The Cyber Battlespace

This Friday’s shoot-the-shit topic is “The Cyber Battlespace.” I selected the topic because of the recent incident with Sony’s hack and because I also said at the beginning of the year that I would write a piece on The Cloud; regrettably, that didn’t happen due to other editorial priorities. So, I’ll give you a mini dose now.

Before I can talk about cyber-attacks, I need to develop The Cloud concept, just a bit, so things make better sense, and then relate that to the present cyber-attacks. What’s The Cloud and where did it come from?

The Cloud concept is a byproduct of academia; just like economic theory suggesting that service economies are better able to insulate themselves from the business cycle, when in fact empirical evidence shows they excel at producing low income jobs. However, in an academic setting, you can sit at a computer to model these concepts and it all looks good, but the one thing you must understand about academics is that none of them have ever had to sit up at night trying to figure out how to make a payroll. Clueless! So, it all sounds very impressive while sipping lattes discussing academic credentials; however, in practice, the story is much less elegant.

So, what is the cloud? If you listen to your professor discussing it, the concept assumes the role of a deity, especially if he or she has published anything on the subject. In practice, it is nothing more than an array of computational resources accessible, via the IP infrastructure, to designated and authorized users. Some of the benefits, or better said, lures, of Cloud Computing are that it eliminates duplication of resources, and is more cost effective and easier to maintain. The point here is, why does an organization need 40,000 PCs, and/or laptops, running individual copies of Microsoft Word when they can simply access that resource through the cloud? It’s clean; it’s nice and relatively simple, but full of holes. However, to the hacker, or cybercriminal, MS Word is worthless; it’s the documents you create with it that are priceless because they reveal budgets, business plans, financial data, research and development, and technologies: a veritable plethora of information. Recognizing that data is the target, when you aggregate it in The Cloud you create a very valuable and attractive target; hence, criminals, rogue nations, intelligence services and militaries have the potential for enormous gains by hacking Cloud resources.

Corporations invest hundreds of millions to secure their computational resources and data; however, that investment is centered on protecting the enterprise from exposure to loss, not its customers. In fact, many of these organizations benefit financially from offering transactional data collected from customers. Rest assured that protecting your personal information is not the real priority, and you can see that from the hacks on Target, Home Depot, J.P. Morgan Chase, Sony Corp, and more recently Staples. How is data stored and organized in The Cloud?

Most data is organized in normalized relational databases. I can babble on in meaningless techno jargon, but a picture is worth 1000 words, as they say …

[Figure: Architecture]

I’ll run you through a session to give you a good feel for what’s happening. I’ll start with the user, represented by a happy face; however, something to note before I get started is that each of these barrels can be distributed globally. They don’t necessarily reside on the same computer, in the same building or geographic location, but they are logically connected. Also note that a user can be a human or a device; for example, a POS terminal at a retail outlet (which is how Target was hacked), or a card reader at a building access point, etc.

  1. User needs access to cloud resources, so he or she fires up the laptop and is challenged by access control.
  2. User enters login ID. Access control contacts the password database and, if biometric access control is implemented, it checks for a template.
  3. If there is a match, the user is granted access to those areas that he or she is authorized to access.
  4. However, unbeknownst to our happy user, he previously visited a Website where he picked up undetected malware.
  5. Depending on the malware planted, the hacker can now capture every keystroke the person types, and it could propagate itself to other users accessing Cloud resources. You now have multiple users with compromised laptops, tablets, smartphones, point of sale terminals, etc., etc.
  6. Let’s talk about the hacker’s prize, even if only one of these is hacked. Most hacks compromise a specific data table and not an entire database; for example, user I.D.s or e-mail addresses. Other types of vulnerable data include
      1. SSN, DL
      2. Name, address, and other personal data like D.O.B.
      3. Account numbers
      4. Password and/or biometric templates

Now, imagine what can be done with biometric templates and names and addresses, or SSN and DL numbers. Making matters worse is the move to generating encryption keys from biometric data. Hack the template and you’ve broken the encryption key. So, as you can see, the value of these hacks is immense; therefore, it’s cost effective for individuals, organizations, agencies and nation states to develop the technologies to exploit these giant pools of data stored in The Cloud.

Hacks have two broad functions, gaining access to data and disrupting computational resources, and I include IP infrastructure software and hardware in computational resources. We’ve seen what cyber-attacks can do in the commercial space, but let’s take a look at national security and what that means: disabling space assets by either direct attack or cyber assault, or disabling communications networks or command-and-control computational resources. It is serious business, and you can bet that nation states, including the United States, are developing cyber capabilities directed at the military and national defense fabric of other countries.

So, The Cloud is not the panacea we think it is, and even less so without serious and evolving attention to mitigating the massive risks it presents. I have to laugh because, in discussing cloud security, some folks always talk about not using Cloud resources for sensitive material, but let’s put that idea under the microscope for a second.

Hypothetical e-mail from a mil domain

Hi honey, I’m going to be gone for about 15 days. I don’t know where just yet but they’re looking for Spanish speaking guys so it’s probably in South America. Tell the kids, I love them and I’ll see you when I get back.

Certainly nothing sensitive in that e-mail; yet it’s full of intelligence, which, when combined with other seemingly benign communiqués, paints a pretty clear picture.

Just for drill, let’s take a look at the hypothetical e-mail message to see what intelligence it contains.

  • The originating e-mail address reveals the home domain, in this case mil.gov, so a hacker can establish affiliation.
  • The destination e-mail address is wife@gmail.com. From that we can see if the person has a Google+ affiliation, so we may be able to get pictures of the recipient and immediate family members, as well as personal data. We can also check to see if there is a Facebook affiliation, and that opens up an entire can of worms.
  • We know that there is a planned deployment to a Spanish-speaking region that is expected to last 15 days.
  • By looking at the date the e-mail was sent we can establish a time window.
  • We know the individual has children, which gives an adversary an opportunity to exploit that in the event of a successful capture.
  • From the e-mail address we can identify the IP addresses involved and physical locations.
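As an added example, not part of the original post, here is a small outbound-mail OPSEC screen in Python that flags the same indicators the bullets above pull out of the hypothetical message (military sender domain, personal-webmail recipient, stated duration, region or language cue, family reference, and the time window derived from the Date header). The sample message, the addresses in it and the cue word lists are constructed for illustration.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the post's hypothetical e-mail; addresses are made up.
SAMPLE = """\
From: soldier@example.mil
To: wife@gmail.com
Date: Fri, 19 Dec 2014 09:15:00 -0500
Subject: heads up

Hi honey, I'm going to be gone for about 15 days. I don't know where just yet
but they're looking for Spanish speaking guys so it's probably in South America.
Tell the kids, I love them and I'll see you when I get back.
"""

# Illustrative cue lists; a real deployment would tune these to its own environment.
PERSONAL_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
DURATION = re.compile(r"\b(\d+)\s*(day|week|month)s?\b", re.I)
REGION_CUE = re.compile(r"\b(spanish|arabic|russian|south america|middle east)\b", re.I)
FAMILY_CUE = re.compile(r"\b(kids|children|son|daughter|wife|husband)\b", re.I)
UNIT_DAYS = {"day": 1, "week": 7, "month": 30}


def opsec_findings(raw):
    """Return a dict of OPSEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = {}
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    if sender.endswith(".mil"):                      # sender domain gives affiliation
        findings["affiliation"] = sender.rsplit("@", 1)[-1]
    if rcpt.rsplit("@", 1)[-1] in PERSONAL_MAIL:     # recipient links to social profiles
        findings["personal_recipient"] = rcpt
    m = DURATION.search(body)
    if m:
        findings["duration"] = m.group(0)
        if msg.get("Date"):                          # Date header + duration = time window
            sent = parsedate_to_datetime(msg["Date"])
            days = int(m.group(1)) * UNIT_DAYS[m.group(2).lower()]
            end = sent + timedelta(days=days)
            findings["time_window"] = (sent.date().isoformat(), end.date().isoformat())
    m = REGION_CUE.search(body)
    if m:
        findings["region_cue"] = m.group(0)
    if FAMILY_CUE.search(body):
        findings["family_reference"] = True
    return findings
```

Run `opsec_findings(SAMPLE)` to see every bullet above surface as a finding from a message that, on its face, contains nothing classified.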

So, when Senator McCain calls hacks a new form of warfare he is spot on, and a relatively inconsequential belligerent nation can bring you to your knees, even without significant military prowess. Just imagine prosecuting a war in an r.f.-denied area. Imagine the Taliban with GPS spoofing equipment.

So, here’s what I think needs to be done.

  1. Congress needs to get to work to write legislation that explicitly requires both business and governments to secure customer and taxpayer data. If a company or agency sells consumer data, they should be required to disclose it clearly and provide an opt-out.
  2. Create fiscal policy that rewards bringing technology manufacturing back in-house. This is particularly true of software development. H-1B visa policy needs to be looked at carefully. The way you deal with a shortage of technology workers is through the compensation process. Foreign students and workers are sometimes intelligence assets (possibly for both sides of the house).
  3. Rebalance the military budget to reflect the very real threats to national security in Cyber Space.

As is true of all shoot-the-shits, no rules apply! So, we’d love to hear from you.

Have A Great Weekend Everybody!
