Tuesday, June 14, 2011

Cyberwar, Stuxnet & People In Glass Houses


Recent cyberattacks have prompted the creation of the Pentagon's first formal cyber strategy document which addresses potential military responses to attacks [GALLO/GETTY]


The Pentagon Has Concluded That Cyber Attacks Are "Acts Of War" and May Therefore Merit A Full Military Response.

By Haroon Meer
Last Modified: 07 Jun 2011 09:07
Courtesy Of "Al-Jazeera"


People tracking stories on hacking or cyberwar have had a busy few months. 

Headlines this week were provided courtesy of the Pentagon's first formal cyber strategy document which concluded "that computer sabotage coming from another country can constitute an act of war", and "opens the door for the US to respond using traditional military force".

The same article carried a widely repeated (but not clearly attributed) quote from a military official who glibly said: "If you shut down our power grid, maybe we will put a missile down one of your smokestacks."

To many who work in information security, the threat of a full military response to a cyber offensive seems disproportional - especially when many pundits were claiming that cyberwar was not even a real threat - so where did this come from and what does it mean?

Most of the established military powerhouses have long realised the internet's potential as a battleground and many have been dipping their toes tentatively into cyberwar waters for a while. The first computer worm ever unleashed on the internet (in 1988) was written by a graduate student from Cornell, whose father happened to be the chief scientist of the American National Security Agency.

Reactions to that worm spawned the computer security industry as we know it today, which in turn spawned what's becoming known as the military digital complex.

The incident in February with US defence subcontractor HBGary and Anonymous gave people a glimpse into this world and opened the eyes of many to the millions of dollars being invested in offensive computer security research. What many suspected (and a few knew) was laid open for everyone to see. Huge investments were being made in Exploits & Rootkits, essential components of any self-respecting cyberwar.

Two incidents (separated by a few months) are worth noting here.

Stuxnet

In July of 2010, a worm was discovered by a Belarusian company with some interesting payloads.

The more the worm (dubbed Stuxnet) was examined, the more interesting it became. Today we know that Stuxnet was written to target SCADA systems relating to gas centrifuges. The worm contained multiple attack vectors that were previously unknown to the world and was in some ways, technically sublime.

It ultimately targeted Iranian nuclear reactors, and some experts claim that the worm set back the Iranian Nuclear programme by as much as two years. Estimates on the cost of building the worm swing wildly but even the highball figure of several million is a far sight cheaper than the traditional weaponry that would have been needed to achieve the same result.

We may never know for sure if the worm was written by Israel or the US as most experts believe, but we do know that it was effective, and that it made it clear that attacks in cyberspace have effects in the real world.

Comodo Hack

In March this year a Secure Sockets Layer (SSL) certification authority named Comodo was hacked. To understand the full repercussions of the hack, we need to take a step back for a (very) basic understanding of "SSL".

When you visit a website over SSL (as evidenced in your browser by the familiar padlock) your web browser and the website encrypt all traffic between them. This is how you know, while doing internet banking (or reading your mail), that nobody along the way is viewing your traffic.

For the browser and the website to set up this encrypted tunnel, they need a trusted intermediary who can (cryptographically) vouch for the server. Your web browser contains a list of these "trusted intermediaries" and you see the trusted padlock because a trusted intermediary has vouched for the site.

Comodo was one of those trusted intermediaries. After hacking into them, the attacker was able to generate several fake certificates. This allowed them to set up fake web sites and then have them vouched for. You would think that you were talking to internet banking (or Gmail) and your browser would happily display the padlock, but all your communication could be compromised.

The attackers created fake certificates (to vouch for) mail.google.comlogin.skype.com and login.live.com (among others) but once they had the ability to create certificates, they could have generated them for any site they chose. This could enable mass interception of traffic and few people would be any the wiser.

Comodo traced the attack to Iran and claimed that it was a state-sponsored attack. The media swallowed it whole (Iran targets Gmail and Skype with fake SSL hack).

A few days later, however, the attacker went public. In an online statement  he proved that he was indeed the real attacker, explained his motives and pointed out his age: "I should mention my age is 21... When USA and Israel write Stuxnet, nobody talks about it, nobody gets blamed, nothing happened at all... I say that, when I sign certificates nothing should happen (sic)."

We have seen this movie before; young, talented hackers being able to achieve results with enough impact that people attribute their actions to a nation state. In the end, all this power lay in the hands of a 21-year-old hacker with an ideology. As in the case of HBGary vs Anonymous, we were given a stark reminder of both our state of vulnerability and the problem of asymmetry.

The simple truth is that cyberspace is tough to police and near impossible to protect (with current technology). 

There are too many moving pieces and defensive technology has not yet caught up with attacks.

Stuxnet is probably the most analysed piece of malware in the world, and we still cannot say categorically who created it. The difficulty faced with attribution means that the threat of putting "a missile down one of your smokestacks" is vacuous at best, or irresponsible at worst.

Now we see an increased rush to develop cyber capabilities and, though cyber seems to be the new arms-race, there is an important difference.

Exploits can be worked on in private without tell-tale mushroom clouds or double-flashes of light which betray nuclear testing. Capabilities can be built and refined for fractions of the cost and most importantly: There is no hint of mutually assured destruction.

MAD kept the cold war cold, with both sides fearing the response to launching first. This has no cyber parallel and the possibility of false flag operations (or that even complex-looking attacks might have been perpetrated by idealistic youths) means that we are just not ready to consider military reprisal.

Then of course, we need to ponder just who would be most vulnerable in terms of cyber attacks? The answer is obviously those who are most connected. Losing internet access for a day would mean a lot more to Wall street than to Iran (who have shut down access to the internet in the past).

Firing off Stuxnet might have seemed like a good idea, but since everyone is vulnerable (and some are more vulnerable than others) it is possibly a road that was better avoided. When it comes to cyberspace, the connected world is living in a glass house, and we all know that people in glass houses shouldn't throw stones.

Haroon Meer is the founder of Thinkst Applied Research. He can be found on twitter as @haroonmeer or on his blog at http://blog.thinkst.com/

No comments: