May 17, 2014
Attack Of The Super Hackers: A Group Of Ex-Soldiers Crack Safes, Pick Locks, And Steal Data — All In The Name Of Corporate Security
Kenneth Rosen published an online article yesterday, May 16, 2014, on the website — Narratively, with the title above. He begins by outlining a scenario we witness almost everyday. “On a balmy spring afternoon, Ian Amit stands at the counter of Starbucks in Midtown Manhattan. As customers check FaceBook, Twitter, and Gmail, through the free and open AT&T Network, Amit monitors it all. One keystroke could activate a script that would capture all the information passing through the network. He could, but he refrains.” It is not ethical, and in his words, just “less legal.”
“As Director of Security Services for IOActive, a firm that offers comprehensive computer security services, Amit is a problem solver,” writes Mr. Rosen. “Today’s demonstration at Stsrbucks,” he notes, “is a look at Open Source intelligence, or OSINT, and how the trail of data, left by the most innocuous of tasks carried out on SmartPhones, map out day-to-day activities coalesce into vivid portrait of everyone’s lives. As a corporate security specialist, it makes for an easy day’s work.”
“Don’t check your email,” Mr. Amit says, “plugging an external wireless antenna
into his laptop. “He shields his antenna,” says Mr. Rosen, “in his black backpack on the ground. To anyone watching, it looks as if he’s charging his phone and connecting to an external device, as his penetration and security tools boot onscreen in small command windows.” “It’s not about the tool. The tool is irrelevant,” he says once code begins streaming across the screen like out of the 1995 film “Hackers.” “The data is already out there.”
“But, the coffee shop is child’s play compared to his real work,” writes Mr. Rosen, “the clandestine operations known as “red teaming.” “A red team is a group of security specialists, usually with military experience, that functions without much regulation in the private intelligence sector. They challenge organizations to improve effectiveness in security by, among other things, breaking into systems to expose vulnerabilities. While the technique is rooted in military operations, it is frequently used in real world and civilian operations — some of which happen every day, right before our eyes.”
“Though he has the capability to steal a Starbuck’s customer’s identity while they’re waiting for their latte,” notes Mr. Rosen, “Amit is one of the security professionals whose life’s work is keeping data safe. As Amit explains it, most of what we see as security — the two-step passwords, the ID cards — is the idea of security, not security itself. In that way, security efforts rarely focus on the one or two outliers. Rather, they choose to manifest as long lines and security checkpoints, providing a sense of security through large signs and heavily armed guards.” “Security theater,” as it’s called in the business: the TSA agents and Paul Blart mall cops of the world. Red teams, on the other hand, are practitioners in the art of security, attacking from every direction, beyond the metal detectors and security patrols, until they expose weaknesses, and propose fixes to fortify them.”
“Members of these teams are often former military personnel,” says Mr. Rosen, and “are considered, in hacking terminology, “penetration testers.” Amit oversees about a dozen employees, though he contracts out work for different red team operations. Defense and intelligence contracting firms such as IBM and SAIC, as well as a litany of federal agencies, all use teams like this — sometimes referred to as “tiger teams,” — to reverse engineer security processes and business operations — in order to spot weaknesses that would uncover gaps in security.”
“These engagements can cost anywhere from tens of thousands of dollars to upwards of six figures,” writes Mr. Rosen. According to Amit, few know when a team like his is on the job. Maybe one or two of the higher-ups within a company, fearing a major loss, be it through a malicious digital attack or physical break-in, know of the red team’s intentions. But, even they don’t know when to expect them.”
“The particular skill-sets for any red team operation vary on a project-to-project basis,” writes Mr. Rosen. Amit garnered valuable experience — analytical thinking and reasoning, paired with observational techniques that go beyond the passive observer — through his time in the armed forces. He grew up in Tel Aviv, tinkering with computers and gadgets — taking apart televisions, as he puts it, to find the little green man inside — before spending four years in the Israeli Defense Forces (IDF). In the IDF, he was a tank driver, air force cadet and tank company commander.”
“One of the big tipping points for me was the catch-up after four years of almost not touching computers at all. It’s like a decade of computer innovation to catch up with,” he says.
