Scenes from the 2010 Cyberwar between the US and China
Marcus J. Ranum
CSO
Tenable Network Security, Inc.
Joking Aside
• There is a tremendous amount about the “cyberwar” rhetoric that utterly puzzles me
– I’d like to share my puzzlement with you
The Run Up
• Some historians date the beginning of the cyberwar to May 19, 1998
– Peiter Zatko (AKA “Mudge”) testimony to Congress claiming “I could take down the entire Internet in 30 minutes”
– Based on
• publication of books like “Hacking Exposed”
• organizations like SANS training thousands in penetration testing
• annual DEFCON attendance
The Run Up (cont)
– People’s Liberation Army commanders determine that they have a “hacker gap” and begin a cyberwar catch-up program
• First step: recruit and train 180,000 cyberwarriors
Joking Aside #1
• It’s extremely weird that the US is complaining so much about hostile “cyberwar” preparations considering that we’re the most open about:
– proliferating “cyberwar” technologies (think: Core Impact, Metasploit)
– training and promoting hacking techniques (think: Hacking Exposed, SANS, DEFCON, pwn2own)
Joking Aside #1 (cont)
– DARPA is constantly funding research in security technologies (Mudge is now a program manager there)
– We “own” the search engines (think: what value would there be to knowing what the whole world’s searches look like?)
– We publish more articles on hacking technique than anyone else
Accusations of Targeting Dissidents
• The Chinese Government is accused of targeting dissidents’ accounts on Gmail
– Additionally, researchers working on analyzing botnets discover huge botnets and an apparent focus on collecting information on dissident activities
Joking Aside #2
• Meanwhile, it is revealed that every major carrier in the US sells wiretaps
– What? It’s a profit center
Accusations of Censorship
• China, of course, practices censorship
• Thursday Jan 10 2010:
– “Hillary Clinton today called on Beijing to hold a thorough and open investigation into the hacking of human rights activists' email accounts”
Joking Aside #3
• Every ISP in the US is required to retain a variety of transactional data in case the US Government wants it
– I.e.: the FBI doesn’t need to hack, just ask
– At least we were smart enough to require the ISPs to retain the information at their own expense
Joking Aside #3 (cont)
• I wonder whose capabilities are more advanced, the US’ or China’s?
– Either way: it sucks being a “dissident” or a “terrorist” or “online sexual predator” or whatever excuse du jour works to justify government snooping
Joking Aside #4
• I probably shouldn’t even mention 18 USC 2257
– Intended to protect children’s eyes from crippling pr0nzography
• It has been repeatedly found to be unconstitutional but a mix of administrations’ Justice Departments keep re-tuning it and trying to put it back in place
– At an enormous cost to taxpayers
• At least we can see online video of Tiananmen Square, though, thank goodness!
Suppressing Dissidents
• March 2008: The US DOD considers hacking WikiLeaks in order to shut it down
– Chinese Government spokesperson calls US Secretary of State Hillary Clinton “a big fat hypocrite” (OK, that didn’t happen)
The US Fires Back (albeit in a different direction)
• US officials encourage Twitter to stay online in Iran to support organizers of anti-government protests that are using Twitter to coordinate operations
– The Iranian government is not amused
– June 2006, Congress targets social networking sites for data retention
• Presumably the FBI could get access to those tweets but nyah nyah you Iranian secret police can’t have ‘em!
Joking Aside #5
• March 2010, Iran arrests 30 in US-inspired “cyberwar”
– Twenty-nine websites hacked to prevent further espionage, Iranian government says; among other things, they were distributing US-made anti-censorship software
• I wonder if it was Tor, or what?
180,000 Script Kiddies
• Classified FBI report on Chinese cyberwar capabilities is shown to a reporter
• Note: Yes, the FBI is in the business of leaking its own classified materials
– Report alleges 180,000 Chinese cyberwarriors
– Report alleges these spies launched 90,000 attacks last year
Joking Aside #6
• That’s 1/2 attack per cyberwarrior!
• Thought:
– they should download Metasploit
• This is unbelievably lame! Are they going to do a human wave attack?
Charges of Cyber Economic Espionage
• Too many instances to cite; tremendous concern voiced in Washington by FBI and others regarding Chinese cyberespionage aimed at economic information
Joking Aside #6
• Duh?
But, Seriously… Case Study
• 3Com founded in 1979
• 3Com initial partnership with Huawei formed Chinese subsidiary H3C in 2003
• Manufacturing and R&D done in China
– Build LAN switches, routers, firewalls, etc.
• Then Huawei starts competing with US router manufacturers like Cisco
– Lawsuits start, etc.
Case Study (cont)
• How to steal intellectual property from capitalists:
• Offer them a new tax-free home in a place where manufacturing is cheap
• This is nothing new! It has been going on since before the industrial revolution… and it’s a lot easier than stealing it over the Internet
More Cybereconomic Espionage
• 2003: In order to secure access to the Chinese market, Microsoft “opens source code” to the Chinese Government
– Chinese are concerned about trapdoors and want to look at it
– Government also wants to know how to write better spyware for watching its citizens
Joking Aside #7
• How do you steal economic secrets from a capitalist?
A) Ask nicely
B) Threaten them with Linux
C) Dangle an opportunity to penetrate a new market
D) Make protectionist rumbles
E) All of the above
Back To the FBI Report
• FBI report contains the spine-chilling claim of “WMD-like destruction capabilities”
– If hearing about branches of the US Government’s intelligence apparatus talk about WMD doesn’t make you run for cover, you must have been sleeping under a rock the last decade
“We are fighting and losing….”
