We at RU refer to Adam Firestone as our weapons expert, a wide-ranging title that encompasses Adam’s knowledge of modern-day weapons and weapons from centuries past. Adam’s expertise also includes the very hot topic of cyber-attacks.
Cyber-attacks and hacks have become so commonplace that hardly a day goes by without the media trumpeting another electronic assault, breach or revelation of confidential and personal information. Yet writing about cyber is difficult for many authors. This is unfortunate as cyberspace, and the ability to exploit its riches, can provide a character with an almost supernatural awareness of intentions, goals, plans or motivations. Such awareness is a versatile tool that can be used to buttress an otherwise unsupportable storyline or link disparate plot elements. This piece focuses on the means by which cyber-attackers gain access to targeted systems and describes a few simple but effective countermeasures.
Cyber’s most confusing aspect arises from the conflation of the means by which an attacker gains entry to a victim’s computer or network with the activities that the attacker is able to conduct once inside. Take the recently discovered Duqu 2.0 malware, for example. Duqu 2.0, discovered by the antivirus firm Kaspersky Lab in 2015, is an advanced version of the Duqu malware used in espionage operations against industrial control systems in 2011. Duqu 2.0 infected computers in the Austrian and Swiss hotels that were hosting international negotiations concerning the Iranian nuclear program and associated economic sanctions. Duqu 2.0 is reported to have used three “zero day” exploits to accomplish its espionage mission.
(Note: A “zero day vulnerability” refers to a security flaw in software that is unknown to the software’s manufacturer. This security hole is then exploited by hackers in what is called a “zero day attack.” Zero day attacks can be used to infect systems with malware or spyware, or to give attackers access to sensitive information. The term “zero day” refers to the fact that the flaw is unknown to everyone except the hackers; in particular, the developers have had zero days to fix it. Once the vulnerability becomes known, a race begins between the manufacturer, who must patch the flaw in order to protect the users, and the hackers, who want to exploit the flaw before it is remedied.)
Once a computer was infected with Duqu 2.0, attackers were able to accomplish a wide array of objectives including collecting information housed on the system, manipulating files and directories, performing reconnaissance on networks, file systems, user directories and domains, conducting remote desktop administration, stealing passwords, exfiltrating the stolen information and more.
If that sounds terrifying, it should. There’s almost no limit to what an enterprising hacker can do with a compromised system, and this is often the only focus of discussions about malware and cybersecurity. But before any of that can happen, attackers have to get into the systems they exploit. This raises the question: How do cyber-attackers penetrate targeted systems in the first place?
The answers, up to 95% of the time, are deceptively (and distressingly) simple. The two most significant methods by which attackers gain entry (referred to as “infection vectors”) are “phishing” and system maintenance failures.
In a phishing attack, the attacker sends an email to the victim under false pretenses. In the email, the attacker claims to be a legitimate enterprise in an attempt to convince the victim to surrender private information, which can be used for identity theft or a more direct theft of information or money. The phishing email may include a link that takes the victim to a legitimate-looking website where he or she is asked to update personal information, such as a password, credit card, social security or bank account numbers. The victim, confident that the legitimate organization (which is being impersonated by the attacker) already has this information, enters the data. The website, however, is a false front and will capture and steal any information the user enters on the page. The victim is now compromised.
In a variation of this, the website to which the victim is directed contains malicious code which exploits the victim’s browser software so that it can execute on the victim’s machine, gaining control and potentially allowing the attacker access to all the victim’s data, system capabilities and potentially the victim’s network as well.
In another phishing scenario, the email contains an apparently innocent attachment such as an Adobe Portable Document Format (PDF) file or a Joint Photographic Experts Group (JPG) formatted image. When the victim opens the attachment, hidden malicious code is executed and the victim is now “owned.”
Phishing emails are blindly sent to thousands, if not millions of recipients. By spamming large groups of people, the “phisher” counts on the email being read by some percentage of people who will either enter the requested information, surf to the malicious website or open the infected attachment.
A less random variant of the phishing attack is known as “spear phishing.” A spear phishing attack features an email that appears to be from an individual or business known to the victim. Spear phishing attackers exploit the victims’ sense of familiarity. The attacker usually knows a victim’s name, email address and at least some biographical information. The salutation on the email message is likely to be personalized: “Hi Bob” instead of “Dear Sir.” The email may establish its legitimacy by making reference to a mutual friend or to a recent online purchase. Because the email appears to come from someone known to the victim, the victim is generally less wary and vigilant about protecting personal information. A technique known as “spoofing” is often used in these more sophisticated phishing attacks. In this case, an attacker creates an email address that, at a glance, appears to be from a trusted source. For example, a victim known to bank with Citibank may receive an email from email@example.com (instead of firstname.lastname@example.org). Victims are particularly sensitive to emails purporting to come from their employer or another company with which they’re familiar. As a result, they often provide data or click before thinking.
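The spoofing trick described above works because the display name and the part of the address before the “@” can say anything; only the domain after the “@” tells you where the mail actually came from. The following Go program is an added example (not code from the original article) of the check a mail filter or a careful reader performs: it parses the From: header, extracts the domain, and compares it with a small allow-list of domains the recipient genuinely deals with. The allow-list entries, the sample headers and the one-label-suffix assumption in `registrableName` are constructed for the example; a real filter would use the Public Suffix List.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// trustedDomains is a constructed allow-list of domains the recipient
// actually does business with (hypothetical values for the example).
var trustedDomains = []string{"citibank.com", "example-employer.com"}

// Verdict classifies a sender address for the "can this be attributed
// to the claimed sender?" question.
type Verdict string

const (
	Trusted   Verdict = "trusted"   // exact match on an allow-listed domain
	LookAlike Verdict = "look-alike" // resembles a trusted domain but is not it
	Unknown   Verdict = "unknown"   // not related to any trusted domain
	Malformed Verdict = "malformed" // could not be parsed as an address
)

// senderDomain extracts the lower-cased domain from an RFC 5322 address,
// including the "Display Name <user@domain>" form phishers rely on: the
// display name can say anything, only the part after '@' is checked.
func senderDomain(from string) (string, error) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no '@' in address %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// registrableName returns the label left of the public suffix for the
// simple one-label suffixes this example handles ("citibank" from
// "citibank.com" or "citibank-secure.com"). This is a simplification;
// real deployments consult the Public Suffix List.
func registrableName(domain string) string {
	parts := strings.Split(domain, ".")
	if len(parts) < 2 {
		return domain
	}
	return parts[len(parts)-2]
}

// ClassifySender compares the sender's domain with the allow-list. A domain
// that merely contains a trusted brand name ("citibank-secure.com",
// "citibank.com.evil.net") is flagged as a look-alike rather than trusted.
func ClassifySender(from string) Verdict {
	domain, err := senderDomain(from)
	if err != nil {
		return Malformed
	}
	for _, trusted := range trustedDomains {
		if domain == trusted || strings.HasSuffix(domain, "."+trusted) {
			return Trusted
		}
	}
	for _, trusted := range trustedDomains {
		if strings.Contains(domain, registrableName(trusted)) {
			return LookAlike
		}
	}
	return Unknown
}

func main() {
	// Constructed From: headers, as they might appear in a mailbox.
	for _, from := range []string{
		"Citi Alerts <alerts@citibank.com>",
		"Citi Alerts <alerts@citibank-secure.com>",
		"Citi Alerts <alerts@citibank.com.evil.net>",
		"Citibank Billing <billing@mail-relay.net>",
		"not an address",
	} {
		fmt.Printf("%-45s -> %s\n", from, ClassifySender(from))
	}
}
```

Note that the third sample, `citibank.com.evil.net`, is the case the “glance” check misses: the trusted name appears at the start of the domain, but the registrable part is `evil.net`. Matching on the suffix rather than the prefix is what catches it.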
Flawed System Administration
The MITRE Corporation maintains something called the Common Vulnerabilities and Exposures (CVE) database. The CVE database is a dictionary of publicly known software security vulnerabilities and exposures. The US National Institute of Standards and Technology (NIST) maintains a similar database, known as the National Vulnerability Database (NVD). According to NIST, NVD is “the U.S. government repository of standards based vulnerability management data. This data enables automation of vulnerability management, security measurement, and compliance.” There’s significant overlap between the two.
In essence, these two databases contain a list of everything that’s wrong with your computer. More precisely, they list all the known security flaws in the operating systems and software that make computers and networks useful. In theory, software manufacturers pay close attention to CVE and NVD and rapidly update their products – and send out software patches to their users – whenever a vulnerability is discovered. In practice, it very often does work out that way. If you’ve ever wondered what’s going on when, once a week, Windows displays the helpful message that your computer is being updated (even though all you want to do is shut down), Microsoft is in fact pushing updates, often fixing security flaws, to your machine.
Issues with this arise when users are thrown into the mix. While software and hardware manufacturers may be assiduous in ensuring that patches are created and distributed in a timely fashion, there’s no guarantee that users will actually install the updates. How often do you click “Later” or “Not Now” when your computer displays a message from Adobe or another software maker asking you if you want to update your product? As a result, a large number of systems remain vulnerable to relatively old (and patched!) malware threats. Additionally, many users insist on running outdated software that is no longer supported. For example, Microsoft stopped supporting Windows XP on April 8, 2014. That means that Microsoft will no longer develop or send out (other than by special contract) patches to address vulnerabilities in Windows XP. More importantly, it means that a Windows XP user’s risk of falling victim to a cyber-attack increases daily.
The result of ineffective systems administration is that hackers can use the CVE and NVD as guidebooks on how to attack unpatched systems. The shield becomes the adversary’s sword.
Effective systems administration, whether for a single, personally owned computer or a huge number of servers and workstations at a set of distributed corporate locations, means (among other things!) ensuring that only trusted software is running, that each computer is fully patched with the latest updates and that obsolete software is retired and replaced. Fortunately for both hackers and writers (but not users!), this is very often not the case.
Defending the Realm
Statistics indicate that as much as 95% of successful cyber-attacks gain entry through either a phishing attack or flawed systems administration that allows old, patched vulnerabilities to persist. So what’s an enterprising protagonist to do?
Fortunately, there are remedies available for both issues.
With respect to phishing, following the READ principles will help your character avoid falling victim to a phishing attack. READ is a set of analyses with which an email recipient can evaluate an individual message before reacting or responding:
- Relevant: Is the email relevant to the recipient’s profession or hobbies?
- Expected: Is this email expected? From this sender?
- Attributable: Can the email be confirmed as coming from the sender?
- Digitally Signed: Is the email digitally signed?
(Digital signatures use a cryptographic algorithm to append a signed hash, or digital fingerprint, of the email, produced with the sender’s private key; it can then be verified using the public key in a digital certificate that the sender has previously distributed. Properly implemented, digital signatures are very difficult to forge and provide proof of the sender’s identity and the validity of the email.)
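To make the “Digitally Signed” check concrete, here is an added Go example (not code from the original article) of the sign-and-verify cycle the note above describes, using the Ed25519 signature scheme from Go’s standard library. The sender hashes the message into a fingerprint, signs the fingerprint with a private key, and attaches the signature; the recipient recomputes the fingerprint and checks it against the signature with the sender’s public key. The `SignedMail` shape, the sample sender address and the message text are constructed for the example; a real mail client would carry the public key inside a certificate and the signature inside an S/MIME or PGP structure rather than a bare field.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedMail is the constructed shape of a signed message: the headers and
// body that were signed, plus the signature the sender attached.
type SignedMail struct {
	From, Subject, Body string
	Signature           []byte
}

// canonical returns the exact bytes that are hashed and signed. Including
// the From: and Subject: headers means a forger cannot lift a genuine
// signature onto a message with a different sender or subject.
func canonical(from, subject, body string) []byte {
	return []byte("From: " + from + "\r\nSubject: " + subject + "\r\n\r\n" + body)
}

// fingerprint is the "digital fingerprint" of the email: a SHA-256 hash of
// the canonical bytes. Ed25519 hashes internally as well; hashing first
// keeps the signed object small and fixed-size whatever the message length.
func fingerprint(from, subject, body string) []byte {
	sum := sha256.Sum256(canonical(from, subject, body))
	return sum[:]
}

// Sign produces a signature over the fingerprint with the sender's private key.
func Sign(priv ed25519.PrivateKey, from, subject, body string) SignedMail {
	return SignedMail{
		From: from, Subject: subject, Body: body,
		Signature: ed25519.Sign(priv, fingerprint(from, subject, body)),
	}
}

// Verify checks the signature with the public key the sender distributed
// earlier (in practice inside a certificate). It returns false for any
// change to the sender, subject, body or signature bytes.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, fingerprint(m.From, m.Subject, m.Body), m.Signature)
}

// NewKeyPair generates a fresh sender key pair from the system RNG.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only happens if the system RNG is broken
	}
	return pub, priv
}

func main() {
	pub, priv := NewKeyPair()
	msg := Sign(priv, "bob@example.com", "Lunch?", "Noon at the usual place.")
	fmt.Println("genuine message verifies:", Verify(pub, msg))

	// An attacker who intercepts the mail and edits the body cannot keep the
	// old signature valid, because the fingerprint no longer matches.
	tampered := msg
	tampered.Body = "Please wire the deposit to the new account below."
	fmt.Println("tampered body verifies:  ", Verify(pub, tampered))

	// An attacker with their own key pair can sign anything, but the
	// recipient checks against Bob's previously distributed public key.
	_, otherPriv := NewKeyPair()
	forged := Sign(otherPriv, "bob@example.com", "Lunch?", "Noon at the usual place.")
	fmt.Println("forged with another key: ", Verify(pub, forged))
}
```

The last case is the one the READ checklist cares about most: anyone can produce a valid-looking signature with a key they generated themselves, so the value of a signature rests entirely on the recipient already holding, and trusting, the genuine sender’s public key.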
With respect to system administration, your character needs to exercise due diligence. Specifically:
- Ensure that the latest operating system and software patches are in place
- Use strong passwords at least fifteen characters long that feature a combination of uppercase, lowercase, digits and special characters
- Have, and run, an antivirus program from a reputable company such as Kaspersky Lab, Symantec or Intel/McAfee and keep the subscriptions for virus definitions up to date.
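The first two items above, and the CVE/NVD discussion earlier in the piece, are exactly what an automated due-diligence check does on a real network: compare what is installed against a feed of advisories and flag anything running a version older than the fix, or anything the vendor no longer supports at all. The Go program below is an added example (not code from the original article) of that check, plus the password rule from the second item. The inventory, the advisory records and their `ADV-PLACEHOLDER-*` identifiers are constructed stand-ins for NVD entries, and the product names and version numbers are illustrative, not real advisory data.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// Advisory is a constructed record in the shape of a CVE/NVD entry: the
// affected product and the first version that carries the fix. The IDs
// are placeholders, not real CVE numbers.
type Advisory struct {
	ID, Product, FixedIn string
}

// Installed is one entry of a host's software inventory (constructed).
type Installed struct {
	Product, Version string
	Supported        bool // false once the vendor has ended support
}

// parseVersion turns "11.0.10" into [11 0 10]; non-numeric parts become 0.
func parseVersion(v string) []int {
	var out []int
	for _, p := range strings.Split(v, ".") {
		n, _ := strconv.Atoi(p)
		out = append(out, n)
	}
	return out
}

// versionLess reports whether a < b, comparing component by component and
// treating missing trailing components as 0 ("11.0" equals "11.0.0").
func versionLess(a, b string) bool {
	pa, pb := parseVersion(a), parseVersion(b)
	for len(pa) < len(pb) {
		pa = append(pa, 0)
	}
	for len(pb) < len(pa) {
		pb = append(pb, 0)
	}
	for i := range pa {
		if pa[i] != pb[i] {
			return pa[i] < pb[i]
		}
	}
	return false
}

// Findings lists what the due-diligence check turned up on one host:
// unsupported software (no patches will ever arrive) and supported
// software still below the fixed version named in an advisory.
func Findings(inventory []Installed, advisories []Advisory) []string {
	var out []string
	for _, sw := range inventory {
		if !sw.Supported {
			out = append(out, fmt.Sprintf("%s %s: vendor support ended, no patches will arrive; replace it",
				sw.Product, sw.Version))
			continue
		}
		for _, adv := range advisories {
			if adv.Product == sw.Product && versionLess(sw.Version, adv.FixedIn) {
				out = append(out, fmt.Sprintf("%s %s: unpatched for %s (fixed in %s)",
					sw.Product, sw.Version, adv.ID, adv.FixedIn))
			}
		}
	}
	return out
}

// PasswordMeetsPolicy applies the rule from the checklist: at least fifteen
// characters with uppercase, lowercase, digits and special characters
// (anything that is none of the first three, spaces included, counts as special).
func PasswordMeetsPolicy(pw string) bool {
	if len([]rune(pw)) < 15 {
		return false
	}
	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			special = true
		}
	}
	return upper && lower && digit && special
}

func main() {
	// Constructed inventory and advisory feed (illustrative versions only).
	inventory := []Installed{
		{"Acrobat Reader", "11.0.10", true},
		{"Flash Player", "18.0.0.203", true},
		{"Windows XP", "5.1", false},
	}
	advisories := []Advisory{
		{"ADV-PLACEHOLDER-1", "Acrobat Reader", "11.0.12"},
		{"ADV-PLACEHOLDER-2", "Flash Player", "18.0.0.160"},
	}
	for _, f := range Findings(inventory, advisories) {
		fmt.Println(f)
	}
	for _, pw := range []string{"Winter2015", "correct-Horse-battery-9"} {
		fmt.Printf("%-26q meets policy: %v\n", pw, PasswordMeetsPolicy(pw))
	}
}
```

On the constructed data the Flash Player entry produces no finding because it is already above the fixed version, the Acrobat Reader entry is flagged against its advisory, and Windows XP is flagged regardless of any advisory, which is the point the article makes about unsupported software: the list of what is wrong with it will only grow.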
Will these steps absolutely defend your protagonist’s system against all attacks? No – but they will make it a vastly more difficult target, and dramatically lower the risk of a successful cyber-attack.
(“pwned,” pronounced /pōhnd/: an internet slang term meaning to own, conquer or dominate.)
Whether you are a cyber-expert or a novice, don’t hesitate to ask if you need advice regarding cyber-plots.
Bio: Adam Firestone brings more than 25 years of experience with weapon systems including small arms, artillery, armor, area denial systems and precision guided munitions to Romance University. Additionally, Adam is an accomplished small arms instructor, editor, literary consultant and co-author of a recently published work on the production of rifles in the United States for Allied forces during the First World War.
Adam has been providing general and technical editing services to authors and publishing houses specializing in firearms books since the early 2000s. Additionally, Adam provides literary consulting services to fiction authors including action scene choreography, technical vetting and technical editing. In this capacity, Adam has had the fortune to work with well-known authors including Shannon McKenna and Elizabeth Jennings.
Check out Adam’s blog here: http://adamfirestoneconsultant.blogspot.com/