’s constant. And it’s unrelenting. Let’s take a brief look at the major trends that have transformed cyberwar from a theory to a hot war fought right inside your own network. If you think you’re safe, you’re not. If you think this is science fiction, congratulations, you’re now living in the future.

Preemptive Cyberattack on a Nation-State Level
Unless you’ve been living under a rock, you’ve probably heard of Stuxnet. You may have also heard of Duqu, Flame, and Gauss. These are the names of malware weapons that have been used against Middle Eastern nations like Iran and Lebanon.

Stuxnet was carried into Iranian nuclear facilities on USB thumb drives. It is reputed to have destabilized and severely damaged nuclear centrifuges, setting the Iranian nuclear program back years.

Duqu is an industrial espionage worm used to tunnel into industrial facilities and exfiltrate confidential information about how those facilities operate.

Flame is something of a substitute for the age-old technique of gathering human intelligence. It turns on computer webcams and microphones to record what it sees and hears; it captures keystrokes; and intercepts Bluetooth transmissions. The information is then sent to its masters for further action.

Gauss is also an espionage tool, but it appears to be aimed specifically at Middle East financial institutions, carrying out the cyber equivalent of “follow the money.”

Almost all such tools – developed by North Korea, China, Russia, and many other nations – are either aimed at making money for their masters, gathering information, or both.

What makes Stuxnet, Duqu, Flame, and Gauss particularly curious are the accusations that these tools were developed by the United States government, in some level of cooperation with Israel. The New York Times claims this to be true, but provides neither supporting facts nor confirmation from America’s government.

Regardless of their origins, once these weapons were released into “the wild” of the Internet, they became accessible by talented technologists working for other nations, organized crime groups, terrorist organizations, and the like. The design behind these tools is likely being reverse engineered. It’s only a matter of time until these weapons of destruction and espionage are firmly in the hands of any number of destructive organizations.

Unexpected Attack Vectors
We’re all familiar with malware attacks that arrive via email attachments, or are downloaded when visiting a Web page of particular ill-repute. But cyberattack engineers have gotten even more creative in distributing digital disease.

One example of this is the Power Pwn. It’s a power strip that looks just like one you’d use under your desk, but the Power Pwn contains a wide variety of spectrum-scanning hardware, designed to explore your facility wirelessly from the inside. It then sends that information via wireless connection back to its operators.

On the consumer front, Web sites have become easier and easier to build. Much of that is because of the prevalence of “themes,” pre-built looks for Web sites that can be bought and installed by regular users, transforming the look of a site or a blog.

Criminals have picked up on the enormous popularity of these themes, and are now packing them with malicious payloads. They make the themes available online for free download, thereby assuring relatively widespread adoption. The themes aren’t meant to attack the Web site operators themselves. Instead, the Web site operators unwittingly become virtual mules after installing the themes on their Web sites. Once the theme is installed, every visitor to these legitimate sites can now be infected by the corrupted themes.

And then there’s social networking. A few years ago, social networking services like Twitter and Facebook didn’t exist; today, they have more than a billion users. That’s what you’d call a “target rich environment,” because every one of those billion users is a target. Whether it’s through URL shorteners that take Twitter users to unknown and malicious Web sites, or Facebook applications that exist to separate users from their money, social networking attacks are on the rise.

Hacker Collectives and Massive Password Breaches
Hacker collectives with now-famous names like Anonymous, LulzSec, and AntiSec are groups of individuals – hidden behind strange-sounding, mysterious user names and “handles.” Their members, said to be the digital “everyman” (teenagers, doctors, programmers, gardeners, laborers, teachers, cops and cabdrivers), are unified by a few simple elements: anger, the desire to extract retribution, boredom, and a need for Lolz (online amusement).

Hacker collectives have become a major force – causing disruption on an epic scale. Using Low Orbit Ion Cannon, a distributed denial of service attack weapon designed to disrupt systems, groups have aimed vast amounts of digital data (think of it as millions of fire hoses firing on a single target) at organizations as diverse as the U.S. Department of Justice, the Church of Scientology, the Recording Industry of America, and even PayPal.

The penetration of networks and the publication of user names and passwords is a newer trend. Within the past year, millions upon millions of login credentials have been stolen and published online, including 8.24 million Gamigo credentials, 32 million RockYou credentials, 6 million LinkedIn credentials, 1.5 million eHarmony credentials – the list goes on and on. This, of course, is after massive penetration attacks of banks, government facilities, and the famous Sony gaming breach.

