Cyber Attacks in the World
There are several kinds of cyber attacks that can affect our cyberspace. This blog explores 20+ Cyber Attacks in the World from 1999 to 2019, and also explains some basic mechanisms to overcome these cyber attacks.
The importance of establishing rules of engagement to guide any nation in responding to a cyber attack by another nation-state can be demonstrated by a number of recent cyber attacks:
2003 Titan Rain Targets U.S.:
Highly skilled hackers allegedly working out of the Chinese province of Guangdong access systems and steal sensitive but unclassified records from numerous U.S. military bases, defense contractors, and aerospace companies.
2007 Cyber Attacks Hit Estonian Websites:
DDoS attacks cripple websites for the Estonian government, news media, and banks. The attacks were presumably carried out by Russian-affiliated actors, following a dispute between the two countries over Estonia’s removal of a Soviet-era war memorial in Tallinn.
2008 Cyber Strike Precedes Invasion of Georgia:
Denial-of-service attacks of unconfirmed origin take down Georgian government servers and hamper the country’s ability to communicate with its citizens and other countries when Russian military forces invade.
2010 Stuxnet Undermines Iran’s Nuclear Program:
The Stuxnet worm is planted in Iranian computer networks, eventually finding its way to and disrupting industrial control equipment used in the country’s controversial uranium enrichment program. The United States and Israel are believed to be behind the attack.
2011 RSA Breach Jeopardizes U.S. Defense Contractors:
Hackers steal data about security tokens from RSA and use it to gain access to at least two U.S. defense contractors that use the security vendor’s products.
On the basis of numerous reports, the Pentagon believes that Unit 61398 of China’s People’s Liberation Army (PLA) has accessed data from over 40 DoD weapons programs and 30 other defense technologies. In addition, the intellectual property of numerous American corporations has also been exfiltrated.
The Pentagon also has been hacked by Russia with malicious viruses that have penetrated our nation’s defense systems. The Pentagon likewise notes Iran’s attack on and destruction of more than 30,000 computers at Saudi Arabia’s state-owned oil company Saudi Aramco. Iran has also been credited with attacks on J.P. Morgan Chase and Bank of America.
Documents leaked by Edward Snowden suggested that the cyber offensive operations of the United States resulted in 231 operations in 2011 against
It is worth noting Thomas Rid’s observation that most cyber operations viewed as offensive actually amount to intelligence collection activities and are not designed to sabotage critical infrastructure. However, with advances in both cyber weapons and technology, this may be a situation that varies from nation to nation.
Another aspect of cyber weapons and cyber attacks that causes great concern was U.S. Secretary of State John Kerry’s comment that cyber attacks today are the 21st-century equivalent of nuclear weapons. Even more alarming is that those wishing to attack the United States can be inside our network in minutes, if not seconds.
As a result of these concerns, Presidential Policy Number 20 established principles and processes for the use of cyber operations, including the offensive use of computer attacks.
Presidential authorization is required for those cyber operations outside of a war zone, and even self-defense of our nation involving cyber operations outside of military networks requires presidential authorization.
Portions of Presidential Policy 20 remain classified and address issues such as the preemptive and covert use of cyber capabilities.
We must also realize that Article 51 of the United Nations Charter authorizes self-defense in response to an armed attack, but to date this has not included cyber attacks, cyber weapons, or cyber offensive operations. These are all clearly events that will force clarification and consensus in formulating the policies, rules, and laws to govern cyber operations.
Nation-State Cyber Conflicts
One of the major difficulties in determining the course of cyber attacks is finding proof of the actual perpetrator and the location from where the attack was launched.
Since computer attacks involve massive numbers of botnets, which can be configured into a DDoS attack, it is not unusual for botnets to be directed to the attack target from nations throughout the world. The Bot Master’s servers controlling the botnets can be located in nations throughout the five continents.
Further, IP addresses can be spoofed to make it appear that an attack is coming from one site when in reality it is being routed through other attack servers. Another difficulty centers on determining the source of the attack: was it a governmental or military operation? Was it a criminal operation? Was it a group of hacktivists?
Was it youthful hackers? Was it an intelligence espionage operation? Was it a number of groups working under the direction of a government purchasing the services of any of these groups or additional contractors selling their services to anyone who would purchase their skill sets?
The importance of the identification of the true attackers is only one part of the equation, as it is also imperative to identify the actual source sponsoring the attack.
Since we now are living in an era where cyber attacks can easily be elevated to cyber warfare, we must not only know whom to defend against but also not respond with a counter cyber attack to a source or nation-state that had no role or responsibility in the original attack.
An example is the 1998 “Solar Sunrise” attack, in which the networks of the U.S. DoD were penetrated; it was initially thought to be an attack by Russia, when in fact it turned out to be the work of two teenagers from California.
Upon investigation, Russia and the Moscow Science Academy were accused of involvement. However, what is the range of appropriate responses open to the United States?
Activities such as those occurring in 2000 are substantially different from the range of activities occurring in 2014, and the measures of redress today can be more severe than in previous years. Today, actions such as these could conceivably be defined as acts of war and open a range of counter-attacks.
Cyber War I—2007 Estonia Cyber Attacks
Many observers now point to the 2007 Estonia Russian Conflict as the first real cyberwar, due to the massive DDoS attack on Estonia, which lasted for an extended period of time.
The reason for many claiming this event as the first cyberwar centered on the actual engagement of the North Atlantic Treaty Organization (NATO) in establishing a Cyber Defense Center by 2008 in Tallinn, Estonia.
Another reason for calling this the first cyberwar centered on the fact that this was the largest DDoS attack ever seen, with over a million computers targeting all aspects of Estonia’s financial, commercial, and communications sectors nationwide.
In short, Estonian citizens were not able to use their credit cards, do their banking, or receive news and communicate with their officials through normal communication channels.
Further, most DDoS attacks last no more than a few days, but this attack lasted several weeks and forced Estonia to view this as an act of war, and as a member state of NATO, they requested the North Atlantic Council of the NATO Military Alliance to come to their aid.
NATO’s establishment of a Cyber Defense Center in Tallinn was the first time NATO took this action, and cybersecurity experts traced cyber activity back to machines that Estonia claimed were under the control of Russia. However, Russia denied any activity and stated their sites were spoofed.
China—PLA Colonel’s Transformational Report
China has made a significant transformational change in its military as a result of three major factors.
First, access to advanced U.S. weapons systems designs provides an immediate operational advantage to China. Second, it accelerates China’s ability to use our designs to develop their military systems on our dollar and saves them billions of dollars of investment.
Third, by understanding our weapons systems designs, China’s military will be in a position to penetrate our systems and put our personnel at risk.
At the same time, our nation’s defense contractors’ inadequate computer security reveals an appalling inability to secure their systems, costing our nation an incredible amount of money and, more importantly, placing the lives of our military personnel at risk.
TOR, the Silk Road, and the Dark Net
The release of information at both a sensitive and classified level by Bradley Manning to the WikiLeaks organization resulted in many individuals’ safety and lives being placed in danger.
Bradley Manning was convicted of furnishing classified information to WikiLeaks. However, WikiLeaks claimed status as a news agency and stated that its purpose in publishing this information was only to inform the public, and it has sought protection under the First Amendment to the U.S. Constitution.
Another example is John Young’s Cryptome, which, in the past 15 years, has published the names of 2619 CIA sources, 276 British Intelligence Agents, and 600 Japanese Intelligence Agents and has also published on his Cryptome website numerous databases of aerial photography including detailed maps of former Vice President Richard Cheney’s secret bunker in March of 2005.
The function of Cryptome, WikiLeaks, Black Net, and several others of a similar nature is to publish and make available material they receive from others. They maintain that this serves the general public and sustains democracy and freedom, by publishing material they judge important for the public to be aware of and fully informed about.
TOR, or “the onion router,” is considered an almost unbreakable secure anonymity program that permits users to hide their IP address and to enjoy an incredible amount of secrecy. The Defense Advanced Research Projects Agency and the U.S. Naval Research Laboratory were responsible for the creation of TOR.
The irony is that, instead of solely allowing the government to function in secrecy, TOR eventually became the “machine that would ultimately hemorrhage the government's secrets,” as Bradley Manning used TOR to provide WikiLeaks with a vast number of data files and e-mail transmissions.
In fact, Julian Assange relied on TOR as the core tool for protecting the anonymity of the sensitive sources who submitted material to WikiLeaks.
TOR personifies the intelligence paradox, since, on the one hand, both the intelligence community and the military used TOR to collect military strategy, secrets, and information and could do so without the awareness or knowledge of their adversaries.
Conversely, TOR can also be used by adversaries, pornographers, child exploiters, or foreign intelligence agencies against the U.S. government’s agencies.
The onion router or TOR has a “Hidden Service,” and if a website activates this feature, it can mask its location and permit users to find it in cyberspace without anyone being able to locate where the site is physically hosted.
To access a TOR Hidden Service, the user has to run TOR, and both the user’s physical location, as well as the site, will be masked or hidden. Andy Greenberg reports the following regarding TOR:
TOR is used by child pornographers and black hat hackers. Seconds after installing the program, a user can untraceably access sites like Silk Road, an online bazaar for hard drugs and weapons, or one of several sites that claim to offer untraceable contract killings, but TOR is also used by the FBI to infiltrate those lawbreakers’ ranks without being detected.
TOR’s use of three layers of encryption is the feature that provides its remarkable security and anonymity, and it is obvious that any group or individual who uses TOR can take advantage of its masking capabilities, whether in the way intelligence agencies do or in the way those wishing to expose secrets and intelligence operations do.
The third group ranges from criminals to child exploiters to nation-states seeking to weaken the U.S.
TOR not only allows users to surf the Web anonymously, but it is also the portal to the Deep Web and to numerous sites such as Silk Road, WHMX, and many more dark sites.
These sites have provided access to users who are interested in acquiring drugs such as heroin, LSD, ecstasy, cocaine, and crystal meth; counterfeit currency; fake identities; and United Kingdom passports.
In fact, their research by November 2013 suggested that TOR is downloaded 30 to 50 million times a year, with 800,000 daily TOR users, in which it is possible to access 6500 hidden websites.
TOR’s privacy for all its users enables both illegal activities as well as permits privacy for law enforcement, intelligence, and military communication.
Rules of Engagement and Cyber Weapons
Another critical aspect of formulating a strategy of cyberwar centers on the creation of formal rules of engagement. A framework to standardize all cyber-related structures and relationships within not only the respective military services but also other federal agencies must be in place.
After the framework is in place and cyber weapons have passed all military tests for inclusion in the DoD weapons inventory, the rules of engagement must be developed with the assistance of appropriate military legal officers, the U.S. State Department, and of course, the White House and Executive Branch of government.
Even upon the approval of rules of engagement for the use of cyber weapons, James Lewis of the Center for Strategic and International Studies has provided insight into the range of dilemmas that cyber weapons create, for example: Who authorizes use? What uses are authorized and at what level?
Is it a Combatant Commander, U.S. Cyber Command Commander in Chief, or down the rank structure? The President? What sort of action against the United States justifies engagement and use of a cyber weapon?
In addition, cyber warfare may not be able to embrace the established norms for armed conflict. The well-established principles of proportionality and not targeting civilian populations are clearly present in those conflicts with traditional physical arms and most military weapons.
However, the creation and application of cyber weapons make it extremely difficult both to design and to apply cyber weapons consistently with these traditional rules of engagement.
Nevertheless, the Stuxnet worm that impacted the Iranian Nuclear program in 2010, which is believed to have damaged 1000 gas centrifuges at the Natanz Uranium Enrichment facility, was created to attack only specific targets and in effect minimized any civilian damage.
So this was an example of a sophisticated cyber weapon within the boundaries of rules of engagement.
The difficult challenge is how to demonstrate cyberwar capabilities. If one hacks into an adversary’s system, he or she will recognize your cyber weapon’s capabilities, but typically, this attack can be used only once, as the enemy will re-engineer the attack mechanism.
Also, the ability to penetrate an enemy’s system does not prove the capacity for breaking the system or inducing a system to fail and keep on failing. The difference between the penetration of a system and actually causing system failure may be interpreted differently by the adversary’s leaders.
It is possible that one may have a deterrence effect, while the latter may actually permit the adversary to improve their system or to provoke them into a counterattack mode.
On the other hand, demonstrating a cyber-attack capability can accomplish three objectives: (1) declare the possession of a cyber attack weapon;
(2) suggest the intent to use the cyber weapon in the event of the adversary’s continuing animosity, belligerence, and other special circumstances; and (3) indicate the profound consequences that the cyber attack weapon will induce on the enemy.
Perhaps the Stuxnet worm that was directed to Iran’s Natanz Uranium Enrichment Facility was an example of brandishing a cyber weapon to cause Iran to stop its program from developing a nuclear weapon capability. Clearly, the virus was targeted to focus on industrial control system architecture capabilities.
To this degree, the brandishing of Stuxnet as a cyber attack weapon clearly indicated possession of such capability. Second, the targeting of Iran’s nuclear enrichment facility also demonstrated intent to use such cyber weapons to encourage Iran’s leadership to reassess their nuclear weapons program.
Finally, the Stuxnet worm also demonstrated the profound consequences that a similar or different cyber weapon might induce.
New Drone Wars
The advantage of using drones, not only for the collection of intelligence but also for the weapon systems mounted on them, is that they remove pilots and ground forces from the risk of being captured or killed, and accordingly.
In a democracy such as ours, which places a high value on civil liberties and privacy, it is inevitable for tension to begin over intelligence practices and military strategies and operations.
After the 9/11 attacks and the review of our intelligence agencies, many expressions of failure were voiced by citizens as well as governmental leaders.
Most recently, Edward Snowden’s release of the NSA’s programs has also raised serious questions as to the nature, role, and propriety of intelligence operations and programs.
INTERNATIONAL CYBER SECURITY
We close this blog by taking a look at cybersecurity on a global scale. Know who’s already doing that? Every government on Earth and each has been at it for a very long time. Nation-states consider “cyber” to be a key area of operations. It’s where they communicate, spy, command, and control—and sometimes, where they attack.
Cyberspying against the United States became so problematic by 2011 that the military changed its policy on cyber attacks to “equivalency”— essentially, online attacks are now viewed just like physical ones. An unnamed military source told the Wall Street Journal that “If you shut down our power grid, maybe we will put a missile down one of your smokestacks.”
It was a clear warning to Chinese and Russian hackers, the latter of whom had recently used cyber attacks to turn off the lights in Estonia, and then again in Georgia, as precursors to invasion.
Nations have a number of ways to rattle their cyber sabers. At the low end of aggression is intellectual-property theft and piracy. At the high end is the notion of crashing another nation’s infrastructure or hacking its military. And what about non-nation-states doing such things? Could a teenage hacker really start a world war?
Intellectual property, or IP, is how businesses turn ideas into money—maybe a new fabrication process or the ingredients that make up their secret sauce. Here are key things companies keep in their IP portfolios.
Business Processes: A closely guarded list of materials used to make products.
The term covers everything from art and music to apps and code. Theft of IP isn’t super glamorous, so most cases, even multibillion-dollar ones, don’t make the news outside of the business pages.
The U.S. government recently estimated that cyber theft of intellectual property costs the economy $300 billion USD a year. If you find yourself wondering why cyber espionage is so prevalent, it’s simple: It is substantially cheaper and faster to steal stuff than it is to build it from scratch.
THE COST OF CYBER THEFT
The thing about IP is that it frequently forms the core of a company’s identity. A stolen computer can be replaced, stolen money can be recouped. A cyber breach of this kind is more like identity theft on a grand scale, and the real and intangible costs can be staggering.
VISIBLE COSTS OF IP THEFT
Need to Notify Customers
Monitoring Customer Security Post-Breach
Regulatory Compliance Issues
PR to Combat Negative Publicity
Upgrade Cyber Security & Training
Lawyers’ Fees, Other Legal Costs
HIDDEN COSTS OF IP THEFT
High Insurance Premiums
Lower Credit Rating
Lost Productivity & Low Morale
Loss of Potential Future Business
Reputation and Value of Brand Suffer
R&D Time and Investment Wasted
SECURITY BASICS: BORDER SECURITY
A relatively new concern in 2017 was searches of electronic devices by U.S. Customs and Border Protection. The law allows these searches, but they are still rare—in 2016, there were 390 million crossings and 24,000 searches.
Still, if you don’t want Uncle Sam plowing through your hard drive, power down devices fully before crossing borders (cold boot security is often stronger than when merely suspended or locked) and minimize the amount and sensitivity of data and equipment you transport across borders.
Be aware that citizens cannot be denied entry but can be detained briefly for questioning. Under no circumstances should you lie to CBP officials. If they request or demand a password, it is your right to refuse to comply, but equipment can still be detained for weeks or months. If this happens, you should consider legal assistance. —Ryan Lackey, Founder, Reset Security
ZERO-DAY
Security researchers seek out vulnerabilities in code. When they find one, they have several courses of action. If they work for a government spy agency or a criminal gang, they may choose to create code that can exploit the vulnerability they have found; this weaponized code, created before the vulnerability is disclosed to anyone else, is called a “zero-day.”
The name comes from the amount of time, in days, from when the vulnerability becomes known until the maker of the software can fix the problem. On day zero (which is actually the first day, since computers always count starting from zero), the weapon is active.
The ethics of selling zero-days is debatable. Companies that sell them to governments argue that, so long as the transaction is legal, the ethics are beside the point. Critics say that governments can use zero-days to attack and monitor dissidents. It’s a tough call.
In March of 2007, researchers at Idaho National Laboratory sent a test cyberattack to breakers that protected a 2.25-megawatt diesel-powered generator. Within a minute, the generator, weighing tons, literally jumped in the air, began to smoke, and was destroyed.
Official video of this attack—considered the first public demonstration of a successful cyber attack on critical infrastructure—was leaked to CNN.
The “Aurora Vulnerability,” as it was called, was shocking for its simplicity, and cybersecurity experts began pointing out that America’s supervisory control and data acquisition (SCADA) networks and industrial control system (ICS) networks are aged, fragile, overwhelmingly small, and privately owned—so this problem is not something that the U.S. government can simply order fixed.
Ultimately, if a local power department decides not to invest $3,000 USD in patch management, that’s a private business decision that the government can’t overrule, absent clear threat and a court order.
The media became fascinated by attacks on SCADA and ICS, seeing every shutdown as a potential hack. Several attacks on critical infrastructure have happened, and each has been denied vocally by some.
In 2009, widespread power outages in Brazil were reportedly caused by hackers; experts reported that it was soot, not hackers. Senior U.S. officials countered “nuh-uh,” and it’s never been settled.
Russian Aggressions
No such uncertainty exists when it comes to Russian tactics: the Russian government mounted cyber attacks in the form of website takedowns, DNS attacks, and ultimately the complete blackout of Georgian internet traffic, which served as a precursor to the invasion in 2008.
This tactic has become a standard by Russia, which rather openly cyber-attacked the Ukrainian power grid in 2016, shutting down more than fifty power substations.
No matter the time of year, criminals, activists, and others are busy with cyber attacks and other operations.
What’s at Risk?
The scary news is that the SCADA systems in control of the nation’s power are no worse off than the systems that protect water, sewage, or other critical infrastructure, such as oil and gas.
The good news is that, over the past few years, the federal government, along with the North American Electric Reliability Corporation and other groups, has been focusing intensely on SCADA and ICS issues.
The problems are not yet solved, but we are marginally more aware than we were a few years ago. That said, attacks have indeed been weaponized, and more things are connected to the internet than ever before (even though they shouldn’t be), so it all may be a wash.
GOOD TO KNOW
According to a 2016 report, the continued use of unencrypted pagers opens organizations to malicious hacks and espionage. In the report, researchers from security firm Trend Micro collected more than fifty-four million pages during a four-month span using low-cost hardware.
In some cases, the messages alerted recipients to unsafe conditions affecting mission-critical infrastructure as they were detected. According to the report, “These unencrypted pager messages are a valuable source of passive intelligence, the gathering of information that is unintentionally leaked by networked or connected organizations….
Taken together, threat actors can do heavy reconnaissance on targets by making sense of the acquired information through paging messages.
Though we are not well versed with the terms and information used in some of the sectors in our research, we were able to determine what the pages mean, including how attackers would make use of them in an elaborate targeted attack or how industry competitors would take advantage of such information.”
Your mobile device’s signal and data could be intercepted mid-transmission, and you might never know it.
Mobile Privacy Today
During the past handful of years, the privacy community has begun to seriously question how good law enforcement really is at intercepting cellular signals and harvesting mobile phone data. The equipment for doing this sort of thing has been available to federal agencies and to some larger law enforcement agencies for several years by now.
Technical advances have brought the costs down, while increased reliance on smartphones by individuals has increased the bang for the buck these products can provide, so more agencies are using them.
IMSI stands for “international mobile subscriber identity,” that is, the unique identification number assigned to each mobile subscriber, which allows a cellular network to distinguish one user from another. An IMSI-catcher works as a man-in-the-middle platform for eavesdropping on phones on the GSM (global system for mobile communications) network.
Essentially, IMSI-catchers are portable base stations that can simulate a powerful cellular phone signal tower so that your phone, which always seeks out the most powerful signal within range, associates itself with it.
Once that happens, the IMSI-catcher will intercept your signal before passing it on to a real tower (so that your call still does go through), but it captures everything that both sides say all the while—and you probably won’t even notice.
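The following is an added example, not part of the original post, written from the defender’s side: it runs the indicators a phone could notice when a rogue base station of the kind described above appears, over a constructed cell-observation log. The indicators checked are a cell ID absent from a trusted baseline, a cipher downgrade to the null GSM cipher A5/0, a technology downgrade from LTE to GSM, and a sudden signal jump on a newly attached cell. The log format, the baseline cells and the thresholds are assumptions; a real handset only exposes this data through baseband diagnostics or a dedicated monitoring app.

```python
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample log (not from a real modem): one serving-cell observation
# per line, as a hypothetical baseband diagnostic tool might record every 30 s.
# t = seconds, rssi = dBm, cipher = air-interface cipher negotiated with that cell.
SAMPLE_LOG = """\
t=0   mcc=310 mnc=260 lac=4120 cid=70211 rssi=-88 tech=LTE cipher=EEA2
t=30  mcc=310 mnc=260 lac=4120 cid=70211 rssi=-86 tech=LTE cipher=EEA2
t=60  mcc=310 mnc=260 lac=4120 cid=70214 rssi=-90 tech=LTE cipher=EEA2
t=90  mcc=310 mnc=260 lac=9901 cid=1     rssi=-45 tech=GSM cipher=A5/0
t=120 mcc=310 mnc=260 lac=9901 cid=1     rssi=-44 tech=GSM cipher=A5/0
t=150 mcc=310 mnc=260 lac=4120 cid=70211 rssi=-87 tech=LTE cipher=EEA2
"""

Cell = Tuple[str, str, int, int]  # (mcc, mnc, lac, cid)

# Constructed baseline: cells seen at this location over a trusted period.
KNOWN_CELLS: Set[Cell] = {
    ("310", "260", 4120, 70211),
    ("310", "260", 4120, 70214),
}

TECH_RANK = {"GSM": 1, "UMTS": 2, "LTE": 3}
# Null or broken ciphers; a rogue base station commonly forces one so it can read traffic.
WEAK_CIPHERS = {"A5/0", "A5/1", "A5/2", "UEA0", "EEA0"}

LINE_RE = re.compile(
    r"t=(\d+)\s+mcc=(\d+)\s+mnc=(\d+)\s+lac=(\d+)\s+cid=(\d+)\s+"
    r"rssi=(-?\d+)\s+tech=(\w+)\s+cipher=(\S+)"
)


@dataclass(frozen=True)
class Observation:
    t: int
    mcc: str
    mnc: str
    lac: int
    cid: int
    rssi_dbm: int
    tech: str
    cipher: str

    @property
    def cell(self) -> Cell:
        return (self.mcc, self.mnc, self.lac, self.cid)


@dataclass(frozen=True)
class Finding:
    t: int
    indicator: str
    detail: str


def parse_log(text: str) -> List[Observation]:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    observations = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, mcc, mnc, lac, cid, rssi, tech, cipher = m.groups()
        observations.append(
            Observation(int(t), mcc, mnc, int(lac), int(cid), int(rssi), tech, cipher)
        )
    return observations


def analyze(observations: List[Observation], known_cells: Set[Cell],
            rssi_jump_db: int = 25) -> List[Finding]:
    """Emit one Finding per indicator per observation, in log order."""
    findings: List[Finding] = []
    prev = None
    for obs in observations:
        if obs.cell not in known_cells:
            findings.append(Finding(obs.t, "unknown-cell", f"{obs.cell} not in baseline"))
        if obs.cipher in WEAK_CIPHERS:
            findings.append(Finding(obs.t, "weak-or-no-cipher", f"cipher {obs.cipher}"))
        # Downgrade and signal-jump checks only make sense when the phone moved cells.
        if prev is not None and obs.cell != prev.cell:
            if TECH_RANK.get(obs.tech, 0) < TECH_RANK.get(prev.tech, 0):
                findings.append(Finding(obs.t, "tech-downgrade", f"{prev.tech} -> {obs.tech}"))
            if obs.rssi_dbm - prev.rssi_dbm >= rssi_jump_db:
                findings.append(Finding(obs.t, "signal-jump",
                                        f"{prev.rssi_dbm} -> {obs.rssi_dbm} dBm on cell change"))
        prev = obs
    return findings


def distinct_indicators(findings: List[Finding]) -> List[str]:
    return sorted({f.indicator for f in findings})


def suspicious(findings: List[Finding], threshold: int = 2) -> bool:
    """Any single indicator has benign explanations (a new tower, a GSM-only rural
    area); flag only when several independent indicators coincide."""
    return len(distinct_indicators(findings)) >= threshold


if __name__ == "__main__":
    found = analyze(parse_log(SAMPLE_LOG), KNOWN_CELLS)
    for f in found:
        print(f"t={f.t:>4}s  {f.indicator:<18} {f.detail}")
    print("suspicious:", suspicious(found))
```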
Spying on the Airwaves
Think IMSI-catchers are the only thing you need to worry about if you want to avoid being eavesdropped on? Unfortunately, that’s far from the case.
The emergence of 4G LTE (long-term evolution) networking addressed some of these privacy issues, but in 2015 researchers released information about kits that cost about $1,200 USD and allow anyone with a laptop, a universal software radio peripheral (USRP), and the proper software to intercept and locate 4G LTE traffic.
As these tools to interact with increasingly smarter phones become less expensive and more commonly available, and as we rely more on our mobile devices for everything, we can expect even more attacks on cellular phones and mobile networks using this vector.
A number of apps out there let you create a new, anonymous, and theoretically untraceable phone number that you can use from your mobile.
These are helpful even if you’re not engaging in international espionage. They’re great for talking to potential dates, selling things on Craigslist, or in a dangerous situation where someone like an abusive spouse or parent is monitoring your calls. Here are some popular options:
Burner: One of the best and easiest-to-use apps, but it only works in the United States and Canada.
Hushed: Works in forty countries over VoIP, so it will cut into your data plan if you use your cellular internet connection.
CoverMe: This app has numbers that appear to originate from the United States, Canada, the UK, China, and Mexico.
Typically, the IB Cyber Unit focuses on detection and investigation of radicalization and various threats as they pertain to New York City.
In a nutshell, the team focuses on the enormous pile of people saying stuff that sounds radical, separating out people who are just spouting off or exercising free speech from those truly thinking about radicalization, then investigating and separating the curious from those with true intent.
U.S. Congress approved measures to roll back privacy laws, allowing ISPs to access and sell data about their consumers’ browsing histories to advertisers and other third parties.
This means that there will be more general access to the specifics of every darn page that you visit (yep, even those ones) than ever before. Because of this, using your own domain name server and anonymizing traffic is very important.
In the last five years, many of the cyber-attack tools that were once used exclusively by nation-states have become easier to obtain, meaning that they can now also be used by criminal gangs and—at least in theory—terror groups as well.
But buying a great piano really cheap doesn’t mean you can suddenly play Chopin. The money and training that go into a cyber operation is the true barrier to entry.
During the 2016 election, hacking by Russia caused tremendous disruption in the United States. We now know that during the six- to nine-month gestation period after the Russians gained entry to the network of the Democratic National Committee, but before they began to release email publicly, their activities consisted mainly of lateral movement within the network.
During that time, the attackers engaged in rather routine but essential activities of a long-term network reconnaissance operation, including data classification and location. The hackers were answering the questions: What does the DNC have? Where do they keep it? How do they use it? How do they access it?
Basically, they were learning the answer to “What does ‘normal’ look like in this organization?” All this showed one important difference between a nation-state attack and those mounted by terror groups: tradecraft.
Art and Craft
Tradecraft is the techniques, methods, and tools that together form the art of spying, and it’s not something that comes easily. It takes years of experience, lots of money, and great leadership and training.
Mostly, when we look at terror groups, we see them spending what money and leadership and training resources they have not on tradecraft but on material and logistics for attack: moving men, guns, and bombs across distances; getting them training; smuggling them across borders; and mounting attacks.
Hackers Are Everywhere
The barriers to terrorists being able to launch a cyber attack are getting lower. When we look at the troubles that groups like Anonymous and LulzSec have caused law enforcement and other government groups, the disruption was significant.
Their success was based on a commonly agreed-upon mission, decentralized command and control, and the availability of free, easy-to-use, and easy-to-learn hacking and attack tools.
This sounds like the basis of a classic terrorist attack, and it can be used by groups such as ISIS once the cyberweaponry they would need has been simplified to the point that it’s easily adopted by groups with minimal resources. It just takes a small group of radicalized, computer-literate believers to tip these scales.
Protecting your data when you travel is fairly easy. Stopping a global cyber war—not so much. Still, there are always ways to be prepared.
Protect your IP online and when traveling.
Encrypt all products and IP-related communications.
Use purpose-built devices for cross-border travel.
Maintain minimal mobile mail settings (no one needs more than thirty days of email on their phone at this point).
Minimize data sets provided to business partners.
Audit partners’ security as you would your own.
Prepare for an infrastructure attack.
Get off the electric grid with solar power.
Prepare to have an interruption in your water supply.
Use different strong passwords for every login (website, desktop programs, phone apps).
Use a password vault program.
Password-protect and disable remote management on your modem, router, and any other Internet-connected devices using unique passwords.
Password-protect home Wi-Fi and encrypt with WPA-2 PSK at a minimum—never WEP.
Never share your login information with anyone.
Don’t click on suspicious links or download unexpected files.
If anything you’re offered online seems too good to be true, it is.
Never give private information out over email or text. Always call the bank, utility, or service that’s ostensibly asking for your information.
If you lose your wallet, report missing cards immediately. Carry the minimum set of cards, and never your Social Security card.
Set all social media privacy settings as high (private) as possible.
Monitor kids’ social media usage, and talk to them about online sharing and safety.
Use a minimum of 8-digit screen lock codes (not fingerprint or face recognition) on all mobile devices.
Encrypt your phone.
Always use two-factor authentication (2FA) when possible.
Don’t get your children Social Security cards if possible.
Check your credit report regularly; do so for all family members including kids.
File a police report after fraud of any amount.
Only use CHIP-and-signature cards (or CHIP+PIN where available).
Only use the internet in incognito mode.
Never use public Wi-Fi without a VPN or SSH tunnel.
Restrict and lock down your home network, starting with DNS.
Install GPS tracking apps on kids’ phones.
Limit location services and Wi-Fi use on your phone.
Ensure the minimum metadata is saved with all photos.
Only use credit cards that offer fraud and identity protection.
Maintain minimal mobile mail settings.
TINFOIL HAT BRIGADE
Eschew electronic communication wherever possible.
File your taxes the old-fashioned way: on paper.
Don’t use banking apps on your phone.
Don’t shop online except through guest accounts and one-time credit cards.
Don’t shop at stores with older, swipe-only (non-Chip) POS terminals.
Post online only under anonymous usernames; change them frequently.
Lock down all social media accounts to private; ensure your children have done the same.
Cover all computer webcams and microphones with electrical tape; remove cameras and microphones from mobile devices if you can.
Use spyware to track all of your children’s online activity.
Use a private LAN for kids’ computers, IoT devices, and TVs, and aggressively blacklist sites at the router.
Use encrypted DNS.
Regularly reflash your phone to factory settings.
Prepare for an infrastructure attack with off-the-grid self-sufficiency measures.
Political upheaval and cyber activism will combine in a storm of new defections by government employees and contractors releasing more code and program and strategy depictions.
Foundationally insecure municipal, county, and state systems, as well as critical infrastructure, will be betrayed by attempts to provide app-based access-convenience to an IT fabric incapable of supporting it.
The disruption of transportation industries on Earth and in space, along with new autonomous and energy technologies, will create opportunities while providing more data than ever conceived about how we live, travel, and interact.
It still seems cheaper to build fast, get to market, and fix the bugs later. Several generations of medical technology—especially implantables—out there now were built that way, and vendors have shown they won’t fix problems unless forced to.
Until manufacturers truly adopt the idea that it’s cheaper and better to fix security during development, the speed of innovation will result in unsound and dangerous products.
Bad security exposed not just credit cards, but the deepest secrets of the most powerful people and countries on Earth. All that stands between us and better cybersecurity is customers refusing to accept insecure code or apps. Vote with your money. Support secure applications.
Get used to hacks and security breaches because they aren’t going away. The silver lining to these corporate freakouts? Security will improve and software will get better for everyone. Hackers will adapt and new breaches will happen on all-new technologies (especially watch IoT).
They can be taught to interface with their wearable technology, interacting with humans in a variety of environments. It might not be long before your dog can really engage you in the conversation!
For example, global cyberwar is a big problem today, but like all seemingly impossible situations, we’ll solve it. We’re living in the best and most exciting times, even if the natural byproduct of our innovations is a series of new problems.
BLOWING A WHISTLE
A “whistleblower” and a “leaker” are actually two separate types of individuals.
A leaker, meanwhile, can be considered someone who, whether out of carelessness or a desire to seek fame, avoids or ignores the standard channels followed by a whistleblower and instead disseminates the information in a less-conscientious fashion, without making much effort to do so discreetly or with regard to the repercussions.
JULIAN ASSANGE AND WIKILEAKS
Australian-born journalist and publisher Julian Assange is the co-creator and director of WikiLeaks, which publishes leaked sensitive documents.
WikiLeaks has existed since 2006 but came into prominence as a result of the documents leaked by Chelsea Manning. By 2015, WikiLeaks had published more than ten million of what Assange describes as “the world’s most persecuted documents.”
As with other key players, Assange has been called a hero, a traitor, and an opportunist. In 2010, Assange visited Sweden, where he became the subject of sexual assault allegations.
He was allowed to leave, but later Sweden asked for him to be extradited. He has spent the last several years living in the Ecuadorian embassy in London. In 2017, WikiLeaks published a trove of CIA hacking documents said to be the largest ever.
One key difference between a Daniel Ellsberg, an Edward Snowden, and a Julian Assange is that Snowden and the like are individual actors, whereas Assange’s WikiLeaks is a clearinghouse—a brokerage of information if you will. And thus, their methods, their motives, and their reception by media and security experts vary.
Snowden’s Motivation
Snowden acted as an individual operator, and his claims as to why he did what he did are quite divisive. One side sees a freedom fighter: a man truly dedicated to the idea that his government had run amok, conducting mass surveillance of literally every adult in the United States and Europe through extensive monitoring of a wide range of technologies.
Your personal beliefs about Snowden probably depend a lot on what you do for a living, whether you’ve served in the military and your general political stance. And the “truth” probably lies in the middle.
From what we have seen, there appear to have been some terrible abuses in the U.S. system of checks and balances, especially when it comes to the Foreign Intelligence Surveillance Act of 1978 and its court.
Many of the programs were described to the world by journalists who admittedly knew nothing of intelligence, surveillance, or even encryption before Snowden quite literally dropped the materials into their hands.
Assange and the Profit Motive
Where Snowden might claim to be inspired by Ellsberg, Assange sought to influence and provoke leaks by people like Chelsea Manning.
In that sense, Assange’s WikiLeaks behaves in a manner that is similar to an intelligence service: Assange and his associates act as officers, who seek agents in various positions of authority in governmental office to provide them with intelligence.
The agents may turn over the intelligence for a range of reasons that they believe justify their actions, which may be anything from misplaced patriotism to revenge to idealism (WikiLeaks is not known to pay for leaks).
INTELLIGENCE AND DATA COLLECTION
For all the glamour that spy movies give it, intelligence is simply data that has been collected and then analyzed for a purpose. If you hide your lingerie in the top drawer of your dresser, and your child says that he’s seen your sexy lingerie, you can conclude that your child has been in the top drawer of your dresser.
There’s certain intelligence in both WikiLeaks and in the stolen Snowden documents from which a foreign intelligence service can deduce or otherwise conclude our sources and methods. By giving adversaries insight into these, Snowden allowed them to close pathways of information collection.
Technical Issues
Data theft detection technology, which the industry refers to as data loss prevention (DLP), is fairly complex, but it’s still very rudimentary in terms of intelligence. DLP is best at strings of defined lengths—credit card, Social Security, and account numbers are the easiest to detect. But even within those, we have tremendous variation.
Now do it with words. How do you compare all these variants in real time, as someone is trying to send an email and you are trying to scan it and determine whether it contains something sensitive before it goes out the door?
Well, the trick is to buffer everything, truncate and stem all the words and phrases, remove all the extraneous characters, then hash everything, then compare hashes. It’s faster. This can be done in an amazingly small amount of time. But it’s still nowhere near foolproof; what if the file is encrypted?
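The pipeline the last paragraph sketches (normalize, stem, hash, compare hashes) together with the fixed-length-string case from the Technical Issues paragraph, as an added Python example that is not part of the original post. The memo text, the three outbound e-mails, the shingle size, the match threshold and the crude suffix-stripping stemmer are all constructed for the demonstration; a production DLP engine would use a real stemmer and thresholds tuned to its own traffic.

```python
"""Toy DLP matcher: fingerprint a sensitive document, then scan outbound text.

Added example, not from the original post. Implements the approach the text
sketches: normalize the text (lowercase, strip punctuation, crude stemming),
cut it into word shingles, hash every shingle, and compare hash sets. Also
handles the "defined-length string" case with a Luhn-checked card-number
detector that tolerates spaces and dashes. All inputs below are constructed.
"""
import hashlib
import re

SHINGLE_SIZE = 5      # words per shingle (assumption chosen for this example)
MATCH_THRESHOLD = 3   # matching shingles before a message is held (assumption)

_SUFFIXES = ("ing", "ed", "es", "s")


def stem(word: str) -> str:
    """Crude suffix stripping so 'acquired' and 'acquiring' collide."""
    for suffix in _SUFFIXES:
        if word.endswith(suffix) and len(word) > len(suffix) + 2:
            return word[: -len(suffix)]
    return word


def normalize(text: str) -> list[str]:
    """Lowercase, drop everything but letters and digits, stem each token."""
    return [stem(tok) for tok in re.findall(r"[a-z0-9]+", text.lower())]


def fingerprint(text: str) -> set[str]:
    """Hash every SHINGLE_SIZE-word window; the set is all the scanner keeps."""
    words = normalize(text)
    hashes = set()
    for i in range(len(words) - SHINGLE_SIZE + 1):
        shingle = " ".join(words[i:i + SHINGLE_SIZE])
        hashes.add(hashlib.sha256(shingle.encode()).hexdigest()[:16])
    return hashes


def shingle_matches(outbound: str, sensitive: set[str]) -> int:
    """How many shingles of the outbound text also occur in the sensitive set."""
    return len(fingerprint(outbound) & sensitive)


# 13 to 19 digits, each optionally followed by a single space or dash.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Card-like digit runs that also pass Luhn; weeds out order numbers."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def scan_outbound(text: str, sensitive: set[str]) -> dict:
    """Decision for one outbound message: hold it or let it go."""
    matches = shingle_matches(text, sensitive)
    cards = find_card_numbers(text)
    return {"shingle_matches": matches, "card_numbers": cards,
            "blocked": matches >= MATCH_THRESHOLD or bool(cards)}


# Constructed sensitive document and three constructed outbound e-mails.
SENSITIVE_MEMO = ("Project Falcon acquisition memo: the board approved acquiring "
                  "Northwind Robotics for forty million dollars, closing in the "
                  "third quarter, pending regulatory review.")
LEAK_EMAIL = ("Hey, fyi the board approved acquiring Northwind Robotics for "
              "forty million dollars closing in Q3, keep quiet.")
BENIGN_EMAIL = "The board meets Thursday; lunch is forty dollars per head, please RSVP."
CARD_EMAIL = "Card on file: 4111 1111 1111 1111, order 1234 5678 9012 3456."

if __name__ == "__main__":
    fp = fingerprint(SENSITIVE_MEMO)
    for label, mail in (("leak", LEAK_EMAIL), ("benign", BENIGN_EMAIL), ("card", CARD_EMAIL)):
        print(label, scan_outbound(mail, fp))
```

The leak e-mail is paraphrased and re-punctuated yet still shares eight shingles with the memo, while the benign one shares none; the order number in the third message has a card-like shape but fails Luhn, so only the real test number is reported. If the outbound content is encrypted, neither check can fire, which is exactly the gap the paragraph ends on.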
The Enemy Within
What if, as we’ve just discussed, the data thief is your system administrator?
The fact is, catching data thieves is very hard unless you’ve classified your data very well in advance, limited access to it, removed the removable-media options, and limited the ways to get data off your network. For most companies, that’s not commercially feasible.
Bottom line? Data classification is very difficult. Businesses should pay close attention to how they classify and provide access to important data, and how people can get access to it. And data theft is incredibly hard to stop.
There are a few prime directives you have to follow in business: Buy low and sell high, always make payroll, and don’t make a mess where you expect to eat. In other words, if you’re selling merchandise on Facebook or eBay, use a dedicated computer for those transactions, and use it for nothing else.
No matter how small your business, safeguarding it is critical. You might ask, “Who would ever target me?” The answer is “criminals.” They can attack you with great ease and efficiency; for them, an attack is, as our forward-looking leaders used to say of nuclear power, too cheap to meter.
There is actually a search engine on the internet that does nothing but map the machines that are sitting there connected to the internet—it’s called Shodan, and it is just one way that your internet-connected refrigerator is in fact known to hackers and vulnerable to attack. Protect yourself.
While most online small-business owners take at least some precautions against cyber attacks, many are still dangerously exposed. Here are some estimates of what risks they’re taking.
But business firewalls do some things that home firewalls don’t do—or at least do them better: opening ports for virtual private networks, examining packets, and providing services that are above the needs of home users.
Let Business Be Business
Keeping your work separate from other affairs is about maintaining an atmosphere of professionalism and safety. Do not let your kids or nonbusiness users or traffic on your business network at all.
If you get to the point of a phone call, consider a burner app (available on mobile phones) or a burner phone. Be slow to hand over your number, and agree to meet in public first.
Again: Your gut should be in the driver’s seat. Make sure someone knows where you are going and with whom you plan to meet—leave a bread-crumb trail in case something bad happens. Consider meeting at a sanctioned online transaction zone set up by local police departments for in-person transactions.
In fact, you should probably just keep your business traffic out of all other networks, and keep all other traffic out of a business-based network.
The best way to do this is through a virtual private network (VPN), which is essentially an encrypted tunnel through which your business traffic is shunted back inside your business firewall and then out onto the internet at large.
Classify your data into two categories: public and private. Make sure to keep those records separate!
Treat employees well. This is always a good idea, but particularly relevant if potentially disgruntled workers have access to classified information.
Encrypt your private data whenever you email it and wherever you store it. And be incredibly careful about who has the keys.
Destroy all data you don’t need, regularly.
Use DLP software to detect data leaving your business.
Go beyond the basics and classify documents and emails to understand when sensitive information may be leaving your network, and then speak with or take punitive action against employees who break your policies.
Effective defensive operations begin with an understanding of the value of the information system and the databases within the total information system. What is the value placed on the system both by the attacker and the potential target?
This implies that the operational use of the system has definite value in a number of ways, from financial measures to a range of criticality factors.
The sensitivity of the data and how the users of the system gain access to the system are important to understand and protect. So the process of protecting computer-based information systems implies that a rather sophisticated threat modeling process will be required in which the network is mapped and the physical and logical layout of the network is fully documented.
Once the network is fully mapped, the range of possible attacks can be simulated so that infection vectors might be identified.
The possible computer attacks can be assessed on a threat level based on severity and both the impact and cost of the targeted system. Based on this threat modeling and assessment, it is feasible to select appropriate defensive operational solutions.
The range of defensive security solutions available for targeted offensive cyberattacks varies depending on the cyber attack motifs and objectives.
Defensive solutions have to be available not only for a range of attacks but also for those times before an infection by a cyber attack and during the attack. After a cyber attack, remediation and recovery measures have to be in place.
It is incumbent on all defensive operations to have an Incident Response Plan that permits the detection of a cyber attack threat. This, of course, implies detecting anomalies or unusual patterns of behavior that do not conform to or significantly deviate from the established baseline of computer activity.
Detecting network anomalies implies log analysis so that, ultimately, it is possible to isolate the source of the anomaly. Computer forensics can assist in determining the timeline of an attack and should answer what occurred and when it happened by the following:
When the infection vector reached the target
When the malware was installed
When the malware first reached out to the attacker
When the malware first attempted to spread
When the malware first executed its directive
When the malware destroyed itself, if this was the type of malware designed to do so
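The anomaly-to-timeline flow the preceding paragraphs and list describe, as an added Python example that is not part of the original post: a per-host baseline of what “normal” looks like, an alert on every event that deviates from it, and the six “when” questions answered from the same logs. The key=value log format, the host and process names, the 203.0.113.57 address and the baseline are constructed sample data.

```python
"""Baseline-deviation alerting and attack-timeline reconstruction.

Added example, not from the original post. The key=value log format, the
host and process names, the 203.0.113.57 address (documentation range) and
the baseline are all constructed for this demonstration. ISO-8601 timestamps
in UTC sort lexicographically, so the strings are used directly for ordering.
"""

# Constructed baseline: processes and destinations seen on ws-17 during the
# weeks before the incident. Anything outside it is an anomaly.
BASELINE = {
    "ws-17": {
        "procs": {"outlook.exe", "winword.exe", "chrome.exe", "explorer.exe"},
        "dests": {"mail.example-corp.internal", "fileshare.example-corp.internal"},
    },
}

# Constructed host/network log: timestamp followed by key=value pairs.
LOG_LINES = [
    "2019-03-04T09:12:01Z host=ws-17 event=attachment_opened proc=outlook.exe file=invoice_0319.doc",
    "2019-03-04T09:12:09Z host=ws-17 event=process_start proc=winword.exe parent=outlook.exe",
    "2019-03-04T09:12:14Z host=ws-17 event=file_write proc=winword.exe file=C:\\Users\\Public\\svchost32.exe",
    "2019-03-04T09:12:15Z host=ws-17 event=persistence proc=svchost32.exe key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "2019-03-04T09:13:40Z host=ws-17 event=net_connect proc=svchost32.exe dest=203.0.113.57 port=443",
    "2019-03-04T09:20:02Z host=ws-17 event=net_connect proc=chrome.exe dest=fileshare.example-corp.internal port=445",
    "2019-03-04T10:05:11Z host=ws-17 event=smb_connect proc=svchost32.exe dest=ws-22 port=445",
    "2019-03-04T10:30:00Z host=ws-17 event=file_encrypt proc=svchost32.exe count=2140",
    "2019-03-04T10:31:12Z host=ws-17 event=file_delete proc=svchost32.exe file=C:\\Users\\Public\\svchost32.exe",
]

# The forensic questions from the text, each tied to the event type that answers it.
QUESTIONS = [
    ("infection vector reached target", "attachment_opened"),
    ("malware installed", "persistence"),
    ("malware first reached out to attacker", "net_connect"),
    ("malware first attempted to spread", "smb_connect"),
    ("malware first executed its directive", "file_encrypt"),
    ("malware destroyed itself", "file_delete"),
]


def parse_line(line: str) -> dict:
    """Timestamp first, then key=value pairs; values carry no spaces."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def load_events(lines) -> list[dict]:
    """Parse and order by timestamp; logs from several sensors rarely arrive sorted."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])


def detect_anomalies(events, baseline) -> list[dict]:
    """Alert on any process or destination the host's baseline never recorded."""
    flagged = []
    for ev in events:
        base = baseline.get(ev["host"])
        if base is None:  # a host with no baseline: treat everything as unusual
            flagged.append(ev)
        elif ev.get("proc") not in base["procs"]:
            flagged.append(ev)
        elif "dest" in ev and ev["dest"] not in base["dests"]:
            flagged.append(ev)
    return flagged


def build_timeline(events, anomalies) -> dict:
    """Answer the six 'when' questions for the process behind the first alert."""
    if not anomalies:
        return {}
    first = anomalies[0]
    host, malware = first["host"], first["proc"]
    timeline = {}
    # Delivery: the last attachment opened on that host before the first alert.
    delivered = [e for e in events if e["host"] == host
                 and e.get("event") == "attachment_opened" and e["ts"] <= first["ts"]]
    if delivered:
        timeline[QUESTIONS[0][0]] = delivered[-1]["ts"]
    for question, kind in QUESTIONS[1:]:
        for e in events:
            if e["host"] != host or e.get("proc") != malware or e.get("event") != kind:
                continue
            # Self-deletion only counts when the malware removes its own binary.
            if kind == "file_delete" and not e.get("file", "").endswith(malware):
                continue
            timeline[question] = e["ts"]
            break
    return timeline


if __name__ == "__main__":
    evs = load_events(LOG_LINES)
    alerts = detect_anomalies(evs, BASELINE)
    print(f"{len(alerts)} anomalous events, first at {alerts[0]['ts']}")
    for question, when in build_timeline(evs, alerts).items():
        print(f"{when}  {question}")
```

The attachment being opened is itself routine and never alerts; the baseline only starts firing at the persistence entry of the unknown process, which is why the timeline has to look backwards from the first alert to find the infection vector. The chrome.exe connection to the file share sits inside the baseline and stays quiet, so the five alerts all belong to one process.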
Threat mitigation is an important part of cyber defensive operations as it focuses on minimizing the impact of the threat on the targeted information system. When an alert for a possible threat has been raised, the first step for an incident responder is to isolate those computer systems from the network.
Containment has to occur quite rapidly to avoid a network-wide infection. Network and host anomaly detection systems will provide the alert for the Incident Response Team to contain those computers vulnerable to the cyber attack.
Once the containment has been accomplished, the compromised systems are then subject to verification and integration processes.
Once containment is complete and it has been verified that a cyber attack did indeed occur, the threat has to be identified and classified so that the malware may be removed and the compromised systems can be remediated and restored. This classification will also assist in establishing preventive measures.
Defensive operations also have to prepare for attacks by insiders, as not all attacks are from the outside. The recent removal of volumes of classified national security data by Edward Snowden from the National Security Agency (NSA) is an excellent example of a threat from insiders.
The insider threat is one of the most difficult threats to detect and prevent since an insider threat is from someone who already has access to the organization’s network. Further, there is an assumption of the individual as being a trusted colleague and employee. The following are points that serve as a starting basis in mitigating an insider threat:
A full background investigation of each employee
A policy for enforcement against employees who pose an insider threat
Employees restricted to least-privilege access
Detailed auditing of user sessions
Anomaly detection tuned to detect an insider threat
Elimination of shared credentials
Network access control to limit devices
Effective employee supervision
Data leakage policies
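Four of the list items above (least-privilege access, detailed session auditing, anomaly detection tuned to insiders, and elimination of shared credentials) as an added Python example that is not part of the original post. Users, roles, shares, the per-user baseline volumes and every access-log line are constructed; the 10-minute window, the 3x-baseline factor and the 07:00 to 20:00 business hours are assumptions a real deployment would tune to its own population.

```python
"""Insider-threat indicators over a constructed access log.

Added example, not from the original post. Users, roles, shares, the
baseline volumes and every log line below are constructed; the thresholds
(10-minute window, 3x baseline, 07:00-20:00 business hours) are assumptions
a real deployment would tune to its own population.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Least-privilege policy: which shares each role may read.
ROLE_ACCESS = {
    "engineering": {"src-repo", "build-artifacts"},
    "finance": {"ledger", "payroll"},
    "sysadmin": {"src-repo", "build-artifacts", "ledger", "payroll", "hr-records"},
}
USER_ROLE = {"alice": "engineering", "bob": "finance",
             "carol": "engineering", "svc-backup": "sysadmin"}
# Per-user baseline of daily read volume in MB, learned from prior weeks (constructed).
BASELINE_MB = {"alice": 120, "bob": 40, "carol": 90, "svc-backup": 5000}
# Accounts whose nightly schedule legitimately puts them outside business hours.
OFF_HOURS_EXEMPT = frozenset({"svc-backup"})

# Constructed access log: timestamp user source_ip resource action size_mb
ACCESS_LOG = [
    "2019-05-06T09:02:11Z alice 10.1.4.22 src-repo read 35",
    "2019-05-06T09:05:40Z bob 10.1.7.15 ledger read 12",
    "2019-05-06T09:06:02Z alice 10.1.9.80 src-repo read 20",      # alice's credential, second machine
    "2019-05-06T11:30:00Z carol 10.1.4.31 build-artifacts read 60",
    "2019-05-06T22:41:13Z carol 10.1.4.31 hr-records read 410",   # outside role, off hours, bulk
    "2019-05-06T23:10:55Z carol 10.1.4.31 src-repo read 380",
    "2019-05-07T02:00:00Z svc-backup 10.1.2.2 payroll read 900",   # routine nightly backup
]


def parse(line: str) -> dict:
    ts, user, ip, resource, action, size = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "resource": resource, "action": action, "mb": int(size)}


def load(lines) -> list[dict]:
    return sorted((parse(line) for line in lines), key=lambda e: e["ts"])


def shared_credential_use(events, window=timedelta(minutes=10)) -> list[tuple]:
    """One account active from two source addresses within the window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):  # events are already time-ordered
            if prev["ip"] != cur["ip"] and cur["ts"] - prev["ts"] <= window:
                hits.append((user, prev["ip"], cur["ip"]))
    return hits


def privilege_violations(events) -> list[tuple]:
    """Reads of shares the user's role is not entitled to."""
    return [(e["user"], e["resource"]) for e in events
            if e["resource"] not in ROLE_ACCESS[USER_ROLE[e["user"]]]]


def bulk_download(events, factor=3) -> list[tuple]:
    """Daily read volume far above the user's own baseline."""
    per_day = defaultdict(int)
    for e in events:
        if e["action"] == "read":
            per_day[(e["user"], e["ts"].date())] += e["mb"]
    return [(user, day.isoformat(), mb) for (user, day), mb in per_day.items()
            if mb > factor * BASELINE_MB[user]]


def off_hours_access(events, start=7, end=20) -> list[tuple]:
    """Activity outside business hours from accounts that have no reason for it."""
    return [(e["user"], e["ts"].strftime("%H:%M")) for e in events
            if e["user"] not in OFF_HOURS_EXEMPT and not start <= e["ts"].hour < end]


def insider_indicators(events) -> dict:
    """Roll every indicator up per user so a reviewer sees who needs a look."""
    flags = defaultdict(set)
    for user, *_ in shared_credential_use(events):
        flags[user].add("shared_credentials")
    for user, _ in privilege_violations(events):
        flags[user].add("outside_role")
    for user, *_ in bulk_download(events):
        flags[user].add("bulk_download")
    for user, _ in off_hours_access(events):
        flags[user].add("off_hours")
    return {user: sorted(f) for user, f in flags.items()}


if __name__ == "__main__":
    for user, indicators in insider_indicators(load(ACCESS_LOG)).items():
        print(user, indicators)
```

No single indicator is conclusive on its own: alice's two addresses may be a laptop and a desktop, and the backup account runs at night by design, which is why it is exempted rather than the hour check loosened for everyone. The value is in the roll-up, where one user collects three independent indicators in one evening.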
Cyber Battle Space
Cyber battle space is the information space of focus during wartime, and it consists of everything in both the physical environment as well as the cyberspace environment.
Each side seeks to maximize its own knowledge of battle space while preventing its adversary from access to the information space. Battlespace will be defined by both offensive and defensive operations conducted by the militaries of the future.
As technologies experience scientific enrichment, nations will apply these discoveries for both offensive and defensive purposes. Some nations will be guided by collateral damage potential and may well place limitations on the development of cyber weapons, while other nations will ignore the potential hazards of collateral damage to civilian populations.
As Ed Skoudis has so accurately reported, there are literally thousands of computer and network attack tools available, as well as tens of thousands of different exploit techniques.
Even more alarming, there are hundreds of methods available that permit attackers to conceal their presence on a machine by modifying the operating system and using rootkit tools.
Also noteworthy is the fact that once an adversary has gained access to your computer system, the process of manipulation will begin so that they will remain undiscovered by hiding their tracks.
In Advanced Persistent Threat (APT) attacks, we know that adversaries will create tunnels and encrypt the data they are interested in exfiltrating from the target’s databases.
The methodology used by cyber-warriors to attack or gain access to a computer system varies from network mapping to port-scanning, but in its simplest terms, the adversary will focus on using reconnaissance in which they will study the selected target. This will include the use of Whois database searching for domain names and Internet protocol (IP) address assignments.
In addition, if the target has a website, a search of the website and useful information will be further researched for intelligence gathering purposes.
Social media sites will also be analyzed, looking for additional contact information on friends, family, and associates. Sites such as Facebook and LinkedIn are examples of sites with a great deal of information on targeted individuals.
There exist numerous ways for an attacker to gain access to computer systems by employing operating system attacks, including buffer overflow exploits, password attacks, web application attacks, and Structured Query Language (SQL) injection attacks.
Cyber attackers can also gain access through network attacks that use sniffing tools, IP address spoofing, session hijacking, and Netcat-style tools.
Once access is gained by cyber attackers, they will use rootkits and kernel-mode rootkits to maintain their access. Their next step will be to hide their presence on the target’s computer system by altering event logs or creating hidden files and hiding evidence on network covert channels and tunneling operations.
Of course, there are also a number of classified cyber weapons that have been created by various militaries. The United States focuses on evaluating our cyber weapons for collateral damage assessment and evaluation before approval for inclusion in our nation’s inventory of weapon systems.