Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Tags: #General, #security, #Computers
Reverse Deception: Organized Cyber Threat Counter-Exploitation (111 page)
Step 5: Reduce Infrastructure Costs (Victim: Rackspace)
More than 100,000 customers around the world use Rackspace’s web-hosting services in the cloud. Its client base includes over half of the Fortune 100 companies. Wow, what a great asset to control! Even if this were the only company that was exploited by the APT, it would be a gold mine.
More and more companies are looking to the cloud for storage and computing services, as it is an economical solution. As companies migrate to using the cloud and other creative solutions, the business of compromising those solutions becomes more lucrative to the adversary.
The Rackspace exploit is an interesting study in that, as with other service organizations, this penetration gives unrecognized access to all of the company’s clients because there is no differentiation between malicious and legitimate access. Long-term penetration in a company like Rackspace could be used as a launching point for future exploitations throughout an industry of the adversary’s choosing.
Step 6: Repeat Steps 3–5 (Victims: Adobe and Northrop Grumman)
The exploit has also victimized Adobe and Northrop Grumman. Much like Rackspace and the others, these two companies touch hundreds and hundreds of customers worldwide.
Interestingly enough, all the victims listed have published active services running on different ports for various reasons. It is like the road map to exploitation is given to the adversary in the same way as it is given to the network defenders, but for the exact opposite purposes. This information can either be used to help program and license validation or as an inherent vulnerability to assist the APT owner maintain access.
One thing is for sure: a major change in how we do things must take place if there is going to be any marked increase in computer security. And we must broaden our perspective of what we are willing to consider as imperative to computer security.
APT Investments
Business leaders must understand that APTs are threats that are designed to defeat an organizational pattern; in other words, they are tailored for a specific purpose. Tools and techniques to defeat APTs cannot be single-focus, and they are not enough to secure a corporation. Defense-in-depth is considered a good start in an increased information assurance and computer network defense posture designed to prevent APTs. If there were a barometer that indicated how the APT battle were going, consider that in many cases the resources required to muster a formidable response to an APT are equal to or greater than the initial investment by the adversary. The numbers are definitely against businesses, and the trend is not a favorable one.
Although APTs require a more substantive investment, their payoff is more lucrative and therefore makes good business sense. If you invest $100 and your return is 5,000 percent, that’s an incredible investment. With an ATP, we could consider a return of well over 10,000 percent or higher. Any accountant worth her weight in salt would see that the cost-benefit analysis of investing in ATPs is a moneymaker. Also, because ATPs are made for specific targets, the adversary is not plagued with gigabytes of potentially useless data. Oh sure, there is benefit in all that data somewhere, just like spending every day in the sun on the beach mining a few pennies here or there. How much better to get trained and master investing in the stock market, and then relax on your beach vacation while you watch others scrap for the pennies in the sand?
APTs and the Internet Value Chain
Quietly sipping a latte and sitting in the shade of the tall trees that line the river Styx, where the butterfly of reality meets the dragon of fate, there’s hell to pay
.
—Anonymous
The Internet value chain is unique in that it closes the gap between tangible and intangible value. This can be observed by the increasing blur between traditional and virtual economies.
It’s All Good(s)
The issues surrounding virtual “property” have increasingly been in the forefront of civil and criminal law, taxation, and even human rights (“Chinese Prisoners Forced to Play World of Warcraft, Detainee Says,”
FoxNews.com
, May 2011). Originally framed as a copyright issue as traditionally analog media (music, photographs, and video) was digitized, current discussions include ownership of UGC, probate law on digital accounts and data, and virtual economies.
The original virtual economies were designed as an augmentation of multiplayer online games, and the virtual money is typically referred to as “in-game currency.” In many games, the currency, and hence the economy itself, is designed to be completely isolated within the game. This is no different than the purpose of fake money used in the original Monopoly game.
Other games, such as Second Life, actively support not only the exchange of real money for in-game currency, but also allow for a market of user-generated digital “goods.” This means that users can actually earn real-world money for their work and interaction in a virtual world. And involving real money naturally fosters crime and other human rights concerns (“Economy Second Life,” Wikipedia).