It’s important to note that these password breaches aren’t just political statements. They’re destabilizing the very nature of computer security. With so much data now available about how people think about their passwords, hackers have been able to develop password hacking kits derived from their now vast sociological knowledge of human behavior. Where passwords used to provide a moderate level of security, they’re now vastly easier to breach than ever before.

Other breaches are even more famous, and not all were accomplished by hackers. Wikileaks, for example, published a tremendous amount of top secret government diplomatic information. The data was removed by a soldier entrusted with access. Even though the breach wasn’t from the outside, Wikileaks has been the center of its own firestorm, and hacker attacks have been perpetrated far and wide – both on behalf of, and against the activities of Wikileaks.

IP Theft and the Danger of Counterfeit Goods
In a recent study conducted by IT vendor GFI, 44% of the responding businesses indicated that their company networks had been breached. Another 6% indicated that they had no idea whatsoever whether or not their networks were secure. In a different survey, conducted by Verizon, respondents indicated that hundreds of millions of records had been stolen.

Intellectual Property (IP) theft is actually more dangerous than you might expect – especially when it comes to the theft of medical and drug information. After all, you might not be happy if your pair of counterfeit designer jeans splits open at an inopportune time, but that’s far different than ingesting poisonous compounds when you think you’re taking your medicine.

Fake medications are on the rise. Drugs (particularly in the U.S.) can be wildly expensive, so patients are turning to the Internet for discounted medications. In many cases, these discounted pills are knockoffs, counterfeited to look like the real pills made by the pharmaceutical industry. Patients are relying on them for their health. It’s bad enough that the fake pills don’t contain real medication. Even worse, they often contain dangerous compounds. So rather than the pills keeping patients healthy, they’re poisoning patients, causing severe damage.

Of course, it’s not just counterfeit medication. Intellectual property theft has resulted in counterfeit computer chips and even counterfeit military gear – all less safe than their originals. Speaking on the topic, U.S. Attorney General Eric Holder stated, “Put simply, when fake goods find their way into our nation’s marketplace, the health and safety of our people can be severely compromised.”

The Digital Mobilization of the World’s Population
Each of these trends may be disturbing, but they pale in comparison to the big kahuna of them all: the rise of ubiquitous smartphones. According to Gartner Inc, worldwide sales of smartphones hit 419 million units in the first quarter of 2012. There are billions of smartphones in use across the world, and each has more power and reach than many of the most powerful desktop PCs from just a decade ago.

Each smartphone is both a network node and a pocketful of trouble. While some phones – like Apple’s iPhone – are moderately well hardened against intrusion and malware, other smartphone environments are almost purposely vulnerable to attack.

The combination of an app-hungry populace with the desire for instant gratification, a lack of interest in or belief in the need for security, and a lack of technical know-how makes the billions of smartphone users worldwide very juicy targets indeed.

Not only are smartphones being breached and financial and account information being stolen, but more and more smartphones are being turned into roving malware zombie robots. They’ve become nodes on a widely distributed attack network, teaming up from the pockets of unsuspecting owners to carry out attacks or gather information – all while moving about from ever-changing locations.

The Times, They Are A-Changed
The great singer/poet Bob Dylan once sang, “The times, they are a-changin’.” Although I’ve been very busy in the world of cyberdefense, the last article I wrote for FrontLine Security was back in 2009. While social networks were on the rise, and cyberattacks were an issue, we thought of cyberwar as something that would soon be upon us, but not as something that was that much of a current threat.

Those times have already changed. Cyberespionage and cyberattacks are now constant and unrelenting. They are an ever-present part of the industrial, military, government, and consumer worlds. It’s a digital arms race out there.

The worrisome fact is: there is often more motivation on the part of ­criminals and attackers than there is on the part of their victims.

I can’t give you a single recipe to protect your company, your organization, your agency, or your loved ones. But I can recommend you practice some of the same best practices we’ve recommended for years. Keep up with security updates. Be careful what you open and what you visit. Be sure to use a secure firewall. And, if you’re the one making the financial decision about whether or not to pay for additional cybersecurity in your organization, remember that, on average, a single cyberattack costs companies well in excess of $2.5 million – yes, per attack.

The bottom line: it’s become a dangerous digital world, and it’s up to security and IT professionals to keep everyone safe. No law will stop a virus, no politician will dissuade a distributed denial of service attack, and no lawyer can litigate away a cyberspy that’s taken up residence inside your network.

Diligence and best practices are your very best defense.

David Gewirtz, distinguished lecturer for CBS Interactive, is also director of the U.S. Strategic Perspective Institute, cyberwarfare advisor for the International Association of Counterterrorism and Security Professionals, and IT Advisor to the Florida Public Health Association.