The infiltration of the American newspaper by hackers reckoned to be
working for the Chinese government is a demonstration of the layered
model of hacking: from noisy to silent, amateur to professional.
The hack of the New York Times,
almost certainly by Chinese hackers working for the military and/or
Chinese government, provides a number of important lessons about the
modern world of hacking.
They are:
• antivirus won't help if you are being targeted by top-level hackers: the New York Times was using Symantec's offering, but out of 45 pieces of custom malware, Symantec's software identified just one;
• universities and other academic locations are prime stepping stones for hackers looking to get into bigger, better-protected systems: the Chinese hackers used systems at the universities of North Carolina, Arizona, Wisconsin and New Mexico, as well as a number of smaller companies.
(By the way, "hackers" here is used as "people who
break into systems without the owners' permission". The older use, of
"someone who plays around with what computers can do", has long since
been subsumed into the newer one.)
The full story of the attack - all four months of it - is hair-raising reading.
But
the reality is that while everyone might have heard of Anonymous, the
hackers you really need to worry about are the ones you haven't heard
of.
In fact it's very easy to understand the world of hacking. It
splits into three layers, each almost hermetically sealed off from the
others, and each almost indifferent to the others.
The three levels, in increasing order of ability and decreasing order of visibility, are:
• the amateurs.
The prime example of these is Anonymous, the loose collective of
hackers who are roughly organised around a few ideas - that anyone can
be a member, that anyone can speak for them, and that if enough of you
(even if not most or all) can agree on a target, then they'll go after
it. Some of them aren't particularly great hackers;
to quote Judge Peter Testar, who presided over the recent trial of three
British members of Anonymous: "The defendants were actually
rather arrogant. They thought they were far too clever
to be caught and used various methods to try to cloak and preserve
their anonymity. It seems to me that the police were a little bit more
clever than the conspirators."
Sometimes it's hard to know whether the claims are correct: in September 2012 some Anonymous members claimed to have hacked an FBI agent's laptop and stolen a million user details stored on it. Instead, they'd been taken from a web publisher, BlueToad.
Some
Anonymous members are, however, pretty accomplished; "Sabu" - real name
Hector Monsegur - certainly showed aptitude, and led the LulzSec crew
during what we might call the Summer of Lulz in 2011. They were able to
cover their tracks and carry out various incursions against small and
large sites, and it may have only been Monsegur's complicity (he had
been caught by the FBI, and was in effect a double agent) that led to
their early arrest.
But the point about Anonymous, and pretty
much any amateur, is that they're doing it to get noticed, for whatever
reason. Even though Gary McKinnon wasn't trying to deface sites, he was
looking for "hidden" evidence about UFOs - and you can bet that if he'd
found it, he would have made it public.
Next up are
• the commercial hackers. These are the people who steal and trade credit card details, write (or tweak) the software that infects machines to create spambots, do browser hijacks, and so on. They're very much focussed on the commercial side; making money is the name of the game. To them, Anonymous are those annoying kids who go around bringing too much attention onto the weaknesses of computers. There's a definite tension between the commercial hackers and Anonymous; although they're both aware of each other, Anonymous can't take down the commercial hackers - it's risky to take on people who might resort to real violence.
Commercial
hacking is a gigantic business; the estimates vary, but in terms of the
cost to companies, they're always in the billions. The trading of
stolen data is common on hidden web forums; you have to know someone to
get to them.
But the commercial hackers aren't necessarily the
most capable. That prize goes to the next group, who are barely ever
glimpsed - except at times like this:
• government and military hackers.
These are the people working for the National Security Agency (NSA) or
MI6 or Israel's Mossad or whichever country's secret service you'd like
to focus on. These are the people who write software such as Stuxnet,
which is so stealthy that it was deployed in 2008 but wasn't detected
until 2010, having wreaked havoc on Iran's uranium processing systems.
As a strategy, you have to say it was brilliant: a bomb attack on the
facility would have caused a gigantic political row, and might not have
succeeded (because the facility is deep underground). But as long as
its computers are connected, the right piece of malware can get in.
These are the people behind attacks like the one on the New York Times. While there might be some angry keyboard warriors in China
upset that the NYT isn't always supportive of the
Party line, the fact that the attacks began before the publication of
the first story, and continued for four months using custom malware and zero-day exploits
(which is why Symantec's signature-based antivirus couldn't detect them), tells you that these
were not angry amateurs. Instead they were professional - to the
extent, the investigators at Mandiant said, that they would start at
8am Beijing time, and work normal hours, with the occasional burst
going through to midnight in Beijing - equivalent to 11am in New York.
In effect, the Chinese hackers were starting at 7pm New York time, and
rooting through the systems as fewer and fewer people were in the
office. For a hacker, that's ideal.
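The working-hours pattern Mandiant noticed is itself a usable detection signal. The Python below is an added example, not code from the original post or from Mandiant's investigation: it reads a constructed, made-up authentication log (UTC timestamps), flags accounts whose activity falls mostly outside the defender's business day (assumed here to be 08:00-18:00 local, with New York at UTC-5 in January), and then asks which UTC offsets would turn that activity into a normal working day. The log lines, account names, thresholds and the business-hours window are all assumptions.

```python
"""Time-of-day analysis of authentication logs.

Added example, not code from the original post or from Mandiant: buckets
each account's activity by local hour, flags accounts that are mostly
active outside the defender's business hours, and then asks which UTC
offsets would make that activity look like a normal working day.
Every log line below is constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: ISO-8601 UTC timestamp, account, event. The
# "alice" entries fall inside a New York working day (UTC-5 in January);
# the "svc-backup" entries fall between 20:00 and 03:00 New York time,
# which is 09:00-16:00 in Beijing (UTC+8).
SAMPLE_LOG = """\
2013-01-15T14:02:11Z alice login
2013-01-15T16:45:09Z alice login
2013-01-15T19:10:33Z alice login
2013-01-15T22:01:47Z alice login
2013-01-16T01:03:21Z svc-backup login
2013-01-16T02:17:05Z svc-backup login
2013-01-16T04:40:58Z svc-backup login
2013-01-16T06:55:12Z svc-backup login
2013-01-16T08:12:49Z svc-backup login
"""

# Assumed business window in local time: BUSINESS_START <= hour < BUSINESS_END.
BUSINESS_START, BUSINESS_END = 8, 18


def parse_log(text):
    """Return a list of (utc_datetime, account) parsed from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, _event = line.split()
        dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((dt, account))
    return events


def local_hour(dt_utc, offset_hours):
    """Hour of day once the UTC timestamp is shifted into UTC+offset_hours."""
    return dt_utc.astimezone(timezone(timedelta(hours=offset_hours))).hour


def business_hours_fraction(timestamps, offset_hours):
    """Fraction of timestamps that land inside the business window at UTC+offset_hours."""
    if not timestamps:
        return 0.0
    inside = sum(1 for dt in timestamps
                 if BUSINESS_START <= local_hour(dt, offset_hours) < BUSINESS_END)
    return inside / len(timestamps)


def best_fit_offsets(timestamps):
    """Whole-hour UTC offsets (-12..+14) under which the activity looks most like a working day.

    A list is returned on purpose: time-of-day alone cannot separate neighbouring
    zones, so a few events spread over one morning fit several adjacent offsets equally.
    """
    scores = {off: business_hours_fraction(timestamps, off) for off in range(-12, 15)}
    best = max(scores.values())
    return [off for off, score in scores.items() if score == best]


def flag_off_hours_accounts(events, local_offset, threshold=0.5, min_events=4):
    """Accounts active mostly outside *our* business hours, with the offsets
    that would make the same activity look like somebody else's working day."""
    by_account = defaultdict(list)
    for dt, account in events:
        by_account[account].append(dt)
    flagged = {}
    for account, stamps in by_account.items():
        if len(stamps) < min_events:
            continue  # too few events to say anything about a daily rhythm
        off_hours = 1.0 - business_hours_fraction(stamps, local_offset)
        if off_hours >= threshold:
            flagged[account] = {"off_hours_fraction": off_hours,
                                "fits_offsets": best_fit_offsets(stamps)}
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for account, info in flag_off_hours_accounts(events, local_offset=-5).items():
        print(account, info)
```

Run on its own it prints the flagged account together with the offsets that fit. Note that the fit comes back as a band of neighbouring offsets (here +7 to +9) rather than a single zone: a handful of timestamps spread over one morning cannot tell Beijing from its neighbours, so timing narrows the field without naming the attacker, and a service account that legitimately runs overnight jobs will trip the same check, which is why the flag is a prompt for investigation and not a verdict.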
Governments also have access
to those sorts of zero-day exploits - and the best reason to deploy
them: they're trying to attack well-defended cyber-targets. There's
actually a thriving market in zero-day exploits, with a number of companies selling them to the highest bidder.
In fact Charlie Miller
- an ex-NSA staffer who has demonstrated remarkable and
previously-unseen hacks at a number of conferences - says that he once
sold a zero-day exploit to the US government. As he put it to the
Washington Times: "Do I do the thing that's good for the most people
and not going to get me money at all, or do I sell it to the U.S.
government and make $50,000?"
For the government hackers,
anonymity - the real sort, rather than the mask-wearing, visible
Anonymous sort - is an essential currency. They have to remain
invisible both in their daily life, and their online life. Miller was
pretty much unknown before he emerged from the NSA; in a revealing
interview a couple of years ago, he explained
that "I've liked tinkering around with computers since I was a kid, but
got a degree in Mathematics. After that, it was five years of
on-the-job training at the NSA."
His training and work are being
repeated around the world by hundreds - perhaps thousands - of
full-time professional hackers. Yet we don't know their names; they
don't have an organisation, don't parade, don't seek any attention at
all. Though the people in the other two layers know that these elite
hackers must exist, they'll hardly ever come across a trace of them.
Quite what state-sponsored hackers think of the amateurs or the
commercial hackers isn't clear; not enough of them have ever been
interviewed to make that clear. But the difference between them and the
amateurs is like that between any professional and an amateur; the gap
is vast.
That doesn't ease the challenge for the New York Times (nor, indeed, the Wall Street Journal, which says that it too was attacked
to find out about its China coverage). Knowing that you might be the
target of top-level hackers is only helpful if you know what to watch
for. The New York Times was able to ask AT&T to monitor its
networks for "suspicious behaviour", but that's not available to
everyone - and some networks might not show it up.
Is there an
answer? Unfortunately, no. All you can say is that the more visible the
hacker, the less - generally - you have to worry about. Being hacked by
Anonymous and having company data (usually usernames and hashed
passwords) sprayed around the web is uncomfortable, but it won't
usually destroy your business. The risk from state hackers is far
greater - because they can effectively be standing over your shoulder
(or under your keyboard), watching everything without you having the
least idea it's happening.