2011 was a watershed year for cybersecurity, but it was evolutionary rather than revolutionary. Political hacking, industrial skullduggery, drones gone wild, and mobile malware all made 2011 a year, to borrow CrucialPoint amigo Matt Devost’s phrase (since I’m already borrowing his image for the post graphic, why not?), to live cyberdangerously.
The Rise of the Political Hacker
Anonymous was, in many ways, the biggest cybersecurity story of 2011. You couldn’t go anywhere without hearing about a high-profile Anon #Op. From HBGary to the Mexican drug cartels, targets far beyond Anonymous’ original punching bag–the Church of Scientology–were attacked. While it may be a stretch to say that Anonymous affiliates’ campaigns against the Egyptian and Tunisian governments ignited the Arab Spring, they did play an important role in unearthing information that helped fuel protests. Anonymous’ virtual support for the Occupy Wall Street movement also helped the movement multiply, although there’s some dispute as to how deep (or effective) their movement really was. Less glamorously, Anonymous affiliate LulzSec cost Sony $171 million by shutting down the online PlayStation Network for 44 days. Anonymous affiliate AntiSec’s attack on political risk company STRATFOR capped an extremely busy year for Anons. 2012 will probably feature even more hacks–not for money, but for, as they would say, the lulz.
Duqu and Industrial Cyber Operations
Duqu seem to share a common resource base, code base, and methodology in loading and running executables. Essentially we can think of the ways Duqu and Stuxnet install and launch themselves as being similar enough to warrant either worry that it is the same perpetrator of Stuxnet, or that they have access to the source code of the Stuxnet threat. …At first, Duqu was largely reported to have come from the same folks who created Stuxnet. This simply doesn’t have to be the case. The techniques could have been copied or even stolen wholesale by the malware authors. Duqu also behaves differently and uses different infection methods.
True, Duqu is a spy virus rather than a damage-inflicting agent like Stuxnet. So what’s the big deal? As Bryan says, the problem with Duqu is that the information it collects is probably recon data for future exploits. Stay tuned.
The Advanced Persistent Threat continued to be… advanced and persistent. Only this time the US is caught up in combining cyberforensics with active counterespionage–there is, after all, no such thing as purely defensive counterintelligence. The American probe found 20 groups–most of which have ties to the Chinese People’s Liberation Army–responsible for the vast amount of Chinese cyberspying. The Russians continued to hack and spy for economic and technical goodies too, according to the National Counterintelligence Executive… along with erstwhile US allies also wanting to get their fingers in the cyber cookie jar. Thanks guys (not).
It’s worth pondering this quote from former French intelligence chief Pierre Marion: “It would not be normal for us to spy on the United States in political or military matters, but in the economic and technical spheres we are competitors, not allies.” Whether from the Land of the Pandas or the State of Escargot and Impossibly Cute Audrey Tautou Movies, technical espionage threats exist in both cyberspace and “meatspace” and are likely to continue to be both operational and political issues in 2012.
Drones Gone Wild
In the midst of all of this craziness, the drones went wild. Err, not perhaps the way you might think of it, but something very disturbing happened at Creech Air Force Base. As Danger Room’s Noah Shachtman reported, the drone “cockpits” were infected with a keylogger virus. CTOVision’s Alex Olesker had a must-read blog on why the attack had grim implications for US cybersecurity:
In some ways, the official statement is more worrying than even the most sensational initial accounts as it suggests a disconnect from cybersecurity realities. First, it’s too quick to dismiss what may have been a real threat. According to Microsoft security architects, once a credential stealer gets a foothold on your network, it typically takes between 24 and 48 hours to gain Domain Admin credentials and access to every account and workstation. An anonymous official has claimed that the malware only targets online gaming accounts, but this has not been confirmed or attributed. If the 24th managed to isolate the virus, they may have squashed a nuisance or they averted a crisis. Their confidence in defensive measures is even more unsettling. “Our tools and processes detect this type of malware as soon as it appears on the system, preventing further reach,” the release claims, “We continue to strengthen our cyber defenses, using the latest anti-virus software and other methods.” That the Air Force feels safe behind a cyber Maginot Line, as Professor Rick Forno would say, does not fill me with confidence, especially when the virus has already penetrated “air gapped” systems, the gold standard in network security.
Alex would later return to the subject, reporting on the new details that have come to light in the case:
While Kehler remains very confident in the Air Force’s defenses, he also set more realistic goals in line with a “plan to fail” paradigm. “We see multiple deliberate attempts to try to get into our networks, almost daily,” he noted, but thankfully “the systems that we have put in place to detect such viruses worked… Perfect defense is probably not something we can achieve, but the idea of mission assurance is something we must achieve.” …Still, if current defenses worked as well as the Air Force claims, the virus would not have spread and become so hard to eradicate. The difficulties in cleaning infected computers and identifying the attack vector imply insufficient remediation and forensics tools, important elements of “plan to fail” and presumption of breach based security.
It’s still unclear how exactly the cockpits were infected, and we may not find out for a very long time.
A more mundane, but equally serious, cybersecurity threat has been the rise of mobile malware. Criminals took in $1 billion from Android users, and more feeding is likely to come. Mobile malware-infected apps for Android jumped 472% between July and November 2011 alone. Halfpap had some strong words on the subject:
Android is supposedly secure from the ground up, running a Linux kernel (with many adaptations), a walled-garden application model, system architecture to increase security (DEP, ASLR), application permissions, and more. Unfortunately, holes or bypasses have been found in nearly all of these security features. Some, like the application permissions model, may require significant overhauls in order to maintain security. …The security of the platform in question is not just notable for what has been broken or evaded, it’s notable for what it doesn’t include: fine-grain enterprise management and mature management tools. Android from its inception has been primarily a consumer device and its somewhat meager corporate tools reflect this path.
While the problem seems to be overwhelmingly Android’s, Apple fanboys should not get cocky. A red teamer was able to sneak a malware-laden app past Apple’s walled garden into the App Store. Mac users could face their own potential mobile malware nightmare.
2011 was more cyberdangerous than 2010. And 2012 is likely to also surpass 2011. But while it may seem hard to believe, the greatest dangers in cyberspace for most users are not Anons or master foreign hackers but the online equivalent of petty theft and burglary–or over-friendly Nigerians seeking a business deal. Despite overheated claims of cyberwar, we’re currently enjoying a (somewhat criminally-prone) cyberpeace. But who knows—maybe that’s just the lull before the storm.