The impact of an APT on a virtual economy might seem obvious. But apart from the potential losses of the players or the game company itself, such a threat might not seem notable. The reality is that market trends and technology development are creating an emergent effect where the systems that manage our real and virtual goods, currencies, and economies are directly connected to each other (“Electronic Money,” Wikipedia).
An example of this convergence is the technical and social developments of a cyber currency called Bitcoin. Based on a document released in 2009 by someone using the name Satoshi Nakamoto, Bitcoin is a complete currency system that aims to support resiliency, privacy, and some anonymity (“Bitcoin,” Wikipedia).
At the level of technological implementation, Bitcoin includes sophisticated components to manage currency creation and internal coin exchange between users. Like any similar system, both the technical complexity and social novelty provide potential attack surfaces for an adversary (“Setbacks for Bitcoin, the Anonymized, Digitized Cash,” Nick Judd,
TechPresident.com
, June 2011).
One such example is the recent cyber theft at one of the largest Bitcoin currency exchanges, Mt. Gox. Like any other traditional currency exchange, Mt. Gox allows individuals to purchase and sell currency. Unlike traditional exchanges, however, Mt. Gox also incorporates multiple cyber currencies in the exchange.
A hacker used a very simple and traditional attack (SQL injection) to gain administrative access to the system. The hacker then altered the database to add fake US dollars and fake Bitcoins to the administrative account now controlled by the hacker. Then the real attack began. The hacker dumped the Bitcoins on the open exchange, prices crashed from over $17 per Bitcoin to mere pennies, and the hacker “purchased” 2,000 legitimate Bitcoins before the site was shut down (“Phony Bitcoins caused MT Gox virtual currency crash,”
Finextra.com
, July 2011).
Note that the only part of the Bitcoin system itself that was exploited in this attack was the anonymous nature of all Bitcoin accounts. This is an explicitly designed function that is still touted as one of the advantages of Bitcoin over traditional currencies that are controlled by nation-states and regulated financial institutions.
This attack also illustrates the key fear of the emerging interconnectivity within and across Internet value networks: without understanding the diversity of value and value exchanges in a network, we can’t create an accurate model of the network. Without a model, we can’t instrument the systems to detect penetrations, let alone understand adversary motives. Without motives, we can’t predict means. And without means, we can’t understand the second-and third-order effects of an APT.
And that is the crux of this chapter: as our global tangible and intangible value systems are increasingly interconnected at all levels of the system, we argue that the unforeseen network effects of an APT can approach the realm of an existential threat.
But how do we quantify this intuition and concern? What defines the limit of interconnectivity in a value system? Do we draw a line where the second level of abstraction is, or at the third? How far from the core of the value system do we look to identify things that positively or negatively affect that overall value system? The level of risk associated with this is now up for debate, leading to the investigative action needed to assess how we explore that in a structural fashion.
Bitcoin in the Future?
Imagine that Bitcoin continues its current trend as an ungoverned, transparent, and relatively anonymous currency system. As the adoption rate grows and matures, more and more services are available via Bitcoin. In this scenario, not every type of value or money needs to be directly exchangeable for Bitcoin. There is sufficient risk if Bitcoin is “upstream” of a key process within a value network.
So in this future scenario, Bitcoin has been adopted by the leading remittance service FilTranz (fictional), which allows migrant and nonnative workers in the developed world to send money to their families in their native country. Cross-border remittance quantities are significant and expected to grow in the future (for Filipino workers, in the first four months of 2011, this amounted to over $6 billion, per “Overseas Filipino Remittances,” published at bsp.gov.ph).
To build and support its business, FilTranz creates and publishes an application that ties into the various social networking sites used by migrant workers. This application allows the workers to easily send money to their family or anyone else in their social network.
Hackers looking to steal Bitcoins en masse follow a simple recipe:
Create a FilTranz account.
