This book calls for a limerick of "me" own:
This is how the world will end.
This is how the world will end.
Not with the roar of a lion
But with the click of a mouse.
Mitnick's and Vamosi's book is for the layman.
You won't find here buffer overflows (NOP sled, or overwriting the stack return
pointer), network scans/DoS attacks, integer overflow exploitation, details
about recent techniques to bypass ASLR, shell-code injection, network sniffing,
no kernel hacking/rootkit exploits, i.e., it does not break ground as a book to
explain how hacking and software exploits work and how readers could develop
and implement their own. It's a breezy read with lots of information, but the
deep dives aren't there.
Reading this, it got me thinking once again on
IT security aspects. I've done this recently when I read my last security book. Every time I read something like
this, I always get in the mood "Oooh spooky, 'cyber security', how hip,
how now." Cyber security is what used to be called 'spying' and that goes
back to erm... Caesar Augustus, who as emperor lived in a modest two-story home in central
Rome. Two floors around an open central area and thin columns sparsely placed
to form colonnaded mezzanine ground and top floor and no drapes or hangings -
he lived in a modest house with open mezzanines so that NO ONE COULD HIDE
BEHIND columns and listen to his conversations. Spying is as old as ancient
governments.
Technology helped the dissemination to become
global, thus helping "disseminators" on all sides to keep each other in power
even more easily.
The actual sides in that war are not different
groups of "disseminators", but all "disseminators" of fake news on one side, and
all recipients of fake news on the other.
Hacking, be it digital or "analogue",
is a weapon of recipients' defense; therefore all hackers, be they digital
or "analogue" ones, are a "Fifth Column" to all of the fake
news "disseminators". And, of course, "disseminators" is the term
borrowed from management theory. The Fake News War is about management of
facts, which to hide and which to reveal in averted form.
I mean, come on... people are being fired and/or
punished for accidentally forgetting one confidential paper on the office table
overnight and not under lock. So, we
are not talking then about hacking as the warfare which started the cyberwar,
but about cyberspace as the warfare, however and for whatever it is used. Then
we may say that the cyberwar started not in the 21st century, but in the late 70s,
when the first permanent ARPANET link was established between UCLA and the
Stanford Research Institute. Besides, we call them First and Second World War,
not the gas/tanks/trenches war and plane/rockets/atomic war respectively. I'm
arguing that hacking is not the most important weapon of choice to alleged
sides in war, but the fake news which has been disseminated for ages before the
cyberspace started to exist.
The next world war may well be fought in
Cyberspace but it won’t resemble the mischief or the malicious hacks we've been
witnessing (Stuxnet gave a glimpse of the potential - the Iranian nuclear
centrifuges were driven into meltdown). It will be an altogether more
devastating attack on vulnerable civilian and military infrastructure, as
likely as not launched from a third world country without a developed economy
vulnerable to counter attack (not that the targets will be able to identify the
source of the attack).
The greatest danger is not Russia but probably
ISIL or a small rogue state - North Korea is a possibility. Imagine the damage
if the Internet is taken down, if transport, water, power and utilities cease
to function. We're sleepwalking into a potential meltdown.
I still hear lots of people talk about the
TalkTalk situation (forgive me the pleonasm...). Let's be clear about it.
Broken into by a young hacker? How bloody fortunate you all are that it was not
the Chinese, Russians, Koreans, or Americans. But perhaps they already did, and
you haven't yet found out. Would they even know? Apparently they still don't know
whose data may or may not have been compromised. The real story here appears to
be a lack of adequate security. Data that is not encrypted. A lack of layers of
protection that prevent access to anything of importance. And a level of
overall control of access that is so poor that a 15-year-old can get in.
Perhaps the word is porous. If anyone is at fault, it is not the successful hacker,
but the company that failed to apply the time and resources (including funds)
required to meet their responsibilities and obligations to those whose information
they hold in trust. Too many companies are run by non-technical posho/MBA
idiots who think the IT team are the home help, and not the people who keep the
engine room running.
