Tune In and Switch Off

As I sit here right now, the country of Egypt is a black hole on the Internet.  All 3,500 prefixes originated by Egypt’s four major ISPs have been withdrawn from the global BGP table.  There is no route into or out of the country, save the one ISP utilized by the Egyptian Stock Market, most likely in an effort to keep the country’s economy from collapsing.  This follows on the heels of other government interference in cybercommunications in Tunisia this past month and Iran last year.  Egypt, however, is the first country to completely darken the Internet in an effort to keep services such as Twitter and Facebook from coordinating resistance and allowing information to be disseminated to the world at large.  I learned a very long time ago that arguing about politics never leads anywhere.  What I would like to comment on, however, is the trend toward censoring information by disrupting network communication.

Egypt yanked all Internet access for its citizens in an effort to control information.  Tunisia has been accused of affecting Internet traffic for its citizens as well, blocking certain routes and causing outages on the Web.  Iran limited access to social media and even attempted to severely rate limit Internet traffic during the election protests last year.  This trend shows that governments are starting to realize the power that the Internet provides to disaffected groups of people.  No longer do “subversives” need to meet in underground basements or abandoned warehouses.  Those places have been replaced by chat rooms and e-mail.  Relying on one or two trustworthy individuals to get the word out by smuggling rolls of film to the mass media has been replaced with instant pictures being uploaded from a cell phone to Twitter or Flickr.  The speed with which protests can become revolutions has become frighteningly accelerated.  So too is the speed with which the affected government can slam the door shut on the ability of these revolutionaries to use the very media on which they rely to spread the word.  Egypt was able to successfully cut off access within a few hours of the first rumors of such a thing being contemplated.

For those of you that think that something like that could never happen here (here being the US), let me direct your attention to the Protecting Cyberspace as a National Asset Act.  This hotly debated bill would give the government more ability to combat large-scale cyber warfare and allow them to protect assets deemed vital to the national interest.  The biggest concern comes from a provision inserted that would give the president the ability to enact “emergency measures” to prevent a wide-reaching cyber attack.  This includes the power to shut down major networks for a period of up to 120 days.  After that time, Congress must either approve an extension, or the networks must be reactivated.  I won’t delve into some of the wilder conspiracy theories I’ve seen surrounding this bill, but the idea that our networks could be shut down without our consent to protect us is troubling.  According to my research, there is no provision that defines the situation that could cause a national shutdown.  The president, acting through the National Center for Cybersecurity and Communications (NCCC) Director, is supposed to inform the affected networks to enact their emergency measures and ensure the emergency actions represent the least disruptive means feasible to operations.  In other words, the NCCC director just has to tell you he shut you down and you should try to make things work as well as you can.

Using this as a possible scenario, assume some kind of external driver causes the president and the NCCC director to shut down a large portion of the Internet traffic.  It doesn’t have to be a revolution or something so sinister.  It could be a Stuxnet-type attack on critical power infrastructure.  Or maybe even a coordinated cyber attack like something out of a Tom Clancy novel.  In an attempt to deter the attack or mitigate the damage, let’s say the unprecedented step of withdrawing a large number of BGP prefixes is taken, similar to what Egypt has done.  What kind of global chaos might this cause?  How many transit ASes exist in the US that pass traffic around the world?  I’ve seen stories of how the World Trade Center attacks in 2001 caused a global Internet slowdown due to the amount of traffic that was passed through the networks located there.  That was two buildings.  Imagine withdrawing enough prefixes to take out even half the traffic that flows through the US and the networks located here.  What impact would that have?  The possibilities would be mind-boggling.  Even a carefully coordinated network shutdown would have far reaching impact that no one could foresee.  Chaos is funny like that.
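As an added illustration (mine, not part of the original post; the prefixes and AS numbers are made up from the documentation ranges, not Egypt’s real routes): what made the Egyptian blackout visible within minutes was that route collectors watched every prefix from a handful of origin ASes disappear at the same time.  The Ruby below does that comparison on two snapshots of a routing table in the “prefix  AS_PATH” shape of a looking-glass dump, groups prefixes by origin AS, and reports which origins lost most or all of their routes.  Point it at two real dumps and it flags a country-scale withdrawal while a single flapping prefix stays below the threshold.

```ruby
# Added example (not from the original post): spot origin ASes whose prefixes
# vanish between two snapshots of a BGP table. Each line is "prefix AS_PATH",
# the shape of a looking-glass or route-collector dump; the origin is the
# last AS in the path. Prefixes and ASNs are constructed from the
# documentation ranges (RFC 5737 addresses, RFC 5398 AS numbers).

BEFORE = <<~RIB
  192.0.2.0/24      64500 64496
  192.0.2.128/25    64500 64496 64496
  198.51.100.0/24   64500 64497
  203.0.113.0/24    64501 64497
  203.0.113.64/26   64501 64498
  203.0.113.128/26  64501 64498
  198.51.100.128/25 64502 64499
RIB

# A few minutes later: everything from 64496 and 64497 is gone, 64498 lost
# one of its two prefixes, and 64499 (think of the lone ISP left up for the
# stock exchange) is untouched.
AFTER = <<~RIB
  203.0.113.64/26   64501 64498
  198.51.100.128/25 64502 64499
RIB

# Map origin AS -> list of prefixes it originates. Prepended paths such as
# "64500 64496 64496" still end in the origin, so the last element is
# enough; AS_SETs in braces are not handled here.
def prefixes_by_origin(rib_text)
  by_origin = Hash.new { |h, k| h[k] = [] }
  rib_text.each_line do |line|
    prefix, *path = line.split
    next if path.empty?                 # blank or malformed line
    by_origin[path.last.to_i] << prefix
  end
  by_origin
end

# Per-origin withdrawal statistics between two snapshots:
# { asn => { total:, withdrawn:, fraction: } }
def withdrawn_by_origin(before_text, after_text)
  before = prefixes_by_origin(before_text)
  after  = prefixes_by_origin(after_text)
  before.each_with_object({}) do |(asn, prefixes), stats|
    gone = prefixes - after.fetch(asn, [])
    stats[asn] = { total: prefixes.size, withdrawn: gone.size,
                   fraction: gone.size.fdiv(prefixes.size) }
  end
end

# Origins that lost at least `threshold` of their prefixes. A single prefix
# flapping never reaches the threshold; a blackout does.
def dark_origins(before_text, after_text, threshold: 0.9)
  withdrawn_by_origin(before_text, after_text)
    .select { |_, s| s[:fraction] >= threshold }
    .keys.sort
end

if __FILE__ == $PROGRAM_NAME
  withdrawn_by_origin(BEFORE, AFTER).sort.each do |asn, s|
    printf("AS%d: %d/%d prefixes withdrawn (%.0f%%)\n",
           asn, s[:withdrawn], s[:total], s[:fraction] * 100)
  end
  puts "origins gone dark: " + dark_origins(BEFORE, AFTER).map { |a| "AS#{a}" }.join(", ")
end
```

On real data you would key the “before” snapshot to the last known-good full table from a collector and lower or raise the threshold depending on how much ordinary churn the origins in question normally show.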

The Internet, or cyberspace or whatever your term for it, is now something of a curiosity.  It exists on its own, independent of the laws of nations or man.  Those who seek to control information flow or restrict access find themselves quickly thwarted by the fact that packets and frames do not respect political boundaries.  For every attempt to shut down The Pirate Bay, a simple move to a different location allowed them to stay active.  Even when pressure was applied to the people behind the site, it was quickly seen that their creation had taken on a life of its own and would persist no matter what.  What of the Wikileaks saga, where the attempt to behead the organization by targeting its leader has only fanned its flames and most likely ensured its survival no matter what may happen to Julian Assange.  Those of us who live our lives in this electronic realm see differences in the way culture is developing.  There are lawless places in the Internet where mob rule is the law of the cyberland.  Information is never truly forgotten, merely pigeonholed away until it is needed again.  Attempts to impose political will upon the citizens of the Internet are usually met with force, protest, and in some cases, retribution.  I keep wondering when organizations are going to figure out that attempting to erase information is tantamount to daring the Internet to publicize it.  In the same way, attempting to shut down access to the Internet and social media at large is a sure way to force people to circumvent these restrictions.  As we watched Egypt vanish from the cyber landscape last night, many of my friends remarked that it would only be a matter of time before someone challenged the blockade and won.  Someone could hack the edge routers and reestablish the BGP peering with the rest of the world and the floodgates would be opened again.  Whether or not that happens in the next few days remains to be seen.

As the world becomes more reliant on the Internet to provide information to everyone, we as cyber citizens must also remain vigilant to keep the information flowing freely.  The Internet by design lends itself to surviving major disruptions without totally crashing.  It is our responsibility to show the world that information wants to be learned and shared and no amount of meddling will change that.

They Hackin Everybody Out Here

I’ve learned a couple of important lessons in my time as an Internet citizen.  First, don’t taunt the Internet Hate Machine, known more colloquially as “Anonymous”.  Secondly, keep your passwords secure and complex and don’t use them for every website.  Should you do #1 and neglect #2, be certain that #1 will bite you in the ass, as the people at Gawker Media learned this past week.

A group known as Gnosis posted a 500MB torrent containing various data pulled from a variety of Gawker Media websites.  They claimed the hack was due to Gawker’s hubris and their mocking of previous hacks.  There is also evidence to support the idea that some in Gawker may have taken a stance against the actions of Anonymous in their crusade against those that were involved in the Wikileaks debacle in early December.  While the file contains things like chat logs and FTP server details for various sites that probably don’t want them published, there was a singular gem amongst the chaff.  The most critical piece of this file is the dump of the Gawker MySQL database.  Gnosis was able to access the database and pull the table containing the list of user IDs and passwords.  According to the README.TXT contained in the torrent (and reposted across several websites), they decided to stop dumping the database after about 1.3 million users.  Gnosis then turned John the Ripper loose on the passwords, which were stored in the table as traditional DES-based crypt(3) hashes.  The good news is that Gawker decided to store the passwords in a non-plaintext format.  The bad news?  Traditional crypt(3) builds its 56-bit DES key from the first eight characters of the password (seven bits each) and simply ignores anything after that.  That means that only the first eight characters of the passwords were ever hashed and stored.  So, if you were diligent and created a super hard password like “passwordc4n7b3|-|4ck3d”, all that got stored was the hash of “password”.  So, armed with a password database, a sophisticated cracking tool, and a weak, decades-old hashing scheme, Gnosis set out to see what they could see.

What did they find?  Well, for one, people violated my second rule by making some pretty easy-to-guess passwords.  Like “password”.  No kidding.  It was the second most popular password out of the bunch, with about 2,100 people out of the 300,000 released hashes using it.  What was more popular than that one?  How about “123456”?  More than 3,000 people used that one.  And the third most popular one was “12345678”.  For a full list of the most popular passwords, check out the Wall Street Journal Blog.

Guess what?  Those passwords SUCK!  Yes, they are easy to remember.  Yes, it’s slightly more secure than not having a password.  Guess what?  They’re also quite easy to guess.  Thanks to rainbow tables, it’s not hard to find a DES crypt hash for “password”.  In fact, just so you know, one of them is “uDGdyZA2EBdWk”.  Search for that string in the database and you’ll find a pile of accounts with unsecured passwords, but only the ones that happened to draw the same salt: the first two characters of a crypt(3) hash are the salt, there are 4,096 possible salts, and the same password produces a different 13-character string under each one.  That’s why a cracker hashes the wordlist once per salt instead of grepping for a single string, and why a salt that small only slows the job down by a constant factor.  Because I know that everyone reading this knows how to make a secure password, I won’t patronize you with password policy.  But, just in case my mom ever decides to read this, a proper password includes ALL of these things:

  • At least EIGHT characters (the more, the better)
  • A number
  • A capital letter
  • A symbol
  • Non-obvious (see above for a list of some obvious stuff)

If your password doesn’t meet those guidelines, it’s probably not that secure.  The longer and more complex the password, the more likely it is to stand up to a dictionary attack or brute force attempt, at least on a site whose hashing actually looks at the whole thing; on one using DES crypt(3), as Gawker was, anything past the eighth character buys you nothing.  However, even if you have a nice, complicated password, reuse of it all over the place can still get you in trouble, as the Gawker people found out on Monday.
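To make the two technical points above concrete (the eight-character cutoff and the salt), here is an added example of my own, not anything from the Gnosis torrent or from Gawker’s code.  It calls the platform crypt(3) through Ruby’s String#crypt, which with a two-character salt is traditional DES crypt, shows that “password” and “passwordc4n7b3|-|4ck3d” hash to the same string under the same salt, that the same password under two salts gives two different strings, and then runs a small wordlist over a constructed user:hash dump the way a cracker would, hashing each word with each stored hash’s own salt.  The usernames, passwords and wordlist are all made up.

```ruby
# Added example (mine, not Gawker's or Gnosis's code): traditional DES
# crypt(3) via Ruby's String#crypt. A two-character salt selects the
# traditional DES scheme on a libc that still supports it. The users,
# passwords, and wordlist below are constructed.

def des_crypt(password, salt)
  raise ArgumentError, "traditional crypt(3) salt is exactly two characters" unless salt.length == 2
  password.crypt(salt)   # 13 chars back: 2 salt chars + 11 chars of hash
end

# The cutoff the post describes: everything after character 8 is ignored.
def truncated_to_eight?(salt = "uD")
  des_crypt("password", salt) == des_crypt("passwordc4n7b3|-|4ck3d", salt)
end

# Constructed dump, user => stored hash. Hashes are computed here so they
# match the local crypt(3) rather than being pasted from anywhere.
DUMP = {
  "alice" => des_crypt("password", "uD"),
  "bob"   => des_crypt("password", "ab"),             # same password, other salt
  "carol" => des_crypt("123456", "uD"),
  "dave"  => des_crypt("Tr0ub4dor&3", "Xy"),          # hashed as "Tr0ub4do"
  "erin"  => des_crypt("correcthorsebattery", "Q7"),  # hashed as "correcth"
}

WORDLIST = %w[123456 password 12345678 qwerty letmein correcth]

# Dictionary attack the way John does it: for each stored hash, take its
# salt (first two characters) and hash every candidate with that salt.
# Returns { user => recovered_password }. Grepping the dump for one
# string such as "uDGdyZA2EBdWk" would only ever hit the "uD" salt.
def crack(dump, wordlist)
  dump.each_with_object({}) do |(user, stored), found|
    salt = stored[0, 2]
    hit = wordlist.find { |word| des_crypt(word, salt) == stored }
    found[user] = hit if hit
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "first eight characters only: #{truncated_to_eight?}"
  puts "same password, two salts: #{DUMP['alice']} vs #{DUMP['bob']}"
  crack(DUMP, WORDLIST).each { |user, pw| puts "#{user}: #{pw}" }
end
```

Note that erin’s nineteen-character passphrase falls to an eight-character wordlist entry, while dave survives only because “Tr0ub4do” happens not to be in the list; a real wordlist would be a lot longer than six entries.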

Once the Gnosis people got finished having their way with the Gawker MySQL database, they took their hack to the next level.  They thought to themselves, “I wonder if these people use the same password everywhere?”  So, armed with a list of e-mail addresses and usernames and passwords, they started checking around.  Getting into GMail and Yahoo mail accounts.  Logging into Twitter and Facebook.  Causing general chaos.  Like Twitter accounts randomly tweeting about acai berry products.  The first thought was a new URL-exploiting worm.  Then came the realization that a lot of people that were singing the praises of the lowly acai berry were victims of a hijack attack from people that had downloaded the torrent from the Gnosis hack.  Because these users had utilized the same password across multiple accounts, a security breach in one had exposed all of them.

In my opinion, Gawker’s response to the hack wasn’t quite as effective as it could have been.  They posted banners on all their websites advising users to change their passwords.  Except they had taken down the database for some time to patch the holes in it.  Which left their password reset mechanism offline.  What should have happened was an immediate, blanket reset of EVERY account in the Gawker database: invalidate every stored hash and every active session, so the leaked credentials stop working the moment the decision is made.  Gawker already had everyone’s e-mail address on file.  It should be a simple matter to send each account a single-use, time-limited reset link, which beats mailing a new password in the clear, especially to inboxes that may already have been opened with the reused password.  Instead, the users were forced to take the steps themselves or risk further exposure.  A little forethought and perhaps some heavy-handed security admin 101 might have gone a long way to restoring user faith in Gawker.

What we have here is a case of the perfect storm of an older system riddled with insecure passwords that was compromised by a determined foe and then exploited far beyond what anyone except the most pessimistic security expert could have imagined.  Hacks of this magnitude are becoming more and more common, and as we spend more and more time online the information exposure becomes worse each time.  It is quickly reaching the point where it will be necessary to start compartmentalizing our lives in order to keep ourselves secure.  Many people I know have instituted something like this already.  Sites like Facebook and LinkedIn get one type of password.  E-mail and banking sites get a totally different password that is more secure.  For IT professionals, keeping track of multiple passwords isn’t that difficult, especially with password management tools such as 1Password to help us keep our lives straight.  But, to be fair, IT professionals aren’t the true targets of these kinds of hacks.

IT professionals and technology-savvy people are hard targets.  We rotate passwords.  We make secure logins.  We’re always conscious of what information is being stored and shared.  We make lousy hack targets.  But, people like my mom that use the Internet for Facebook and e-mail and shopping are prime targets.  They make accounts on websites like the ones run by Gawker to make a comment on a story.  They use the same password that they use for their Yahoo Mail account and Facebook.  And when something like this comes along and upsets everyone’s apple cart, those people are the ones that suffer.  They aren’t walled off and sure of what information may have leaked.  And they aren’t sure of what passwords to change or when to do it.  And so they might find themselves on the news talking about getting hacked and all the doom and dismay that it has caused.  And who knows?  Maybe someone will autotune my mom into an Internet meme.  Let’s hope not.  Because if there’s anything worse in this world than password database leaks or FBI backdoors into IPSec, it’s listening to my mom sing, autotuned or not.

Stuxnet: Be Afraid

“Doesn’t that bother any of you? Because it scares the living piss outta me!” – Lloyd Bridges as Admiral Tug Benson

That pretty much sums up my feelings about the Stuxnet worm the more and more I read about it.  It seems like every week brings more and more dastardly information about this worm and its consequences for cyber warfare in general for the foreseeable future.  First, a refresher course for those that might not be totally familiar with this little gem.

Anatomy of a Scary Virus

A Belarusian security firm got its hands on a sample of a new worm in mid-June of 2010.  It was a Windows-based attack that seemed to be quite virulent from the very beginning.  More disturbing, however, was the complexity that lay just beneath the surface upon further examination.  Stuxnet exploited four separate zero-day vulnerabilities in Windows.  In the security arena, this is the equivalent of showing your hand too early in a poker game.  Zero-day exploits have great value on the black market for virus writers, so they tend to be hoarded and used only when a significant advantage can be had.  For a virus to burn four of them at once meant that it was serious about infecting things.  Secondly, it installed a rootkit on the target system.  While this isn’t necessarily new in and of itself, the way it succeeded was brilliant.  The writers of the virus signed their kernel-mode drivers with code-signing certificates stolen from trusted hardware manufacturers JMicron and Realtek.  This meant that the drivers necessary for rootkit operation could be loaded without so much as a blip of a warning.  Also disturbing was the method in which the virus was constructed, a mish-mash of C and C++ code.  This is quite odd for a trade that typically uses simple coding techniques.

After digging into the payload and operation of the virus, the malicious intent cranked up two or three more notches.  The virus used the Siemens Step 7 programming software on an infected PC to push its own code into any attached Siemens Programmable Logic Controller (PLC), where it really started its nefarious work.  Firstly, a rootkit was installed on the PLC to hide the injected code from anyone reading the program back.  Then, using the PLC, it started messing with the variable frequency drives attached to it.  Specifically, it was looking for drives running at output frequencies between 807 Hz and 1210 Hz.  Why so specific, you ask?  Because drives that run at those frequencies just happen to be the kind used to spin the centrifuges that enrich uranium.  Once it found the target, it didn’t make itself obvious by disabling the drive.  Instead, it varied the rotational speed of the unit, ramping it up to 1410 Hz, then down to 2 Hz, then back to normal, while hiding what it was doing from the operators.  To the outside observer, it would just look like the device was going haywire or having mechanical difficulties.  At worst, you might think to pull the drive out and replace it with another unit.  Of course, as soon as that unit was connected to the still-infected PLC, it would be driven the same way and the whole process would begin all over again.

A New Chapter in Warfare

Once the security firm started tracing the command and control centers for the virus, the trail started going cold as servers were shut down and erased from the face of the Internet.  Usually, those kinds of disappearing acts are perpetrated by the kind of three-letter agencies that don’t like to make the headlines.  And so it was that a large number of security researchers started speculating about the nature and purpose of Stuxnet.  Symantec believes that a well-coordinated team of 5 to 10 individuals spent several months writing the virus.  As well, the largest number of infected systems appears to be located in Iran.  Based on the specific target of the virus (industrial equipment known to be purchased by Iran), it seems quite plausible to assume that someone or something wanted to make sure that the equipment didn’t function correctly.  But, rather than take it out completely, the idea behind Stuxnet was to mask the damage done and make it look like mechanical failure.  Indeed, since it was looking for such specific target criteria, it might have lain dormant for months before unmasking itself.  The speculation currently is that the worm was designed to do one thing with brutal efficiency – cripple the Iranian nuclear program.  Not by airstrikes or conventional means, but with cyber warfare.

When you think back on many of the malware programs that have sprung up and been quite irritating over the last few years, realize that the authors wanted to make a statement with them.  Whether it was the theft of personal information or the hijacking of your PC for less-than-honorable purposes, each author left a stamp or calling card.  These are the kinds of people that do things for fame and fortune.  They want the exposure.  If someone finds out who wrote Code Red or Nimda, all the better for them.  Exposure gives credibility and prestige in that community.  Even something like the SQL Slammer worm was an attempt to exploit a known vulnerability, perhaps for use by someone at a later date.  Only the ham-handedness of the coding caused it to race out of control and be fought back so quickly.  And so security professionals see these viruses and malware infections and combat them as best we can.  But we only catch them because we can see the tell-tale signs.

Stuxnet appears to have been coded by a person or persons who don’t ever intend to be known.  Their job succeeds when no one knows they did anything.  These kinds of people don’t leave marks or traces of any kind when they are done.  They are professional.  They pick a target and pursue it relentlessly until it is neutralized.  And when all is said and done, no one would think to ask whether the misfortune was man-made.

Imagine if this had happened in America.  Infected USB drives are scattered around a parking lot at a facility that services nuclear power plants.  Or mailed to key individuals that have access to sensitive areas.  Imagine the chaos that could ensue if the payload hadn’t been designed to subtly cripple, but instead was crafted to cause mayhem and disorder?  Imagine what might happen if it were to occur on the scale of something that we can’t live without, like the GPS constellation?  The idea that agencies and organizations that have made careers out of the kind of malicious and nasty tricks that mark intelligence and spying are now beginning to focus on cyber warfare is frightening.  Think about what could happen if the most prolific and successful malware creators were hired for a job that would pay a fortune, provided the attack was successful and left zero trace.  Would it be worth several million dollars if a country could cripple the military command and control functions of their enemy with a moment’s notice?  What would happen if an invading army had no fear about its ability to render any and all resistance moot with the press of a button from some previous malware infection that went totally undetected until it was too late?

Granted, this is all pie-in-the-sky rambling, but the directions that these types of programs can be taken in boggle even the most die-hard security researchers.  Think about how many information system breaches we’ve seen.  Now think about what would happen if it was targeted to, say, the Department of Defense.  Or the Social Security Administration?  And no amount of money or threat of prosecution could deter the people doing it.  State-sponsored terrorism is bad enough today.  What happens when state-sponsored cyber terrorism becomes more prevalent?  And before you answer that question too quickly, look at what happened with GMail just a few months ago.  And realize that many in the security realm are starting to believe that those attacks were state-sponsored.

For those of you science fiction fans out there, my thought exercises may sound eerily similar to the reimagined Battlestar Galactica mini-series, where the Cylons were able to cripple the entire military effectiveness of the Colonials with a few well-placed programs.  We all laughed at it and said that it made for great story telling, but it was still just fiction.  Well, with the rise of Stuxnet and inevitably more programs like it, we can only hope that the escalation of cyber warfare doesn’t lead us to some kind of horrible conclusion.  Because it’s something like that which makes me truly afraid.