The dark arts

"No, Mr. Sullivan, we can't stop it! There's never been a worm with that tough a head or that long a tail! It's building itself, don't you understand? Already it's passed a billion bits and it's still growing. It's the exact inverse of a phage -- whatever it takes in, it adds to itself instead of wiping... Yes, sir! I'm quite aware that a worm of that type is theoretically impossible! But the fact stands, he's done it, and now it's so goddamn comprehensive that it can't be killed. Not short of demolishing the net!"
John Brunner, The Shockwave Rider 1972(?)

It was another ordinary Thursday[1] in the office for Sergey Ulasen[2], head of the antivirus research team at VirusBlokAda, a small computer security company headquartered in Minsk, Belarus. He had been emailed by an Iranian computer dealer whose clients were complaining about a number of computers stopping and starting. Was it a virus, he was asked? He was given remote access to one of the computers and, with the help of a colleague, Oleg Kupreyev, set about determining exactly what the problem was.

The answer, as the situation unravelled, was that he was looking at more than a virus. Indeed the “Stuxnet worm”, as it became known[3], was one of the most complex security exploits the world has ever seen. It used a panoply of attack types, from viral transmission via USB sticks, through exploiting unpatched holes in the Microsoft Windows operating system, to digging deep into some quite specific electronic systems. Unbeknown to Sergey, its actual targets were the Programmable Logic Controllers (PLCs) of some 9,000 centrifuges in use by Iran at its Natanz uranium enrichment plant. These controllers — simple computers, made by Siemens — were used to control the speed of a number of centrifuges: run them at too high a frequency for too long, and they would fail. As the controllers could not be targeted directly (they were too simple), the malicious software, or ‘malware’, took advantage of the Windows consoles used to control them. However, the worm knew every detail of the centrifuges and the speeds at which they would fail. “According to an examination[4] of Stuxnet by security firm Symantec, once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights,” wrote[5] Kim Zetter for Wired. It is these frequency converters that control the speeds of the centrifuges; furthermore, the only known place in the world where they were deployed in such a configuration was Natanz.

As it happened, the centrifuges had been going wrong for at least a year. Indeed, inspectors from the International Atomic Energy Agency confessed[6] to being surprised at the levels of failure. However, the malware had hidden itself well, making operators believe that the controllers were working correctly — it must just be the centrifuges that are unreliable, they thought. A previous version of the worm (known as[7] Stuxnet 0.5) had been used to steal information from the nuclear facility a year before, including how the centrifuges were set up. While the malware was designed to work on the Natanz centrifuges, it didn’t stop there. By the time it reached its full extent and Microsoft had issued patches for the vulnerabilities it exploited, Stuxnet had been infecting computers in “Iran, Indonesia, India, Pakistan, Germany, China, and the United States,” according to reports[8] from the US authorities.

But here’s the twist. While nobody came out and said so directly at the time, as the nature of the worm was established, the consensus became that the source of Stuxnet could be none other than a joint effort between US and Israeli security forces. Journalists were circumspect at the time — the UK Guardian, for example, stated[9] that it was “almost certainly the work of a national government agency… but warn that it will be near-impossible to identify the culprit.” Interestingly, it was America’s own ‘insider threat’, Edward Snowden, a contractor who happened to have access to a wide range of government secrets, who blew the cover on the two nations’ involvement. “NSA and Israel co-wrote it,” he said succinctly, in an interview[10] with German magazine Der Spiegel in 2013.

This was, of course, major news. Traditionally, viruses have been associated with ‘the bad guys’, a nefarious underworld of criminals whose intentions range from the amusing to the downright corrupt. Ever since there was technology, there have been people looking to turn it to their own ends, be it the use of a whistle given away in cereal packets to fool telephone exchanges (a technique made famous by John Draper, a.k.a. “Captain Crunch”, after the cereal), or through stories such as Clifford Stoll’s The Cuckoo’s Egg, in which the author traced Hannover-based hacker Markus Hess, who was selling secrets to the Russian KGB. This spectrum of behaviours has made it difficult to categorise wrongdoing, with the result that innocuous breaches have sometimes been treated with the full force of the law. Indeed, even the term ‘hacker’ is in dispute, with some members of the technological fraternity maintaining that it refers to very good programmers, nothing more.

Whatever their goals, computer hackers have several options — to find things out (thereby breaching data confidentiality), to change things (data integrity) or to break things (data availability). Sometimes they exploit weaknesses in software; other times they will write software of their own, given such sci-fi names as viruses and worms. Indeed, in good life-imitating-fiction style, Xerox Research’s John Shoch borrowed John Brunner’s ‘worm’ to describe a program he had created to hunt out idle processor capacity and turn it to more useful purposes. While such worms occasionally got the better of their creators, it took until 1988 for such a program (known as the Morris Worm[11]) to cause broader disruption, infecting (it is reckoned) one in ten computers on the still-nascent Internet. The worm’s unintended effect was to consume so much processor time that it brought machines to a standstill, creating one of the world’s first distributed denial of service (DDoS) attacks.

