Pretty Complex

Pretty Complex

Article from Issue 218/2019
Author(s):

Modern cyberwarfare and its resulting monetary allocations have significantly impacted the exploit market, but where does that lead?

In October 2018, at a European Union data privacy conference, Apple CEO Tim Cook attacked competitors, Facebook and Google. According to Cook, Facebook and Google's business models had become a "surveillance industry" and likened their services (unlike Apple's devices) to a "data industrial complex" [1].

Analysts quickly agreed that Cook's underlying intention might have been to spin better public relations for Apple after several unfriendly articles about Apple's tax-evasion strategies. However, Cook's comments provoked more than the expected rebukes from Google and Facebook – it drew the attention of people who have been following American politics and military strategies since WWII.

Many were reminded of US President Dwight D. Eisenhower's legendary farewell adress in 1961. The former five-star general and commander of Allied forces in Europe warned the American public about the risks and dangers the "military-industrial complex" (installed during and after WWII) posed for the free and democratic Western world. Even though Eisenhower wrote his speech in a time when tanks and oil dominated warfare, some of his words remain as powerful today as they were during the cold war [2].

Today, this military-industrial complex has advanced into a new domain: If data is the new oil [3], then access to data is crucial for corporate and national prosperity. Detailed information about people and companies is considered the decisive factor in elections, polls, and nearly every product's selling point. The more the government and companies know, the better, as witnessed by the size of the NSA's hard drives and data centers. Needless to say, the Big Four (Facebook, Google, Apple, and Amazon) hold many keys in this game, which also makes them a target for hackers – much like certain operating systems are targeted. Data breaches happen: In September 2018, Facebook reported a cyberattack that affected 30 million users; just a few weeks later, Google admitted that its social network Google Plus had been compromised since March 2018. In both cases, "software glitches" had been exposed and used by hackers to access customers' data.

Windows, Android, and iOS are known for their flaws and backdoors, as shown by a recently published German government report on IT security [4]. Hackers continue to reveal zero-day exploits (see the "What Is a Zero-Day?" box), like when SandboxEscaper recently disclosed a new and scary Windows problem [5]. Security holes like the new Bleedingbit vulnerability for Cisco, Meraki, Aruba, and other wireless access points [6] show that even hardware isn't immune; this is a general IT problem, one that cannot be solved through open source alone.

What Is a Zero Day?

A "zero day" is a software bug, a vulnerability that has not been patched by the vendor. It usually is unknown to those responsible for closing it, which would prevent third parties from gaining unauthorized access. It's like knowing about a house's unlocked back door. At the moment, nothing serious has happened; whoever finds the unlocked back door might just inform the owner, who could then lock the door or fix the lock. Zero day references the fact that the home owner or software vendor has zero days of knowledge about the flaw. Once informed, the time counter starts, and the zero day is not a zero day anymore.

On the other hand, a less honest person might sell that back-door knowledge, maybe anonymously, to a third party, perhaps on the darknet. Let's assume the back door was locked, but a lock-picking burglar found a way to open the lock with a specially created key (i.e., through "advanced" technology). The third party might be ready to pay even more now, so the burglar might sell the key and the information to them. In IT, this key would be called an exploit, in this case a zero-day exploit. Using this exploit to enter the back door would make this a zero-day attack. With a Windows, Apple, or Android operating system monoculture, imagine huge neighborhoods of homes that all share the same bad, exploitable back-door lock: Once uncovered, every house is vulnerable until every single owner has fixed the flaw.

Of course, this kind of knowledge might be valuable to more than just criminals searching for treasure. A widespread open backdoor gives governmental intelligence an untraceable means for slipping through security to install spyware, bugs, or other surveillance equipment – and there is a lot of proof that these intelligence services are busy now acquiring zero day exploits.

The Exploit Market

Over the past decade, fewer and fewer exploits seem to be available, and at much higher prices than before. Depending on who you ask, you will hear different reasons for this. Activists and politicians claim that a financially well-equipped (read tax money) malware-digital complex keeps stockpiling and buying exploits so that there are simply no other influential buyers available. If a hacker finds a flaw, he'll sell it to the military or an affiliated institution and happily receive a decent reward. Early in 2018, Motherboard published a 2015 letter [7] from the Israeli Ministry of Defense asking hackers for zero-day exploits (see Figure 1).

