How do I learn about Cyber-Warfare?
January 15, 2010 3:35 PM
Cyber-War Filter: How do I become literate about wars fought over the internet?
The media has been buzzing about cyberwarfare, specifically the Chinese infiltration of Google servers. My interest has been piqued, and I want to learn more about what's going on. But I don't really have any technical expertise!
I'm certainly not computer illiterate, but frankly I don't know how to code, nor do I know anything about computers in any great detail. I would say I have a solid "general working knowledge" of computer systems, but not much beyond that.
Short of actually learning to program, is there any resource or book(s) that would give me a better understanding about what cyber warfare is, and how, on a tactical level, it is actually fought? Is there a blog or a news source that follows major internet events more closely than say, the New York Times? I'm just looking for resources that would allow me to speak and think about these issues in an intelligent manner. For instance:
-The Google hackers may have used some sort of Adobe pdf exploit to gain entry. How might this have worked?
-Google traced back the attack to a Taiwanese server. How does such a trace-back work?
-It turns out that the Taiwanese server was taken over by the hackers, and the attack launched from there. How does this process work?
-What distinguishes a primitive hacking attempt from what the media seems to refer to as "sophisticated attacks"? What are the likely signs that a computer intrusion was done by a government actor, rather than a nerdy teenager?
I would like to be able to extend my general knowledge of these issues beyond the immediate Google incident, and to cyber-warfare generally.
Best answer: My advice - read Bruce Schneier's blog.
Here's his commentary on the brouhaha in Estonia in 2007.
I'm not sure the mass media is a good place to get the sort of well reasoned technical information you're looking for. In the post I linked to it is pointed out that after a large DDoS attack in 2000 some reporter asked Clinton if this was the electronic Pearl Harbor.
posted by Kid Charlemagne at 4:03 PM on January 15, 2010
jaimev: "The Google hackers may have used some sort of Adobe pdf exploit to gain entry. How might this have worked?"
pdf is an extension of postscript. postscript is a programming language. A pdf file is technically not a document that is displayed, but rather a program that executes and generates the document dynamically. There are a huge number of ways to exploit bugs in a process like this.
More generally, things like this are almost always buffer overflows, most often exploited in such a way as to smash the stack. The program reads some data (in this case from a pdf file). The program has a bug where when the data is larger than expected, rather than opening up more space to store extra data, or ignoring the data past the storage limit, it actually destroys other data in the process of reading in the new data*. By doing this carefully you can make the program do anything you want it to (because you can write over the code the program will be executing).
Buffer overflows are to a quite large degree a side effect of a design flaw in the commonly used C library function, gets. To quote the Linux manual page for the gets function:
"Never use gets(). Because it is impossible to tell without knowing the data in advance how many characters gets() will read, and because gets() will continue to store characters past the end of the buffer, it is extremely dangerous to use. It has been used to break computer security. Use fgets() instead."
In the open source world huge numbers of these bugs were fixed by simply searching the source code and eliminating all usage of this function.
* A loose and somewhat silly analogy would be breaking into someone's house by leaving a bulldozer with a big ribbon bow on it and keys in the ignition in their driveway, expecting them to try to park it in the garage, and then walking in via the huge hole the bulldozer knocks in the wall when it does not fit in the garage.
posted by idiopath at 4:23 PM on January 15, 2010 [2 favorites]
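The gets()/fgets() contrast idiopath describes, modelled in a short C program added here (not code from the thread). A plain byte array stands in for the stack frame so the overflow stays well-defined and observable; the unsafe copy stops at the end of that array only to keep the model itself in bounds, which a real gets() never does.

```c
/* Added example (not from the thread): a model of the gets()-style bug.
 * The "frame" is a byte array standing in for a stack frame: bytes
 * [0, BUF_LEN) are the input buffer, the bytes after it stand in for the
 * saved data (return address, other locals) that a real overflow destroys.
 * Input comes from an in-memory string, the equivalent of the file data. */
#include <stdio.h>
#include <string.h>

#define FRAME_LEN 32   /* whole modelled frame */
#define BUF_LEN   16   /* the fixed-size buffer inside it */
#define SENTINEL  0xAA /* pattern that should survive in the rest of the frame */

/* gets()-style: copies until newline/NUL with no idea how big buf is.
 * The FRAME_LEN stop exists only to keep this model inside the array;
 * the real gets() has no such stop and keeps writing. */
static void unsafe_read_line(unsigned char *frame, const char *input)
{
    size_t i = 0;
    while (input[i] != '\0' && input[i] != '\n' && i < FRAME_LEN - 1) {
        frame[i] = (unsigned char)input[i]; /* runs past BUF_LEN without noticing */
        i++;
    }
    frame[i] = '\0';
}

/* fgets()-style: the caller passes the buffer size, so at most size-1
 * bytes are stored and the rest of the line is simply left unread. */
static void safe_read_line(unsigned char *frame, size_t size, const char *input)
{
    size_t i = 0;
    while (i < size - 1 && input[i] != '\0' && input[i] != '\n') {
        frame[i] = (unsigned char)input[i];
        i++;
    }
    frame[i] = '\0';
}

/* Returns how many bytes beyond the buffer a read of `input` clobbered. */
int clobbered_bytes(int use_safe, const char *input)
{
    unsigned char frame[FRAME_LEN];
    memset(frame, SENTINEL, sizeof frame);
    if (use_safe)
        safe_read_line(frame, BUF_LEN, input);
    else
        unsafe_read_line(frame, input);
    int n = 0;
    for (size_t i = BUF_LEN; i < FRAME_LEN; i++)
        if (frame[i] != SENTINEL)
            n++;
    return n;
}

/* Constructed inputs: one that fits the buffer and one that does not. */
const char *const SAMPLE_SHORT_LINE = "hello\n";
const char *const SAMPLE_LONG_LINE =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; /* 44 bytes of 'A' */

int main(void)
{
    printf("short line: unsafe clobbers %d bytes, safe clobbers %d\n",
           clobbered_bytes(0, SAMPLE_SHORT_LINE), clobbered_bytes(1, SAMPLE_SHORT_LINE));
    printf("long line:  unsafe clobbers %d bytes, safe clobbers %d\n",
           clobbered_bytes(0, SAMPLE_LONG_LINE), clobbered_bytes(1, SAMPLE_LONG_LINE));
    return 0;
}
```

With the long line the unsafe reader overwrites all 16 bytes past the buffer; the bounded reader overwrites none, because the size argument is the information gets() never had.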
Best answer: Before launching into a career of selling Klein bottles, Cliff Stoll wrote about his experiences as a system administrator at Lawrence Berkeley National Laboratory, tracking down a KGB-funded cracker in his book The Cuckoo's Egg. Well worth a read.
posted by Blazecock Pileon at 4:29 PM on January 15, 2010 [2 favorites]
I'd describe myself in similar terms — while I'm not a coder, I probably have a strong foundation in what you refer to as the "general working knowledge" of computer systems. While I can't answer all your questions, I'll give most of them a shot. (Forgive me if any of my answers seem overly simplistic and/or patronising, because that's certainly not my intention.)
'Cyber warfare' is more of a distinction in language than in method, much as in the same way that an assassination is distinct from a murder. The end result is much the same, but the intentions are different. In this case, the fact that a state is behind attacks designed to compromise the economic and military assets of another state marks this out as a form of warfare.
An 'exploit' can mean many things, but in the case of the aforementioned Adobe PDF exploit is likely to mean a vulnerability in Adobe Acrobat that allowed it to be compromised in some fashion. All kinds of software — including the operating system you're using right now — have various flaws, many of which can be used to negative ends. Most likely is that someone planted software on a Chinese human rights activist's laptop via a PDF exploit which allowed remote access to their data, and/or a keylogger that enabled them to breach security on their Gmail accounts. This exploit could have been delivered by many methods, the most obvious of which is deception — think of the PayPal and bank phishing e-mails most people get on a weekly basis. Perhaps they received a PDF that had been compromised, or a virus that attached itself to Adobe Acrobat itself.
A trace back is essentially finding out where network traffic came from. On the most basic level, it acts as a general identifier; if I'm in the UK, for instance, I can't access Hulu, and Americans can't access the BBC's iPlayer service. Try and find out how to use the 'traceroute' function on your computer for a taste of this (your computer is bound to have it somewhere — Macs put it in Network Utility). Run it on a friend's IP address and you'll immediately see all kinds of identifying information — if I feed in metafilter.com, for example, it moves from a server with 'london' in its IP address (I'm in the UK) and swiftly down to one with 'newyork', then 'dallas'. Conveniently labelled for sure, but I can reasonably surmise from this info that MetaFilter's web hosts operate out of somewhere in the U.S. This incredibly primitive method of trace back is obviously going to be fairly useless against a technologically savvy adversary who are likely to put as many false flags between them and whatever they're trying to hack into as possible, but forensic detective work will overcome that most of the time.
To mask their work, the hackers compromised another device to conduct their hacking on. In a similar way to the Adobe PDF exploit I roughly described earlier, the hackers found a vulnerability on another server and then commandeered it for their own purposes. The reasoning for this is much the same as why someone would use a public payphone instead of their house phone to discuss illegal activity — it just puts extra steps between you and any wrongdoing.
What distinguishes these attacks from your garden variety 'nerdy teenager' is likely to be somewhat less a case of expertise but more of professionalism and intentions backed up by large resources. Large multinationals take their trade secrets very seriously, and Google — one of the highest-profile technology companies on the planet — is going to have some pretty severe security systems in place to prevent stuff like this happening. The Chinese government, like the American government, likely has one or several large teams of computer experts working day and night to pull off stuff like this. Again, it's more about scale and intent — one guy with a pistol in a grocery store is a petty robbery, half a dozen guys with assault rifles and a bank vault is something else entirely*.
Hopefully some of this is enlightening — this is a helluva long post and it's late here, so apologies if any of it's incomprehensible. Hopefully I haven't waffled too much either, or indulged in too many generalisations.
*That would be the plot of Heat. Sorry, just got done watching it. :P
posted by jaffacakerhubarb at 4:38 PM on January 15, 2010
The RAND Corporation has published a lot of excellent unclassified monographs on cyberwarfare available online for free. Their National Security Research Division and Science and Technology Research Center publications are excellent resources, too.
posted by aquafortis at 4:43 PM on January 15, 2010
Seconding The Cuckoo's Egg. For a slightly more sensationalistic story, dig up some of the writeups of the Tsutomu Shimomura/Kevin Mitnick affair.
As regards application/system vulnerabilities or other wide-scale events (worms and whatnot), I find SANS to be a good place to keep up with what's going on.
To further what idiopath says, and while it assumes at least a working knowledge of C, Aleph One's essay Smashing The Stack for Fun and Profit is one of the best overviews of stack overflow vulnerabilities out there.
posted by jquinby at 4:44 PM on January 15, 2010
Wars are not fought over the internet.
"Cyberwarfare" in actual wars tends to involve things like bombing power plants and stuff like that, which "cyberwar" hyperbolicists tend to claim because they want to inflate their importance.
What's going on here is espionage. Corporate espionage happens all the time, but since China's government and its corporations are closely aligned, you get the sort of mixing of government and corporate espionage.
posted by delmoi at 5:14 PM on January 15, 2010
Thirding the Cuckoo's Egg and seconding the Shimomura / Mitnick saga. Check out Takedown and Cyberpunk as well. These chronicle older occurrences of what you call "cyber warfare", often small-scale, childish and simplistic, but it's exactly for those reasons that they're a good place to start.
posted by CharlesV42 at 6:15 PM on January 15, 2010
Best answer: Wars are not fought over the internet.
This point of view, I disagree with it.
As recently as the invasion of Iraq it was pretty easy to distinguish between "actual" warfare and cyberwarfare. That distinction is disappearing.
since China's government and its corporations are closely aligned, you get the sort of mixing of government and corporate espionage
If you don't think the Cold War was thick with this sort of corporatism, I'm not sure where to start. For the most part that was a competition in which information flowed in one direction -- from the West to the Soviets, and thence to China. There wasn't much that either had that the US thought worth stealing, so our efforts were more protective and defensive (a tenor to things you can still hear today). The independence of China in this game probably became crystal clear around the time of the Loral Intersat explosion. Satellites seemed to be the game to play in the 90s, but a number of factors led to the decline of that idea. Today it's very clearly the internet where technological expertise resides and this isn't simply about business interests.
Just as "actual" warfare is moving toward the virtual, with guys near Las Vegas piloting drones over Afghanistan before going home to their wives, technological combat is moving onto the internet. It's apparently bloodless and certainly cheaper but the losses can be as significant as a bomb. We've already seen a serious attack on Estonia, and I wouldn't be surprised if we see a cyberwarfare Haiti in the next few years -- where a country is brought to its knees, perhaps a bank is looted James Bond style, or major infrastructure is damaged along the lines of the oft-worried dam or pipeline being opened. In fact this may already have happened on a smaller scale. It's especially tempting because it's inherently asymmetric -- the defending country has to expend greater and greater resources versus what may be effectively a small, ad hoc band of nationalistic hackers, whether or not they are working officially.
This isn't hypothetical -- we know the Chinese have openly studied it from a doctrinal standpoint. Personally, this Google attack gave me a sinking feeling like few others I've heard of. I think it's just the beginning.
posted by dhartung at 6:18 PM on January 15, 2010
Wired published a piece of speculative fiction called The Great Cyberwar that's actually a fairly technically literate scenario. It's a fun read mainly for exploring how a cyberwar could turn hot, some of the potentially scary scenarios, and in general the WTF? nature of it these days. Don't take it too seriously as a possible future, but it's good at tying together a lot of things that we're struggling with now, like asymmetrical warfare, government policy lagging technology, and the overall vulnerability of critical infrastructure.
posted by fatbird at 6:18 PM on January 15, 2010
The PDF exploit was not a buffer overflow, it was a use-after-free exploit of the media.newPlayer method. PDFs can be so nasty because they can contain embedded bits of Javascript which are to be executed by the viewer application, which is how this exploit gets off the ground and launches a very small chunk of shellcode, which searches for a larger bit of shellcode that is cleverly hidden in another part of the PDF file as a bogus zlib compressed colorspace object, which shows another reason why PDFs are ripe for exploits: the ability to embed arbitrary binary blobs inside them which get mapped into memory.
posted by Rhomboid at 6:56 PM on January 15, 2010 [1 favorite]
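A first-pass triage of the features Rhomboid points at (embedded JavaScript, actions that fire on open, and compressed binary streams), as an added C example that is not from the thread. The sample PDFs and the verdict thresholds are constructed for the example. Caveat: PDF names can be written with #xx hex escapes and objects can sit inside compressed object streams, so a raw-byte scan like this is a first look that tells you what to inflate and rescan, not a verdict.

```c
/* Added example (not from the thread): scan a PDF's raw bytes for the
 * constructs a defender wants to know about before opening it anywhere
 * that matters. PDFs are binary, so searches are byte-based (memcmp),
 * never strstr, which would stop at the first NUL. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

struct pdf_triage {
    int javascript;     /* /JavaScript actions and /JS code strings */
    int open_action;    /* /OpenAction: runs when the file is opened, no click needed */
    int flate_streams;  /* /FlateDecode filters, i.e. zlib-compressed objects */
    int embedded_files; /* /EmbeddedFile: attached binaries */
};

/* Count occurrences of a PDF name token in a binary buffer. A match must
 * end at a non-alphanumeric byte so that "/JS" does not match "/JSX". */
static int count_name(const unsigned char *buf, size_t len, const char *tok)
{
    size_t tl = strlen(tok);
    int n = 0;
    for (size_t i = 0; i + tl <= len; i++) {
        if (memcmp(buf + i, tok, tl) != 0)
            continue;
        if (i + tl < len && isalnum(buf[i + tl]))
            continue;
        n++;
        i += tl - 1; /* skip past this match; the loop's i++ finishes the step */
    }
    return n;
}

struct pdf_triage triage_pdf(const unsigned char *buf, size_t len)
{
    struct pdf_triage t;
    t.javascript     = count_name(buf, len, "/JavaScript") + count_name(buf, len, "/JS");
    t.open_action    = count_name(buf, len, "/OpenAction");
    t.flate_streams  = count_name(buf, len, "/FlateDecode");
    t.embedded_files = count_name(buf, len, "/EmbeddedFile");
    return t;
}

/* Plain-language verdict; the thresholds are this example's, not a standard. */
const char *triage_verdict(const struct pdf_triage *t)
{
    if (t->javascript > 0 && t->open_action > 0)
        return "review: script runs automatically on open";
    if (t->javascript > 0 || t->embedded_files > 0)
        return "review: active content or attachments present";
    if (t->flate_streams > 0)
        return "note: compressed streams, inflate and rescan";
    return "no active content found in raw bytes";
}

/* Constructed sample: a tiny PDF whose catalog auto-runs a JavaScript action
 * and which carries one zlib-compressed stream (0x78 0x9c is the zlib header). */
const unsigned char SAMPLE_PDF[] =
    "%PDF-1.4\n"
    "1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    "4 0 obj << /S /JavaScript /JS (app.alert('constructed')) >> endobj\n"
    "5 0 obj << /Length 6 /Filter /FlateDecode >> stream\n"
    "\x78\x9c" "\x01\x02\x03\x04" "\nendstream endobj\n"
    "%%EOF\n";
const size_t SAMPLE_PDF_LEN = sizeof SAMPLE_PDF - 1;

/* Constructed benign sample: no actions, no streams. */
const unsigned char BENIGN_PDF[] =
    "%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n";
const size_t BENIGN_PDF_LEN = sizeof BENIGN_PDF - 1;

int main(void)
{
    struct pdf_triage t = triage_pdf(SAMPLE_PDF, SAMPLE_PDF_LEN);
    printf("js=%d open_action=%d flate=%d embedded=%d -> %s\n",
           t.javascript, t.open_action, t.flate_streams, t.embedded_files,
           triage_verdict(&t));
    return 0;
}
```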
Response by poster: Thanks everyone. I've bookmarked (and have continued to read) some of the blogs mentioned, and I've ordered The Cuckoo's Egg. Also, I appreciate the more extended answers and explanations as well.
posted by HabeasCorpus at 8:32 PM on January 20, 2010
posted by jaimev at 3:56 PM on January 15, 2010