The Insecurity of Security: A Hacking Retrospective

Suspected Anonymous vandalism on Parliament Square from this November's #OpNov5 protests, done in the name of hacktivism (Photo credit: John Walker)

It was the mid-1980s, and I found myself looking at an enhanced positive vetting form, which by inference means I was off to some sneaky-beaky world of intelligence. But little did I realize, at that time, this eerie world would introduce me to the early days of IT security – a world of spookiness I remained locked into for 10 years.

Thinking back to early experiences, the task of securing systems was much easier – fat Tandem mainframes, with limited input/output (I/O) opportunities, protected by an LU62 interface, natural firewalling of unfriendly protocols, all tucked-up in a Sensitive Compartmented Information Facility (SCIF), hosting an inner-sanctum, and equipped with a secure-earth Faraday cage. These security attributes made the task of infosecurity easy, simply by maintaining system operations, formal accreditations and doing a few spot checks of logs. Then, one day, the PC came into that secure world, running MS-Dos 5.0/DR-DOS, with all the challenges that came with such promiscuous toys. From that point on, life for IT security professionals would never be the same.

A Passing Nuisance?

The first indication of what the PC would impose was the subject of early research by Fred Cohen, who was investigating computer viruses. Not too many years after that, society saw these new little nasties manifesting in the wild, seeking to infect PCs with malicious ‘File’ and ‘Boot’ (MBR) code. It was around this time that Ralf Burger published his book, Computer Viruses: A High-Tech Disease, along with other writings from the likes of Jim Bates and Vesselin Bontchev, not to mention the early days of Virus-L, a mailing list and discussion forum.

It was about this time that I was inclined toward believing in an impending danger, and I penned a signal to the UK’s GCHQ/CESG, alerting to this new viral risk. The response, however, was dismissive: “the computer virus is considered only a passing nuisance, and serves no long-term danger”. Really!? – I thought to myself.

Shortly after this inaccurate assessment, the UK’s Ministry of Defence saw the first infestations introduced by floppy disks, booting in malicious code to the unaware resident hard drive boot sectors; or from file carriers of unwelcomed malicious code. The ‘good guys’ were unprepared to deal with this “nuisance”, and early-day clean-ups were performed with a free Dr Solomon’s 5.25” floppy pulled from the cover of PC Plus, equipped with five anti-virus signatures.

After this incident, the computer virus became a very common occurrence, including Elk Cloner, Cascade, Brain, Coffee Shop, and many others – closely followed by helpful virus construction kits, polymorphic variants and, of course, those nasty worms like Sasser, which some had already gone on record to state were simply a product of imagination. And let us not forget Robert Morris and his worm namesake, which the then-student released into the wild and which became one of the first worms distributed over the internet. In fact, even today, I still have around 5000 live viruses and construction kits locked away on air-gapped systems for private lab work only – some of which can still bypass scanners.

A Community is Born

It was during this same period that the word ‘hacker’ transitioned from meaning someone who worked with code, to the more sinister connotation of an adversary who broke (hacked) into computers. Magazines and periodicals such as Ultra, NHA, and 2600 sprung up, supporting hacking, with some borne out of the early days of phreaking, blue-box antics and the trailblazing telephony exploits of Captain Crunch. Green shoots of 2600 hacker communities started meeting up at favorite UK haunts like the Trocadero in London, where they huddled and swapped code, ideas, and plans – and yes, I did attend some events.

By the late 1980s/early 1990s, the new age of hacking had taken off, with the identified risks outlined by Cliff Stoll in his The Cuckoo’s Egg (still recommended reading today), through to Takedown by Tsutomu Shimomura and John Markoff, which followed the antics and capture of Kevin Mitnick. When you pick up these early works, you really can appreciate the level of intensive, technological dark-art activities during those early days, and may note the first indications of state-sponsored espionage.

As this rebellious science advanced, hacker conferences arrived soon after, with Dark Tangent (Jeff Moss) kicking off Defcon, followed by an early foray in the UK called ‘Access All Areas’, planned and managed by Simon Gardner, with whom, I am pleased to say, I still have an association today. Then we saw Robert Schifreen and Steve Gold find their way into the mailbox of His Royal Highness, the Duke of Edinburgh, resulting in the first attempted and failed conviction under the UK’s Computer Misuse Act.

What transported us from the comfortable world of mainframes, to high degrees of insecurity, was the confluence of the PC and widespread interconnectivity. When enabled with internet access, even at relatively slow speeds, the opportunities and dangers took a big jump to the black hole of adversity full of miscreant extracurricular activities. Whereas early hacking exploits mostly sought to establish flamboyant, infamous statuses, it wasn’t long before the realization that there was gold in them-there machines – enter e-crime-for-profit, with enhanced opportunities for exploitation.