• Defense contractors Booz Allen Hamilton run a “training exercise” for the US Congress called “Cyber Shockwave”
• The scenario is, <sarcasm>“credible”</sarcasm>
– A worm in smart phones
– Data networks collapse under DoS
– Which takes down Wall St
– Air travel is disrupted
“We are fighting and losing….” (cont)
– We all know that having “air travel disrupted” results in massive economic damage, civil unrest, and cannibalism
• Like the way Europe fell into chaos following the Icelandic volcano’s ash cloud
• Joking aside, the BBC did report that some retailers in Hong Kong ran out of sales stock of Belgian chocolates
– OMG! Teh horrorz! Teh horrorz!
“We are fighting and losing….” (cont)
– and then the US collapses into chaos when people’s iPads break
– But the real icing on the Cyber Shockwave cake happens when “IEDs are used to destroy part of the power grid”
• What?!
Joking Aside #8
• Scenarios like that make me wonder if the guys who are writing the scenarios understand networking or how networks collapse under load
– It sure takes down your inline command and control
– If it takes actual acts of physical war to make “cyberwar” work, what’s so “cyber” about it?
• Compare/contrast with “commando operations”
Economic Collateral Damage
• CIA and FBI say that the US “Smart Grid” power systems are broadly compromised by state-sponsored hackers
Joking Aside #9
• US power companies bid on $3 billion+ program to help China build its own “Smart Grid” for future power
– Sheer marketing genius!
– “Buy our technology! After all, it’s so user friendly even a 15 year old living in his mom’s basement can control it!”
Some Serious Thoughts for a Moment
• If I may
What’s Really Going On?
• There is a revolving door between spooks in the intelligence community and beltway bandits
– The guys hyping this stuff are mostly former NSA/CIA types
• It’s the China Cyberwar Economic Stimulus package
• They’re greedy bastards whose lust for a quick buck is probably a bigger threat to our security than anyone hostile to us
“Specialize in diseases of the rich…” – Tom Lehrer
Marx May Have Been Right
• How Do You Defeat a Capitalist?
– Load it down with enough parasites that it dies of blood loss
• One of the quotes that sticks in my mind from researching this:
– “Chinese hackers even managed to penetrate DHS’ $1.5 billion network…”
• WTF are they using to build networks these days, platinum Cat-5? Louis Vuitton routers?
Cybercriminal
• Agenda:
– Diffuse and profit-driven
– Tactical: short-term
• The threat:
– Profitable “hit and run”
– Cannot eradicate: more will take their place
– Creative
– Rapidly shift to where the money is
Cyber Spy
• Agenda:
– Surreptitiously gather secrets
– Suborn and manage trusted agents in critical positions
– Strategic: long-term
• The threat:
– The cyber-era simplifies some technical aspects of espionage a bit while complicating others a bit
Cyberterrorist
• Agenda:
– Ideological maximum-damage, maximum-profile, highly visible attacks with no restraint
– Tactical: “Hit and run” to cause fear
• The threat:
– Targets will be civilian infrastructure where attacks result in explosions, destruction and death
• Power, water, oil, shipping, vehicle control
Cyberwarrior
• Agenda:
– Be prepared to attack/degrade/penetrate enemy command and control systems as an adjunct to physical military operations
– Strategic: long-term covert warfare
• The threat:
– Targets will be high-value, high-cost, and will have varying “hardness” against attack
Agenda Mis-Alignment
(rows: actor; columns, in order: Cybercriminal | Cyberspy | Cyberterrorist | Cyberwarrior; cells listed in the order they appear on the slide)
Cybercriminal: Compete | Provide cover | Provide cover | Provide cover | Interfere with ops | May provide tech | Interfere with ops
Cyberspy: No effect | No effect | May detect | Counterintelligence | May compromise ops
Cyberterrorist: No effect | No effect | No effect | No effect
Cyberwarrior: No effect | May interfere with ops during a conflict | No effect | Direct engagement during a conflict
Defense Strategies
Response, by target: Government | Private Sector
Cybercriminal: “typical computer security” (firewalls, antivirus, patch management, IDS, system log analysis) | “typical computer security”
Cyberspy: Counterintelligence + “typical computer security” | Expect the government to deal with it
Cyberterrorist: “typical computer security” | “typical computer security”
Cyberwarrior: Counterintelligence + “typical computer security” | Expect the government to deal with it for anything beyond “typical computer security”
And There is the Rub
• There’s nothing more than “typical internet security” or counterintelligence
– There are no secret government-only doodads to add atop “typical internet security” because if there were, they’d already be commercialized (thanks capitalism!) and everyone would have them
– Counterintelligence is too expensive
• Except for the free-lance counterintelligence effort we call “the honeynet project”
What Scares Me Most
• “We” are about to be browbeaten into giving $billions to the same idiots who built the government’s current networks, in the name of improving them to be more secure
– Give more money to the person who caused a disaster and what you’ll get is a bigger, better disaster
• Think $1.5 billion for the DHS network; what will the ‘secure version’ cost?
The Cyberwar of 2010
• Didn’t happen, of course
– What did happen is that the money-valve has been jammed permanently into the “ON” position
– Security will get no better