Figure 1: In 2015, Israel's Ministry of Defense asked hackers to send them their newest zero-day exploits [8].

In the broader security world, few people were surprised by this letter being sent out to various companies. More interesting was its openness and clarity, since in 2015 it was not public knowledge that Western nations were involved in buying zero-day exploits. That knowledge came later, mostly in 2016 and 2017. In the US, the Vulnerabilities Equities Process (VEP) [9] was developed in 2008/2009 but was only unveiled in 2016, after the Electronic Frontier Foundation (EFF) filed a Freedom of Information Act (FOIA) request [10]. This was followed by a wave of ethical, philosophical, and political discussions circling around the question of whether a democratic state should engage in this type of activity.

Shadow Brokers and the VEP

In spring 2017, The Shadow Brokers (TSB), a hacker group said to have close ties to the Russian government, published several controversial NSA documents and tools. According to TSB, the NSA had been stockpiling exploits for Microsoft Windows and the international banking software SWIFT. TSB published proof of the claims, showing how US tax money had been used to put Windows users and banking customers in danger of being compromised rather than protecting them by informing Microsoft and the banks. The NSA's embarrassment over being hacked, which proved them incapable of protecting their own secret hacking tools, didn't last as long, though.

As one of the consequences, the US government took a more transparent approach in explaining the VEP in November 2017 [11]. Today, an Equities Review Board (ERB) decides on actions. The ERB meets monthly (or in emergency situations), and its members come from the US departments of Treasury, State, Justice, Energy, Defense and Commerce, the Office of Management and Budget, the CIA, and the Department of Homeland Security. With the NSA as the executive entity, the ERB follows four steps:

  1. Submission and notification
  2. Equity and discussion
  3. Determination to disseminate or restrict
  4. Handling and follow-on actions

Criticism of the VEP noted a number of deficiencies, from non-disclosure agreements to insufficient risk ratings to special treatment of the NSA to a missing default disclosure policy. While on paper the standard action defaults to disclosure, there are too many options to circumvent full discosure. Another unanswered question is whether these cyber weapons fall under the jurisdiction of any existing international arms treaties.

The Cold War Onward

If you take a deeper look at the history of cyberwarfare in the US, some surprising facts pop up. Perhaps the oldest record of an offensive cyberwar attack by the US government dates back to 1982 – if you believe Thomas C. Reed, an Air Force secretary in the Reagan administration, who claimed that a Trojan in CIA-doctored software was responsible for blowing up a Siberian gas pipeline [12]. It's a long read from there to Natanz, Iran, where alleged American-Israel cooperation sabotaged a nuclear facilities' centrifuges via Stuxnet [13], a malicious computer worm. Whereas Soviets denied US involvement in the 1982 explosion, the Obama administration half-heartedly admitted involvement in Stuxnet in Natanz (see the "Stuxnet and Wannacry" box for more information on two of the most successful malware attacks with government ties). Wikipedia offers a long and interesting entry on US cyberwarfare history [14], including a timeline. Then there is Donald Trump's National Cyber Strategy from September 2018 [15] (see the "DoD Cyber Strategy" box). Last, but not least, the United States Cyber Command (USCYBERCOM) "has the mission to direct, synchronize, and coordinate cyberspace planning and operations to defend and advance national interests in collaboration with domestic and international partners" [16].

DoD Cyber Strategy

The Department of Defense (DoD) Cyber Strategy 2018 outlines the following core points [19]:

"First, we must ensure the U.S. military's ability to fight and win wars in any domain, including cyberspace.

"Second, the Department seeks to preempt, defeat, or deter malicious cyber activity targeting U.S. critical infrastructure that could cause a significant cyber incident regardless of whether that incident would impact DoD's warfighting readiness or capability.

"Third, the Department will work with U.S. allies and partners to strengthen cyber capacity, expand combined cyberspace operations, and increase bi-directional information sharing in order to advance our mutual interests."