The Dark Path

Hacking really started to hit the headlines in 1998–99, with antics coming from characters like the Devil’s Advocate, and exploits being published to assist hacking into anything from a basic Windows box, through to the tool Back Orifice being released into the wild in 1998 by Cult of the Dead Cow (CDC). Then, when Satan arrived, predictions of widespread doom proliferated, with opinions expressed that nothing would be secure again. While these panic statements were a tad theatrical – considering the landscape of insecurity in 2012 – in hindsight maybe they were, after all, right on the money.

"From those days of primitive computer viruses, right up to 2012, we have come a long way down a very dark path"

It was around 2004–05 when there were indications that hacking had evolved to be a skill-of-choice for state-sponsored activities, seeking to impose cyber conflict conditions on a selected target, or to leverage technology in a Cuckoo’s Egg-style attack for the purpose of intelligence gathering. This came to a head in 2007 with the advent of Titan Rain, when attacks emerged from the Chinese electronic frontier, targeting the US, UK, and German governments. Since Titan Rain, such cyber conflicts have grown out of multiple geographic locations – including Iran – that target both government and commercial assets alike.

Considering the emergence of smart malware and the threat of advanced evasion techniques (AETs) originally researched and published by StoneSoft, it’s time to appreciate that the current White Hat position of set-and-match is likely to remain the status quo, with the balance tipped in favor of cybercriminals in whatever shape they appear. In my opinion, until such time that security is taken back to basics and away from the world of over-compensatory, soft-focused compliance, I anticipate that nothing will change. Consider ‘smart malware’, and spare a thought for the code that inserted itself into the US military drones, while consulting the recent Symantec report on Duqu outlining a strong relationship between the two entities. Then understand the military ramifications of a malware variant intercepting communications between, say, a drone, a satellite, and a downlink, possibly capturing ephemeral data from that closed, compartmented conversation. Trust me on this, the implications are severe.

Although a ‘cyber war’ has not yet occurred, we must nevertheless acknowledge that within a conventional theatre of conflict, the association of logical tools employed to target the operability of air defenses, communications facilities, hospitals, and utilities would impose a high impact on the morale of a populace, or even promote internal insurgency. As such, from those days of primitive computer viruses, right up to 2012, we have come a long way down a very dark path.

We should also acknowledge the current success rate of unauthorized cyber incursions, and ponder some implications by association. Some time back, a journalist friend of mine shared that he had interviewed a group of international hackers, and asked them about the cutting-edge skills that enabled them to circumvent high-grade perimeter security. The answers this journalist received, in summary, were unexpected: it’s not a case of being smart, but the stupidity, bad configurations, and hapless administration that made [their] lives easy.

Acknowledgement must also be given to those with a political conscience and a cyber axe to grind. With ideological motivation, they march under the banner of hacktivism. These are dark operatives in the form of Anonymous and LulzSec, who are out to counterbalance the wrongs they feel need to be corrected. Their activities range from exposing the names of pedophiles, through to the taking down of sites unfriendly toward sympathetic personalities, such as Julian Assange. I know it may not be politically correct, but given what history has taught us, at times, I do appreciate the point they are trying to make in a form resembling Sherwood Green – albeit, they are wearing the mask of vengeance.

What’s Next?

As for the future, in my opinion the IT security industry must jump off its invasive hobby-horse of over-focused PCI-DSS compliance, and get back to the core basics and values of technological, operational security. There must be an acceptance that – notwithstanding some organizations like McAfee that have gone on record with what appears to be marketing hype stating ‘we are winning the war on cyber conflict’ – we are not.

The time has arrived, no matter what we call the threats, to admit that something isn’t right. And, above all, if we are to listen to just one voice, then take heed of the words of Baroness Pauline Neville-Jones on the subject of cyber skills, who has gone on record to admit that we must do a better job in developing them. Snake oil may have kept many in pocket for years, but right now, I am sorry to report, the can has just run dry. As Richard A. Clarke, former US counter-terrorism advisor, said: “The genie is out of the bottle, and it won’t go back in”.

John Walker is the CEO of Secure Bastion Ltd. He is also the director of cyber research at Ascot Barclay, visiting professor at Nottingham Trent University’s School of Computing and Informatics, a practicing Expert Witness, and fellow of the British Computer Society (BCS). Walker is the chair of the London ISACA Chapter Security Advisory Group (SAG), an ENISA CEI Listed Expert, editorial board member of the Cyber Security Research Institute (CSRI) and member of the ISACA International Guidance & Practices Committee.