Cyberattack.... The Invisible War

Computer, engineering, and other technical assistance.

Moderators: genlock, sportsvoice

Post Reply
CoolBreeze
Member
Member
Posts: 1874
Joined: Mon Sep 05, 2005 10:30 am

Cyberattack.... The Invisible War

Post by CoolBreeze »

In June, hackers took down cia.gov, compromised the main site of the United States Senate, and shut down an Atlanta-based website devoted to tracking cybercrime.

The same month, hackers released personal information—names, addresses, phone numbers, complete online details—for Arizona police officers, painting a target on men serving in one of the most dangerous parts of the country. By comparison, the tens of thousands of online passwords and bank accounts compromised this year might seem less important, but these could still have both societal and military implications.


Millions of computers have been compromised and are sometimes used by hackers without their owner’s knowledge or permission to launch attacks. It was this sort of blunt attack that crippled Estonia in 2007—proof positive that an entire nation can be brought to its knees by even a crude cyberattack.

In previous years, the vast majority of cybercrime stories in the news were about blunt attacks: lots of compromised computers overwhelming a network with too much data. Though this requires little sophistication, its effectiveness as a military device is proven.

This was what crippled Estonia in 2007, in the first concerted attack on an entire nation’s computer systems. At the height of Estonia’s weakness, ambulance and fire services were down. The attack affected the websites of the presidency, the parliament, almost all of the government ministries, political parties, news organizations and banks. It is possible that more than a million computers were on the attacking side. Though the details of the Estonia attack were somewhat unique, one aspect of it returns in every form of cybercrime: Its nature made it impossible to positively identify the attacker. Was it the Russians? Probably—but how can a nation respond based on probabilities? And was it the Russian government, or rogue hackers in their basements? There’s no way to know. New technologies coming online make it virtually impossible to trace attacks back to their point of origin.

Humbling Sony

One of the highest-profile hacks in the last year was when 21-year-old George Hotz—known in the hacking community as “Geohot”—in January compromised the Playstation 3 (ps3), giving users complete access to the video game console. Just another video game device? No. The ps3 is a computer—a supercomputer, by some definitions. In 2009, the U.S. Department of Defense bought 2,200 ps3s to supplement its supercomputer cluster, which itself was implemented on 336 ps3s. Long story short, these are powerful machines. A couple of months later, Sony was briefly in danger of losing control of all its consoles.

In April, after penetration by hackers, Sony took down its entire ps3 network for more than a month, leaving its customers unable to play games or music online. Why? A primary reason had to be this: Sony didn’t want to be responsible for the largest botnet the world has ever seen. Hackers might have used Sony’s own update mechanism to take over millions of consoles—many times the computational power that took down Estonia.

Sony has sold over 50 million ps3s, and these machines are all over the world. “With an army of literally millions of zombie ps3s under their control, hackers would own a supercomputer at par or superior to those possessed by most nation-states, and they wouldn’t even have to foot the power bill” (Register, April 29).


It may seem to some that the losses corporations have suffered in the last year are simply a matter of poor security that needs to be corrected. Make no mistake: Security lapses do account for almost every successful hacking attempt, whether it’s Sony, Paypal, Apple, or the security specialists themselves. But no computer is totally secure. “The only secure computer,” wrote former hacker Paul Day, “is one that is disconnected from the Internet, turned off and locked away in a cupboard.” At times, the hackers even hack each other.

On February 4, the ceo of HBGary Federal—a highly respected security firm—announced that he could identify the leaders of several founding members of Anonymous, a group well known for going after the Church of Scientology, as well as hacking MasterCard, Visa and anyone else it deemed as an enemy of WikiLeaks (an organization that, itself, has made its name by profiting from gross examples of cybercrime).

By February 6, the ceo’s Twitter account was under some hacker’s control, and his mobile number and Social Security number had been published. By February 7, Anonymous had “exposed Social Security numbers, publicized private e-mails, deleted company files, replaced the phone system, and attacked the LinkedIn accounts of employees …” (PCMag.com, February 7). The security company’s reputation was crushed. One report said that even the company backups were deleted. But again, no one knows who carried out the attack.

If angry hackers can humble Sony and security professionals, don’t think governments are immune. Since June, there has been a major cyberattack on the International Monetary Fund, a defacement of the cia website that led to the publishing of its member database, and a penetration of Senate e-mail. These hacks all made the newswires. But we should hardly believe that governments and corporations feel a duty to report to the public anytime a breach occurs.

The Achilles Heel

When the U.S. military created the arpanet, predecessor to today’s Internet, the idea was to create communications that could not be disrupted, even if large portions of the network were destroyed by war or natural disaster. But now everyone uses the Internet, and the thing that made it so appealing—its broad-based structure—has become its greatest weakness. Disruption of the Internet can upset everyone’s way of life, our communication systems, our financial systems. And the military may be the most vulnerable of all.

“One of the main reasons we won World War ii was because the British broke German radio code. We knew about most of their war plans in advance! Quite a gigantic advantage. Some experts think we would have lost the war without that knowledge,” he wrote. “We could lose the next war before we even begin, if somebody breaks our military codes.”

Clearly the United States is at terrible risk because of its technological dependence. Military codes, the U.S. power grid, the systems that keep Hoover Dam and other dams from releasing a flood—even nuclear power plants—all rely on computer systems that are vulnerable to cyberattack.

These types of breaches have already occurred. In 2010, the U.S. military bought 59,000 microchips that turned out to be counterfeits from China. In 2008, the most significant breach of U.S. military computers ever occurred. U.S. Deputy Secretary of Defense William Lynn explained it: “The flash drive’s malicious computer code, placed there by a foreign intelligence agency, uploaded itself onto a network run by the U.S. Central Command. That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary” (Foreign Affairs, September/October 2010).


We now see frequent cyberattacks on government facilities. Pentagon computers are probed 250,000 times per hour for vulnerabilities, according to the head of the U.S. military’s Cyber Command.


We have reached the stage where computers are used to fight against corporations, against police officers, against our military. We have witnessed a demonstrated capability to take out industrial facilities with weapons like Stuxnet. If we couldn’t clearly see the danger posed by our technological dependence 20 years ago, we should certainly see it today. It is all around us.
"I know I've got a lot against me: I'm White, I'm Protestant, I'm hard working. Don't you have an Amendment to protect me"? Archie Bunker
Post Reply