There are clear issues of due diligence and
corporate responsibility which can only be solved by fines for board members
and disqualifications addressed at company members. Until then we'll have to put up with the
corporate equivalent of directors who leave customer secrets in a filing
cabinet in the street under a sign saying "It's not locked." If only TalkTalk spent 10% of what they spent on advertising on security.
All the cushy overpaid jobs are in marketing,
law etc. Engineers need more respect / pay. They do all relevant work.
Marketing people are mostly about trying to get you to choose one brand over
the other. But so much is spent on it - they lose out on quality and service in
their product. TalkTalk is a classic example. "Sponsoring" popular TV
programmes (more of our money going to overpaid talentless people:
“Portugal’s Got Talent”, and crap like that).
There is a bit of a secondary problem which
gets no attention at all: running a badly secured computer may end up making
you an unwitting collaborator in crime - Denial of Service attacks
(basically flooding a service so it no longer works) are only possible using
thousands of hacked systems, and hacked systems are often used as proxies for
the real criminal to hide behind. Strangely, the most prevalent OS still needs
the sticking plaster of anti-virus software to be anywhere near suitable for
use on the Internet. Back in the day, when I was doing this as a night job, I
remember having found a page on one website that always took a long time to
render. If I hit it with a few requests the whole of the website was
inaccessible. I could kill the site from a browser. Turned out, talking to one
of the developers I knew, that there was some badly written SQL used to render
that page that caused the database server(s) to grind to a halt. WTF?? And
don't let me start talking about the way operating systems can be got at. There
have been totally new concepts of PC software put forward by those far better
than me, which would cut down a lot of the vulnerabilities we now see, but no
one cares and they would involve a radical re-think of how we use the web. It
would involve total ownership of the Operating System by the user, it would be
impossible to alter or add to and would be a physical non writeable entity. No
agreement to terms or any of that rubbish, it would be yours only. Beyond that
there would be a 4-stage layer before you get out to where we use the web today.
Attacks would be more and more difficult as you go down through the layers and
compromise of the Op. System would be impossible. I have heard techies walking
through this set-up and agreeing that only the host of the router would be able
to trawl or snoop in a blanket way, and any suspected compromise could be
cleaned immediately. It would be better than we have today, but would curtail
lots of money making habits companies are used to currently, and involve the
users actively maintaining their Op. System a bit like looking after a fish
tank. We just don't seem to care much about the security, so any improvement is
unlikely, plus there are an awful lot of people doing very nicely out of the
way it is currently thank you. It is my firm opinion that people are not too
bothered about the Secret Services looking and watching, under some
supervision, for security reasons, but the ongoing access of all
activity to be disseminated to others on an "official" basis is the
widespread concern of most.
As the snooping could be done at all routers or
by piggy backing onto hubs, the Secret Services should be able to get whatever they
want; there should not be a problem.
I imagine key depression is what they are
wanting to monitor through the Op. System upgrade, they then pick up everything
before encryption, and get decent profiling of keying speed and the personal
idiosyncrasies of the user's hand actions, but the whole thing could be a lot
simpler and robust with most people getting largely what they want, except the
criminals (in the main).
The whole thing is in a real mess, and when the
Secret Services can't even keep the Atomic Bomb, The Watergate Project, or even
the current Mass Surveillance infrastructure secret, it does make people feel
like some new thinking is required.
The typical hacker relies on lack of defenses,
inadequate security budgets and ineptitude of middle managers (let's direct resources
at this non-problem, and leave all the SQL un-encrypted). I worked on lots of
"on-the-side" projects where these hackers were constantly trying to
break in and award themselves "the sword of dobber". Simple encryption
and authentication took care of every hacker except the military grade/Israeli.
Most of these guys knew how to run Linux as root and frequent forums that give
them most of what they know; aside from that, they succeed where the gatekeepers
leave the back door open.
On a side note, because I really hate Mr. Robot,
let me once more add fuel to the fire. As a piece of drama Mr. Robot is pretty rubbish. Its world view is naïve, adolescent, and confused. The Christian Slater
character is an immature and delusional idiot - the eternal narcissistic
adolescent clown. Please do not re-boot.