
In document Cybersecurity and Cyberwar (Page 57-76)

HOW IT ALL WORKS

Figure 1.2 How public key encryption works

1. Meet Alice and Bob. They would like to talk to each other securely.
2. Alice and Bob each have a pair of mathematically linked keys, sharing one and keeping one private.
3. To send a message, Alice encrypts the message with Bob’s public key, and signs with her private key.
4. Bob receives the message. He then decrypts the message with his private key, and uses Alice’s public key to verify her signature.

Encryption protects the confidentiality of the message, while the digital signature preserves integrity by preventing modification.

(CAs), they sign the certificates, and their public keys are known widely enough so that they cannot be spoofed. If you trust the CA, then you can trust the public key signed by the CA.

Every person online uses this system on a daily basis, even if we do not realize it. When we visit HTTPS web addresses and get the little lock icon to verify the secure connection, we are visiting a secure website and are trusting the certificate authorities. Our web browsers ask the secure domain for its public key and a certificate signed by a CA, tying the public key explicitly to the Internet domain. In addition to verifying that the server our browser is talking to belongs to the organization it claims to belong to, this also enables trusted communication by exchanging encryption keys. Such trust serves as the basis for almost all secure communication on the Internet between unaffiliated parties.
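The exchange in Figure 1.2 and the certificate check described above, as an added example that is not from the book: a toy textbook RSA (fixed Mersenne primes, no padding, not safe for real use) in which a CA signs the binding between a name and a public key, Alice checks that certificate before encrypting to Bob and signing, and Bob decrypts and verifies. All parties, keys and the `bob.example` name are constructed for illustration.

```python
# Toy textbook RSA for illustration only: fixed Mersenne primes, no padding.
import hashlib

def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) built from two primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)

def digest(data, n):
    """SHA-256 of data, reduced into the modulus so it can be signed."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, private):               # needs the private key
    d, n = private
    return pow(digest(data, n), d, n)

def verify(data, signature, public):   # anyone with the public key can check
    e, n = public
    return pow(signature, e, n) == digest(data, n)

def encrypt(data, public):
    e, n = public
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(cipher, private):
    d, n = private
    m = pow(cipher, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def binding(name, public):
    """The statement a CA signs: this name owns this public key."""
    return f"{name}|{public[0]}|{public[1]}".encode()

def issue_cert(name, public, ca_private):
    return {"name": name, "public": public,
            "sig": sign(binding(name, public), ca_private)}

def cert_ok(cert, ca_public):
    return verify(binding(cert["name"], cert["public"]), cert["sig"], ca_public)

def alice_sends(text, alice_private, bob_cert, ca_public):
    if not cert_ok(bob_cert, ca_public):   # refuse keys the CA did not vouch for
        raise ValueError("certificate is not signed by the trusted CA")
    return encrypt(text, bob_cert["public"]), sign(text, alice_private)

def bob_receives(cipher, signature, bob_private, alice_public):
    text = decrypt(cipher, bob_private)
    return text, verify(text, signature, alice_public)

# Constructed keys for hypothetical parties, built from well-known Mersenne primes.
CA_PUB, CA_PRIV = make_keypair(2**19 - 1, 2**31 - 1)
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)
MALLORY_PUB, MALLORY_PRIV = make_keypair(2**13 - 1, 2**17 - 1)
BOB_CERT = issue_cert("bob.example", BOB_PUB, CA_PRIV)
```

Swapping a different key into the certificate makes `cert_ok` fail, but anyone holding `CA_PRIV` can issue a certificate that passes, which is why the CA's signing key is the thing to protect.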

As the source of trust, certificate authorities occupy a critical role in the cyberspace ecosystem, perhaps too important. If someone can steal a CA’s signing key, then the thief (or whoever they pass the key on to) could intercept “secure” traffic without the victim noticing. It is hard to pull off, but it has been done. In 2011, someone (later leaks fingered the NSA) stole a Dutch CA’s keys and used them to intercept Iranian users’ access to Google’s Gmail. Some have complained that there are too many CAs around the world, many in countries with less than savory histories in security and privacy. As attacks evolve, the roots of trust will be even more at risk.

If one side of trust online is about the user feeling confident about the system and other users, the other side is how systems should trust the users. After identification and authentication, a system must authorize the user to use the system. Most systems use some kind of “access control” to determine who can do what. At its simplest, access control provides the ability to read, write, or execute code in an operating environment.

The core of any system is the access control policy, a matrix of subjects and objects that defines who can do what to whom. This can be simple (employees can read any document in their small work group, while managers can access any document in their larger division) or much more complicated (a doctor may read any patient’s file, as long as that patient has one symptom that meets a prespecified list, but may only write to that file after the billing system can verify eligibility for payment). Good access control policies require a clear understanding of both organizational roles and the architecture of the information system as well as the ability to anticipate future needs. For large organizations, whose users make extensive use of data, defining this policy perfectly is incredibly difficult. Many believe it may even be impossible.
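One way to express the two policies just described as a matrix with conditions, as an added example rather than anything from the book: each cell is keyed by subject role, object type and action, anything without a cell is denied, and every decision is logged. The role names, attribute names and symptom list are assumptions made for illustration.

```python
# Added illustration; roles, attribute names and the symptom list are constructed.
from dataclasses import dataclass, field

SYMPTOM_LIST = {"chest pain", "stroke signs"}   # stand-in for the "prespecified list"

@dataclass
class Request:
    role: str                  # subject
    kind: str                  # object type: "document" or "patient_file"
    action: str                # "read" or "write"
    ctx: dict = field(default_factory=dict)   # attributes the rule may consult

def on_list(c):
    """True when the patient has at least one symptom on the list."""
    return bool(SYMPTOM_LIST & set(c["symptoms"]))

# The matrix: one cell per (subject role, object kind, action), holding the
# condition under which that cell grants access. A missing cell means "no".
POLICY = {
    ("employee", "document", "read"): lambda c: c["user_group"] == c["doc_group"],
    ("manager", "document", "read"): lambda c: c["user_division"] == c["doc_division"],
    ("doctor", "patient_file", "read"): on_list,
    # Assumed reading of the text: writing needs the read condition plus billing.
    ("doctor", "patient_file", "write"):
        lambda c: on_list(c) and c["billing_eligible"] is True,
}

AUDIT = []   # every decision is recorded, allowed or not

def authorize(req):
    """Default deny; a rule that cannot be evaluated also denies (fail closed)."""
    rule = POLICY.get((req.role, req.kind, req.action))
    try:
        allowed = rule is not None and bool(rule(req.ctx))
    except KeyError:           # attribute missing from the request context
        allowed = False
    AUDIT.append((req.role, req.kind, req.action, allowed))
    return allowed
```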

Failures of access control have been behind some of the more spectacular cyber-related scandals in recent years, like the case of Bradley Manning and WikiLeaks in 2010, which we explore next, and the 2013 Edward Snowden case (where a low-level contractor working as a systems administrator at the NSA had access to a trove of controversial and top-secret programs, which he leaked to the press). These cases illustrate poor access control in all its glory, from low-level individuals being granted default access to anything and everything they wanted, to poor efforts to log and audit access (for several months after Edward Snowden went public with leaked documents about its various monitoring programs, the NSA still didn’t know how many more documents he had taken, but hadn’t yet released).

Whether the organization is the NSA or a cupcake store, the questions about how data is compartmentalized are essential. Unfortunately, most organizations either greatly overprovision or underprovision access, rather than trying to find a good medium. Overentitlements grant too much access to too many without a clear stake in the enterprise, leading to potentially catastrophic WikiLeaks-type breaches. In many business fields, such as finance and health care, this kind of overaccess even runs the risk of violating “conflict of interest” laws that are supposed to prevent individuals from having access to certain types of information. Finally, and most relevant to cybersecurity, if access control is poor, organizations can even lose protection of their intellectual property under trade secret law.

At the other extreme, underentitlement has its own risks. In business, one department may inadvertently undermine another if it doesn’t have access to the same data. In a hospital, it can literally be a matter of life and death if doctors cannot easily find out information they need to know in an emergency. Former intelligence officials have implied that the stakes are even higher in their world, where a lack of information sharing can leave crucial dots unconnected and terrorist plots like 9/11 missed.

What this all illustrates is that even amid a discussion of technology, hashes, and access control, trust always comes back to human psychology and the decisions used to make explicit risk calculations. Pac-Man isn’t an actual man, but the system that allowed him to enter a voting machine, and the consequences of that access, are all too human.

Focus: What Happened in WikiLeaks?

bradass87: hypothetical question: if you had free reign [sic] over classified networks for long periods of time . . . say, 8–9 months . . . and you saw incredible things, awful things . . . things that belonged in the public domain, and not on some server stored in a dark room in Washington DC . . . what would you do? . . .

(12:21:24 PM) bradass87: say . . . a database of half a million events during the iraq war . . . from 2004 to 2009 . . . with reports, date time groups, lat-lon locations, casualty figures . . . ? or 260,000 state department cables from embassies and consulates all over the world, explaining how the first world exploits the third, in detail, from an internal perspective? . . .

(12:26:09 PM) bradass87: lets just say *someone* i know intimately well, has been penetrating US classified networks, mining data like the ones described . . . and been transferring that data from the classified networks over the “air gap” onto a commercial network computer . . . sorting the data, compressing it, encrypting it, and uploading it to a crazy white haired aussie who can’t seem to stay in one country very long =L . . .

(12:31:43 PM) bradass87: crazy white haired dude = Julian Assange

(12:33:05 PM) bradass87: in other words . . . ive made a huge mess.

This exchange on AOL Instant Messenger launched one of the biggest incidents in cyber history. WikiLeaks not only changed the way the world thinks about diplomatic secrets, but also became a focal point for understanding how radically cyberspace has changed our relationship with data and access.

In 2006, the website WikiLeaks was launched with the goal of “exposing corruption and abuse around the world.” With an agenda that scholars call “radical transparency,” the concept was to reform powerful actors’ behavior by exposing documented evidence of their wrongdoing online. Led by the now-iconic “crazy white haired dude,” Australian Julian Assange, it used the Wikipedia model of an “open-source, democratic intelligence agency,” where activists from around the world could upload information and share it through a central but communally archived repository.

The group quickly gained a reputation for “releasing information relating to a range of very different countries, and to potential corruption, malfeasance, or ineptitude.” Early projects exposed alleged wrongdoings by Kenyan politicians, Church of Scientology lawyers, and international trade negotiators. It soon won accolades from anticensorship and human rights organizations.

In turn, the dangers of radical transparency quickly became apparent to organizations that depended on secrecy. In a 2008 report, the Pentagon noted, “WikiLeaks.org represents a potential force protection, counterintelligence, OPSEC and INFOSEC threat to the U.S. Army.” (Ironically, we only know about this classified assessment because WikiLeaks itself published it in 2010.)

The Pentagon’s prescience was remarkable, as the website was poised to publish a massive cache of documents that ranged from diplomatic cables to memos and videos directly related to the US military’s war efforts in Iraq and Afghanistan. This story’s beginning goes back to “bradass87,” the online handle of Bradley Manning, born in 1987.

Bradley Manning was a private first class in the US Army, and not a terribly happy one. As he described in instant messages sent to another hacker turned journalist, “im an army intelligence analyst, deployed to eastern baghdad, pending discharge for ‘adjustment disorder’ in lieu of ‘gender identity disorder.’ ”

Later investigations found that Manning fit in poorly with other soldiers and that he had already been reprimanded for disclosing too much information in video messages to his friends and family that he posted to YouTube. In fact, he almost wasn’t deployed to Iraq because his superiors had described him as a “risk to himself and possibly others.” But the need for intelligence workers in the field was too great, and he was sent to the war zone.

While Manning was trained to handle classified information, he was not an analyst. Instead, his job was “to make sure that other intelligence analysts in his group had access to everything that they were entitled to see.” His position thus gave him access to a huge range of data streams from across the government’s computer networks.

After growing increasingly distraught about the war, a reaction likely compounded by his personal troubles, Manning decided that “Information has to be free.” While the Department of Defense had banned USB storage devices for fear of malware and had tried to “air gap” the secure networks from the Internet, they did not close off writable CD drives. Manning would bring in CDs with music on them and then overwrite the music with file upon file of classified data. As he wrote, “I listened and lip-synced to Lady Gaga’s Telephone while exfiltratrating [sic] possibly the largest data spillage in american history.”

In April 2010, WikiLeaks published a provocatively titled video, “Collateral Murder,” depicting an edited, annotated video from a US Army Apache attack helicopter firing on civilians in Iraq, including two Reuters reporters. WikiLeaks followed this up in July and October 2010 by releasing immense troves of classified documents relating to the wars in Afghanistan and Iraq.

While Manning had originally wanted to remain anonymous, as was the WikiLeaks model, his facilitator, Assange, instead sought to achieve maximum publicity. The video was first displayed at a news conference at the National Press Club in Washington, DC. For the classified documents, Assange worked with the New York Times, the Guardian, and Der Spiegel to verify, analyze, and present the documents to the public. Unsurprisingly, US officials condemned the release of these documents in strong language and began to hunt down the source of the leaks.

Just a few months later, WikiLeaks dropped another virtual bomb. In what became known as “Cablegate,” Manning had also passed on 251,287 State Department cables written by 271 American embassies and consulates in 180 countries, dating from December 1966 to February 2010. Much of the communication was boring stuff, but there were also a number of embarrassing secrets, from what American ambassadors really thought about their counterparts to the fact that the United States had secretly eavesdropped on the UN Secretary General in the lead up to the Iraq war. Amusingly, the US government then ordered federal employees and contractors not to read the secret State Department documents posted online, which the New York Times described as “a classic case of shutting the barn door after the horse has left.”

Originally, WikiLeaks relied on media sources like the Guardian, El País, and Le Monde to publish the cables, which they did at a relative trickle. The media focused on what they thought was most newsworthy and edited the content wherever it might endanger someone inadvertently revealed in the cables, such as a secret informant. Only a hundred or so were released at a time, a tiny fraction of the stolen documents. A few months later, however, the password to the full data set was “accidentally” released (reporters from the Guardian and Assange each blame the other). With the site now accessible, WikiLeaks decided to publish the whole treasure trove of secret information, unredacted.

The leaking of documents was roundly condemned, and WikiLeaks was accused of putting people at risk, and not just American officials. In China, for instance, nationalist groups began an “online witch hunt,” threatening violence against any Chinese dissident listed in the cables as meeting with the US embassy.

At this point, WikiLeaks became more than just a nuisance to those in power. According to the US Director of National Intelligence, the leaks risked “major impacts on our national security,” and a senator called for Assange to be tried for espionage. Others sought to downplay the impact. As then Secretary of Defense Gates put it, “Is this embarrassing? Yes. Is it awkward? Yes. Consequences for U.S. foreign policy? I think fairly modest.”

In either case, the heat was turned up on the organization and its key players. Assange’s personal Swiss bank account was closed on the grounds that he had falsely claimed to live in Geneva upon opening the account. Even more damaging, Swedish prosecutors issued a warrant for Assange for sexual assault. After fighting and losing a legal battle for extradition, Assange sought asylum at the Ecuadorian embassy in London, where he remains at the time of this book’s publication.

In another illustration of how the cyber world intersects with the real world, the online group was also pressured via the online financial front. PayPal announced that it would no longer allow individuals to send money to WikiLeaks’s account, citing a letter from the US government declaring WikiLeaks’s engagement in illegal behavior. MasterCard and Visa followed suit, making it much harder for sympathizers around the world to contribute to the legal and technical defense of the website.

Despite this pressure, the WikiLeaks organization survived. The leaked documents are still available around the Web on dozens of mirror websites to anyone who wants to see them (aside from federal employees), while the group has popped up in subsequent scandals from the NSA domestic spying revelations to the Syria Files, a release of over two million e-mails from the Syrian regime, including personal e-mails from Bashar al-Assad. More importantly, WikiLeaks’s model has proved powerful, inspiring copycat attempts like Local Leaks, a website associated with Anonymous. Local Leaks came to prominence in 2012, when it posted evidence of a brutal sexual assault by prominent high school football players in an Ohio town.

As for Manning, his role was revealed by the very same person he shared his supposedly secret Internet chat with. A hacker named Adrian Lamo had told Manning, “I’m a journalist and a minister. You can pick either, and treat this as a confession or an interview (never to be published) & enjoy a modicum of legal protection.” Instead, Lamo turned Manning in to the FBI. Manning was subsequently court martialed for data theft and espionage and sentenced to thirty-five years in military prison.

In the end, those who wished to set information free are themselves no longer free. Others may be deterred by what has happened to this episode’s main characters, or heartened by their enduring impact.

What Is an Advanced Persistent Threat (APT)?

We were at a meeting of Washington, DC, government officials and business leaders. A so-called consultant in cybersecurity (at least that’s what his website said, and who are we to question the Internet?) spent half his presentation talking up the massive boogeyman of cyber danger that loomed for us all, repeatedly mentioning the new specter of “APTs.” But fortunately, he spent the second half of his talk explaining how all that was needed to deter such threats was to be “good enough.” He made a joke that it was like the two friends chased by a bear. As one told the other, “I don’t have to outrun the bear, just you.” As long as you made sure your defenses were slightly better than the next guy’s, he explained, the cyberattackers would give up and quickly move on. And, lo and behold, his firm had a generic package for sale that would satisfy all our cybersecurity needs. The presentation was slick, effective . . . and wrong.

APTs are “advanced persistent threats,” a phenomenon that has gained more and more notoriety in recent years (Google reports the term as being used some 10 million times by 2013) but is still poorly understood. It illustrates the challenge in the policy world of calling attention to very real emerging challenges in cyberspace but also avoiding overreaction, hype, and hysteria.

If cybersecurity threats were movies, an advanced persistent threat would be the Ocean’s 11 of the field. It’s not that APTs star handsome actors like George Clooney or Brad Pitt; indeed, they are more likely to be run by their polar opposites, clad in T-shirts instead of Armani suits. Like the high-profile heists in the movie, however, APTs have a level of planning that sets them apart from other cyberthreats. They are the work of a team that combines organization, intelligence, complexity, and patience. And as with the movie, they are quickly followed by sequels. No one knows how many APTs are out there in the world, but one cybersecurity firm CEO told us how, “Five years ago, I would get very excited, and very proud, if we found signs of an APT inside a client’s networks. It was something that might happen once every few months. Now, we’re finding them once a day.”

An APT starts with a specific target. The team knows what it wants