“Due to nondisclosure agreements, following Amit on an operation wasn’t possible” writes Mr. Rosen, “but, he offered insight into malicious software hacking and other digital attacks we might otherwise never see, both on a national and private scale.” “My observation starts with: what is your business about?” Amit says, standing by his laptop, the screen a mix of scrolling white and green text. “What would pain you the most? The teams I would assemble would have these kinds of skill-sets. Everyone’s vulnerable. Running a business is just practicing risk management,” Amit says, “and we just want to practice this better.”
“When assessing why someone would attack a given platform, a red team first look for what they call “threat communities,” said Mr. Amit. “In the case of bank accounts accessed at a coffee shop, it could be other banks trying to gain a competitive edge by scouring the name of its competitor, or the infamous hacking collective Anonymous, simply looking to make headlines, or possibly a bank employee who wishes his paycheck were larger. Then, we narrow it down to threat actors. We get hired to look at this and say, “how would you attack this?” It’s a little easier to gauge the system from both sides, the defender and the attacker — I play both.”
Will We See The Emergence Of A “Dr. No” In Cyber Space?
It is good that there are those cyber white hatters like Mr. Amit; because, we certainly have a large talent pool of cyber mercenaries who hire themselves out to the highest bidder for illegal activities. Indeed, in the September 25, 2013, online edition of Ars Technica’s Dan Goodin had an online article with the title, “Elite Cyber Mercenaries Adept At Infecting Windows And MAC.” He wrote that [cyber security] “researchers from the Russia-based Kaspersky Lab had [then] recently uncovered a gang of [cyber] hackers for hire, who specialize in surgical strikes that quickly infiltrate suppliers to Western companies, steal highly sensitive data, — then vanish.” Icefog, was identified by Kaspersky Lab as the, “group of cyber mercenaries made up of six to ten members who are able to infect both Windows, and MAC computers — with advanced malware that’s extremely hard to detect. Hidden Lynx, was a group of hired hackers that Ars Technica profiled about the time of the September article — that had 50 – 100 members. Mr. Goodin wrote that “in some ways, the Icefog gang is the hacking equivalent of a highly skilled cat burglar who spends weeks, or months learning where to find the diamonds, the fine art in a targeted penthouse so he can break in, immediately steal them, and make a quick get-away.
Last year, The Associated Press published a July 10, 2013 article highlighting a report by British Intelligence noted that nation-states were hiring hackers to launch attacks against their enemies — a trend it described as particularly worrying. Citing testimony from NSA’s British counterpart — the GCHQ — the report described the [cyber] mercenaries as “skilled cyber professionals undertaking attacks on a diverse set of targets — such as financial institutions and energy companies.
David Kearns, writing in the February 20, 2014 online website, Dark Reading, described these cyber mercenaries as “small packs (mostly less than 10 people), have a library of tools that can be combined to attack specific files — at specific sites.”
Geoffrey Ingersoll, writing in Business Insider, last year had an article titled, “Mercenary Hackers Will Turn The Internet Into An Afghanistan-Like ‘Warzone.” Mr. Ingersoll wrote that “Internet dissident and cyber-minded journalist Barret Brown referred to it [the purchase of cyber weapons and cyber mercenary expertise] as the “cyber industrial complex.” “The whole Internet has become Beirut, or Afghanistan, the whole thing is a war zone, basically fueled by nation-states giving money to people who develop these kind of exploits,” [zero-day],” said Professor Peter Ludlow, an Internet Culture expert and Professor of Philosophy at Northwestern University. “The Internet is a dynamic system,” said Professor Ludlow, “any attempt to tame the Internet will likely fail.” Referring to zero-day exploits, Professor Ludlow said “throwing money at the problem isn’t going to solve it. “There is no bottom to the hole when it comes to security gaps. There will always be breaches, and if government and corporations pay, the breaches will just get increasingly more complex and more nasty. If they keep paying for these exploits….you are going to have some very rich virus hunters out there, with incredible resources to continue this. These rich companies intend to see how deep the rabbit hole goes,” said Professor Ludlow, “and the Internet will be dragged along with them.” V/R, RCP
No comments:
Post a Comment