Since these less complicated times, a wide variety of malicious software has been developed with the intent of exploiting weaknesses (software or human) in computer protection. We have seen the emergence of botnets – networks of ‘sleeper’ software running on unsuspecting desktops and servers around the world[12], which can be woken to launch DDoS attacks targeting either individual computers or the very infrastructure underlying the Web. Take the attack on the Spamhaus Domain Name Service (DNS), for example: what marked the attack[13] was not only its nature, but also the rhetoric used to describe it. “They are targeting every part of the internet infrastructure that they feel can be brought down,” commented Steve Linford, chief executive of Spamhaus, in a strange echo of John Brunner’s prescient words.

Despite such episodes[14] (or indeed, as demonstrated by them), the Internet has shown itself to be remarkably resilient — its distributed nature is a major factor in the Internet’s favour. For any cybercriminal to bring down the whole net, they would first have to have access to a single element which tied it all together – even DNS is by its nature distributed, and thus difficult to attack.

The botnet and malware creation ‘industry’ — for it is one — is big business. The bad guys also don’t particularly care where the holes are. The black hat hacker world is a bit like the stock market, in that its overall behaviour looks organic but is actually the consequence of a large number of small actions. Some exploits are happy accidents, flukes of innovation. Others are the result of people trying to outdo each other. And the bad guys are equally capable[15] of exploiting the power of the cloud, or of offering virtualised services of their own. And so it will continue, as good and bad attempt to outdo each other in what is an eternal conflict.

But the admission, direct or otherwise, of government involvement in Stuxnet added an altogether different dimension. The principle was not untested: in 1982[16], for example, the USA was making its first forays, using a trojan horse to cause an explosion in the Trans-Siberian gas pipeline. All the same, the idea of one government actively engaging against another using malware remained the stuff of science fiction. As many pundits[17] have suggested[18], the game changed[19] with Stuxnet, the starting point of ‘proper’, international cyberwarfare. In a somewhat ironic twist, US Deputy Defense Secretary William J. Lynn III suggested[20] that once its intent and scale had been revealed, others could follow suit: “Once the province of nations, the ability to destroy via cyber means now also rests in the hands of small groups and individuals: from terrorist groups to organised crime, hackers to industrial spies to foreign intelligence services.” Which does beg the question — did the US Government really think it could be kept under wraps[21], given the damage it wreaked? Citing a government-led attack as the reason why governments need to be better protected against attack is an odd argument, but so be it!

The Law of Unexpected Consequences is writ large in the world of cybersecurity, as different sides attempt to both innovate and exploit the weaknesses of the other. In business for example, corporate security professionals no longer talk about keeping the bad guys out, but rather how to protect data, wherever it happens to turn up. Many are represented by the Jericho Forum, an organisation set up to work out how to ‘do’ security when everyone has mobile phones, when working from home is a norm rather than an exception, and when people spend so much time connected to the Internet. In the words of the song, the corporate walls “came tumbling down” a long time ago. As we have seen, the corporation has been turned inside out; in security as well, cathedrals of protection have been replaced by a bazaar, where everything can be bought or sold.

This new dynamic — an open, increasingly transparent world in which both bad guys and governments are prepared to step over a line in order to achieve their goals — sets the scene for the realities of cybersecurity today. The immediate aftermath of Snowden’s ‘revelations’ may have come as a disappointment to many activists, in that people didn’t flee from their US-hosted online service providers in droves. Many industry insiders were neither surprised nor fazed; as a hosting company CEO commented last week, “It would be naive to think [the NSA] were doing anything else.” However, that we are in a post-Snowden world was illustrated by the decision of Brazil’s President Dilma Rousseff to cancel a US gala dinner in her honour. To add potentially ‘balkanising’ insult to injury, Brazil also proposed creating its own email services and even laying a new transatlantic cable, to enable Internet traffic to bypass the US. Experts including Bruce Schneier have expressed[22] their fears at such suggestions. After all, isn’t this controlling traffic in similar ways to the “axis of Internet rights abuse” (China, Iran and Syria), who apply traffic filters to citizen communications?

From a technical perspective, the router-and-switch infrastructure of the Internet doesn’t really care which way a packet goes, as long as it gets through. Far from reducing the Internet’s core capabilities, Brazil’s proposals actually increase them by providing additional routes and new, non-obligatory service options. Unless, that is, one believes that the US has a singular role in policing the world’s web traffic — in which case it makes sense to route it all that way. Indeed, Brazil’s move doesn’t actually prevent surveillance; rather, it delegates such activities to within national boundaries. As commentators have suggested, the indignant rhetoric from some nations can be interpreted as, “We don’t want the USA to monitor our people, that’s our job.”

