Thursday, March 18, 2010

Exploring cybersecurity

Everyone is talking about cybersecurity and cyberwarfare these days. Security experts like former NSA director Mike McConnell have been warning about a cyber-Pearl Harbor or September 11th for years; others say the threat is overblown and that fearmongering could destroy our civil liberties. The extremely sophisticated Chinese hack of US corporations has put the issue back in the news. The military is scrambling to put together cyberwarfare units and figure out what exactly they should be doing. Universities, think tanks, and government organizations are brainstorming how to rebuild a secure Internet from the ground up. And you and I, the users, have to deal with security restrictions that seem increasingly asinine and make our military networks almost unusable for daily work. I write repeatedly about this, but Starbuck's recent rants here and here prove that I am outclassed.

It's good we're talking about cyberwarfare, but there's a problem: although everybody knows the issue is critical, very few people really understand it. I know I don't, and I'm a pretty computer-literate guy. I was on the Internet when it was just a UNIX prompt and I've been programming computers and robots since I was a kid. I know scattered bits of hacking knowledge here and there, but if you put me in CYBERCOM and said, "Tell me exactly what it is we're supposed to be doing here", I would have no idea. I have to imagine that a lot of policymakers, especially those who didn't grow up in a digital generation, understand even less.

That raises an interesting question: given the technical complexity of cyber issues, how can we teach the layman about them?

I decided this is something I need to know more about, so I started a crash course in the digital underworld (as if I don't have enough going on). I started with the very basics this week. I downloaded the open-source tool VirtualBox which allows me to run a second operating system in a window inside my existing operating system (my wife uses the same program to run Windows on her MacBook). Next I downloaded and installed Ubuntu 9.10, one of the most popular distributions of the open-source operating system Linux--the preferred operating system for most hackers. After that, I installed Tor for Ubuntu, which masks my IP address (did you know that every website you visit logs your IP address, and that your IP address can be mapped to a physical location?). I already use a subscription service called Proxify, which is a kind of intermediary allowing me to access websites that are firewalled in this country, so this combination of tools lets me surf with anonymity. I also downloaded the free Linux chat client Pidgin and played around for a while on IRC, an old chat and file-sharing protocol that predates all of our modern chat tools. I used it extensively when I was a young programmer and my Internet access just provided a UNIX prompt, but it's still a preferred hangout for serious coders and hackers.

The next topic I began to explore was encryption and digital signing. A few of my geekiest friends always signed their emails with PGP keys, but I never really understood how they worked, so I read the GNU Privacy Handbook. I then installed the free GNU Privacy Guard for Windows, and FireGPG for Firefox on both Windows and Ubuntu. Now I have the ability to digitally sign or encrypt my e-mails, or verify the identity of and decrypt documents from others using PGP (I have no idea when I would actually use this, but at least I know how). With these tools, my masked Internet connection, and an anonymous e-mail address, I could conceivably create a secure online identity that is very hard to tie to my real self.

I also began reading the non-technical primer Hacking for Dummies (yes, I know, all the real hackers are laughing at me) and the more technical security primer Hacking Exposed. I don't have the time or inclination to learn all the tools of the trade, but these books are giving me an idea of the way hackers operate, the tactics and tools they use, and the countermeasures to defend against them.

I'm amazed at the power of the free tools that would-be hackers can use to cause mischief. You really don't have to be an expert to launch attacks; you just have to download and employ the right tool. In fact, hacker culture uses the derogatory phrase "script kiddie" to describe juveniles who use off-the-shelf tools but have no real programming or hacking ability.

I'm also impressed at how important the human dimension is to hackers. Breaking into a secure network is hard; obtaining a password from a careless employee might be much easier. This is where I fear that the DOD might be going wrong with its strict network security. By making passwords so complex, requiring that they be changed so frequently, etc., the DOD is making it impossible for servicemembers to remember them. When I was flying C-17s I had to access a variety of DOD programs from the road. The only way I could remember all my usernames and passwords was to carry a card in my wallet with all of them written down. A lot of my friends did the same. Those programs were probably safe from brute-force attempts to crack passwords, but there is a soft underbelly. A lost wallet could give someone access to ten or fifteen DOD web applications.

A second example: every Air Force pilot maintains a list of identifying information that can be used by Search and Rescue forces. Among this information is a secret number. The rules for choosing a valid number were so complicated and changed so frequently that nobody could figure out how to pick a valid one. After I made five or six attempts, the Intel officer finally told me, "Just use XXXXXXX." The number was easy to remember because it corresponded to something we all knew (sorry, being vague here). I'm pretty sure half my squadron ended up using the same number. That is not secure.

Finally, I'm amazed at how much information you can dig up on a person or a company if you really try. This is where the technical and human aspects of hacking meet. If you want to target a specific company, you can quickly find all sorts of human information that could help you gain access--names, phone numbers, addresses, etc. When I was in high school, I used to hang out on a message board for aspiring young writers. One girl posted a "Goodbye world" message one Friday, informing us all that she was going to kill herself on Monday. Using just her e-mail address, I was able to get a phone number of somebody who knew her. It turned out to be a hoax, but she got the surprise of her life when the police showed up at her house Sunday evening.

I've only seen the tip of the iceberg, but this is fascinating stuff. I will admit that I've gained a greater appreciation for the challenges that DOD must manage with its network security policies. Starbuck and I both come down on the side of openness and freedom, but I recognize that this needs to be balanced with careful security measures. I don't believe DOD has achieved this balance yet--it needs to find creative ways to open up the flow of information, while still preserving security. I will share some thoughts on how it might be able to achieve that in a future post.