04 June 2009

Rise of online mercenaries

DOING governments' dirty work in cyber wars.

Steven Bellovin, professor of computing science at Columbia University, predicted the rise of online mercenaries prepared to carry out the "nasty things" governments did not want to be associated with. "Hackers are already doing nasty things for pay, and for covert operations deniability is useful," he told the AusCERT 2009 conference last month.

"I fear we may go back 200 years to letters of marque and reprisal, where governments commission somebody to attack another government's assets with perfect immunity under law."

A letter of marque is an official warrant authorising an agent to capture and destroy specified assets belonging to a foreign party that has committed an offence against the issuing nation. Professor Bellovin said the US constitution explicitly permitted the granting of such letters, "and the US has never disavowed the concept, unlike a number of other countries".

Aside from those scenarios, many governments were known to be engaged in cyber-spying or hostilities against regional rivals. "A couple of laptops are a lot cheaper than a couple of F16s (fighter aircraft)," he said. "If a US official said the Government was prepared to use nuclear weapons in response to cyber warfare, the other party doesn't need to engage in computer game playing. They just need to do nasty things to the US defence force's strategic communications network." Professor Bellovin said certain new blended exploits -- involving technical interventions and social engineering -- were beyond an average hacker, but not a nation-state.

"Suppose someone creates an innocuous-seeming flaw in a chip (used in particular devices), and plants code to trigger that flaw in certain applications," he said. "You could put a data file on a web page or in spam, the CPU (central processing unit) will execute that and a backdoor in the chip is triggered. "I see absolutely no reason why this would not happen." In one instance that came to public notice, a US government agency paid $US80,000 to an individual who had devised a Linux flaw. Hackers were already looking beyond the desktop and server stack, with the focus now on such things as a worm that targeted wireless routers and took them over.

"The hacker can spy on all the traffic and even turn the router into a botnet. Suddenly you have a virus on every computer in your house." Businesses and government agencies needed to be more cautious about "inside" attacks through their supply chains, particularly in relation to "software coding that is outsourced to dubious places". A recent report from Russia described how ATMs had been programmed to skim users' card details. When the attacker inserted a master-card, the machine printed out the account names and PINs of all users since the last download. Meanwhile, industrial spies after corporate secrets were achieving "high-end results for high-end customers".

"These are really broad-spectrum attacks involving networks," Professor Bellovin said. "One attacker got access to a network through U3 flash disks (essentially a USB stick and CD-Rom combined). The attacker left some flash disks lying around the parking lot, and people couldn't wait to install them to see what was on them.

No comments:

Post a Comment