For those who would rather not have their data packets monitored, there is The Onion Network, or Tor. In another twist of the dance between light and dark, Tor was originally conceived by the US Navy in 2002 as a way to hide the source of Internet traffic, preventing anyone else from knowing who was accessing a specific web site, for example. The point of Tor was to enable the military to cover its tracks: as a strategic decision, therefore, the software was made generally available and open source. “It had to be picked up by the public and used. This was fundamental,” explained[23] its designer, Paul Syverson. “If we created an anonymous network that was only being used by the Navy, then it would be obvious that anything popping out or going in was going to and from the Navy.” Good call — but the decision may have backfired, given that Tor has become the place to hang out for anyone who doesn’t want to be monitored, which of course includes a wide variety of cybercriminals. Tor has become a Harry-Potter-esque Diagon Alley of the Internet, where anything can be bought or sold, from drugs and weapons, to ransomware and cyber-attacks, to the stolen identities that result from such attacks. Billions of identities are now available for sale on the Tor-based black market, to such an extent that they are relatively cheap, like bags of old stamps. While we should perhaps be worried[24], the rumour is that there are simply too many stolen identities to be dealt with.

The dance continues, and no doubt will continue to do so, long into the future. Another of Snowden’s revelations (and again, this has not been publicly stated) was how encryption algorithms created by security software company RSA (now part of Dell) were given ‘back doors’, so that the US authorities could access the data they protected. The Tor network has also been infiltrated by the powers that be, as has the crypto-currency Bitcoin (we’ll come to this). The one thing we can be certain about is that every technological innovation to come will be turned to dubious ends, and every unexpected positive consequence will be balanced by a negative. All eyes right now are on how the Internet of Things can be hacked to cause disruption — in the future the tiniest sensors will give us away, and our household appliances will hold us hostage (in some ways this is nothing new — toasters are already[25] more dangerous than sharks). To repeat Kranzberg’s first law of technology, “Technology is neither good nor bad; nor is it neutral.”

As battle fronts continue to be drawn upon ever more technological lines, we continue to ask ourselves exactly what purpose technology serves, and how it can be used for the greater good. As pundit Ryan Singel has suggested[26], “There is no cyberwar and we are not losing it. The only war going on is one for the soul of the Internet.” But can it be won?


1. July 17, 2010
2. http://eugene.kaspersky.com/2011/11/02/the-man-who-found-stuxnet-sergey-ulasen-in-the-spotlight/
3. http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
4. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
5. http://www.wired.com/2010/12/isis-report-on-stuxnet/
6. http://arstechnica.com/tech-policy/2011/07/how-digital-detectives-deciphered-stuxnet-the-most-menacing-malware-in-history/
7. http://www.symantec.com/connect/blogs/stuxnet-05-missing-link
8. https://cyberwar.nl/d/R41524.pdf
9. http://www.theguardian.com/technology/2010/sep/24/stuxnet-worm-national-agency
10. http://www.spiegel.de/international/world/interview-with-whistleblower-edward-snowden-on-global-spying-a-910006.html
11. http://en.wikipedia.org/wiki/Morris_worm
12. http://www.huffingtonpost.co.uk/hilary-wardle/computer-hacking_b_5607288.html
13. http://www.bbc.co.uk/news/technology-21954636
14. http://blog.cloudflare.com/the-ddos-that-knocked-spamhaus-offline-and-ho
15. http://www.techradar.com/news/world-of-tech/hackers-used-amazon-cloud-to-scrape-data-from-linkedin-profiles-1213888
16. http://www.theregister.co.uk/2004/03/16/explosive_cold_war_trojan_has/
17. http://www.langner.com/en/2010/09/14/ralphs-step-by-step-guide-to-get-a-crack-at-stuxnet-traffic-and-behavior/
18. http://spectrum.ieee.org/podcast/telecom/security/how-stuxnet-is-rewriting-the-cyberterrorism-playbook
19. http://www.langner.com/en/wp-content/uploads/2013/11/To-kill-a-centrifuge.pdf
20. http://www.defense.gov/news/newsarticle.aspx?id=54787
21. http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
22. http://bigstory.ap.org/article/brazil-looks-break-us-centric-internet
23. http://www.telegraph.co.uk/culture/books/11093317/Guns-drugs-and-freedom-the-great-dark-net-debate.html
24. https://www.riskbasedsecurity.com/2014/02/2013-data-breach-quickview/
25. http://blogs.reuters.com/environment/2008/01/17/toasters-deadlier-than-sharks/
26. http://www.wired.com/2010/03/cyber-war-hype/