In addition, the strategy puts forth the following objectives:

  1. "1. Ensuring the Joint Force can achieve its missions in a contested cyberspace environment;
  2. "2. Strengthening the Joint Force by conducting cyberspace operations that enhance U.S. military advantages;
  3. "3. Defending U.S. critical infrastructure from malicious cyber activity that alone, or as part of a campaign, could cause a significant cyber incident;
  4. "4. Securing DoD information and systems against malicious cyber activity, including DoD information on non-DoD-owned networks; and
  5. "5. Expanding DoD cyber cooperation with interagency, industry, and international partners."

Stuxnet and Wannacry

Stuxnet targeted supervisory control and data acquisition (SCADA) and programmable logic controllers (PLCs). It was so sophisticated that even experts failed to believe their eyes when it was discovered in 2010. Stuxnet attacked SCADA systems in Iran, combining four zero-day exploits (e.g., in the Windows operating system) and targeting PLC in order to falsify sensor data.

While SCADA provides GUI and high-level management, PLCs are usually the machine interfaces in industrial environments. With its roots in the 1960s, SCADA is basically used everywhere today, from power plants to any kind of industrial or commercial device or machinery. SCADA's age is also its main problem: There are huge security issues, most of them systematic, in data encryption, verification, or a complete lack of any security layer.

Stuxnet consisted of three components: a worm, a link file, and a rootkit. It was transmitted even to air-gapped systems through compromised USB sticks. The 2016 movie, Zero Days, explains why it's highly likely that Stuxnet was an Israeli attack with a US-built tool. The movie also includes the interesting diplomatic background story [17].

Analysts likened Stuxnet's use to "opening Pandora's box," since it legitimized for the first time digital warfare through sophisticated malware that was constructed by intelligence services with visible results. Furthermore, the broad public analysis brought about massive publications on the attackers' functions and proceedings. In late October 2018, news from Iran claimed a second similar attack, dubbing it Stuxnet II [18].

A few months after TSB released a bunch of the NSA's secret backdoors and tools, a worldwide cyberattack, using the ransomware Wannacry, rendered hospitals (much of the UK National Health Service), institutions, and millions of computers unusable. Until May 2017, Wannacry is said to have successfully attacked several hundreds of thousands of PCs in hundreds of countries, causing up to billions of dollars of damage. The NSA had known about EternalBlue, a Samba flaw used by Wannacry, and deliberately not told Microsoft. Microsoft, however, discovered the backdoor on their own and fixed it for their most recent systems. However, not all customers had applied all necessary updates, and users of older versions were on their own for even longer. The USA, UK, and Australia said North Korea was the creator of Wannacry.

Within the vast body of literature regarding US cyberwar strategy, the recent German publication Cyberwar – Danger from the Network, by Constanze Kurz and Frank Rieger (from the Chaos Computer Club Germany and the renowned Netzpolitik blog) provides insight into modern cyberwarfare tactics and strategies [20]. Kurz and Rieger deal with a variety of topics, including Stuxnet and the impossible task of deterring enemies, and they explain in detail why classical warfare and intelligence work won't succeed in cyberspace, but will waste taxpayers' money to a previously unseen extent.

Often cyberattacks are an attempt to hide prior failed covert activities to prevent discovery by enemy intelligence services or – at worst – secret tools being compromised. Standard tools, like the Territorial Dispute function used in government malware, check for the presence of other malware on the system before taking further actions. Territorial Dispute is one of the first functions called by the malware, right after a successful system break-in. Like an intrusion detection system or antivirus software, Territorial Dispute scans the machine and its files and returns errors such as "go get help immediately", "friendly service", or "get out of here" – it's a scanner for other malware! Kurz and Rieger's story gets even crazier: Future high-end malware will wait for Territorial Dispute's scan and force it to return the "get out of here" value immediately as a defensive mechanism. For the attacking intelligence service, a failed attack is far less dangerous than being caught or having their tools compromised. Kurz and Rieger's book also gives insight into where all the money is going.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95

News