It’s Friday, 12 June 2015, and time for our weekly shoot-the-shit. Last week, we explored the NSA and Metadata. We concluded by forming the opinion that bulk metadata collection does not constitute a privacy threat and that restricting NSA activity jeopardizes the agency’s ability to map possible terror cells and to be proactive in the fight against GWOT.
This week, we want to shed some light on hacking, some of its drivers and where it comes from. Other than for background purposes, we will exclude malicious acts by a lone individual at a college campus or someone’s warped sense of humor or desire for intrigue.
As I was growing up, a “hacker” was someone who could take the heat, someone who would hang in the face of adversity to achieve his or her goal or their team’s goal. It wasn’t until about 1980-1982 that the word hacker took on a scent of disdain. However, hacking “officially” began 10 years earlier, circa 1971, when John Draper discovered that a toy whistle produced an exact 2600 Hz tone that would open a telephone line to place a long distance call. In 1975 the Homebrew Computer Club of California built the infamous “blue box” that allowed its designers to hack the telephone network. Those designers are today household names: Steve Wozniak and Steve Jobs, who went on to found Apple Computer in Cupertino, California. Other incidents, most of which were hacks on the national telephone network, increased in number through 1987. The objective? To defeat the toll network so that unbillable phone calls could be made, or malicious attempts at disrupting call routing. It was not until 1987-1988 that “Brain”, the first known MS-DOS computer virus, was released.
Hacking took on a more serious face in 1989 when five West German computer users were arrested on espionage charges after an administrator at UC Berkeley detected and tracked their intrusions into U.S. government and university computer systems. The hackers were charged with selling information and software to the KGB. All three were convicted and sentenced to prison terms, but none of the hackers ever spent any time behind bars. In 1995, Russian hacker Vladimir Levin was arrested in the U.K. after using his laptop to break into Citibank’s computer network and transfer funds to various accounts around the world. The exact amount of money stolen by Levin remains unknown; estimates range between $3.7 and $10 million.
The catalyst for nearly all of these hacks is financial gain or intelligence gathering. I use intelligence as a catch-all term for gaining technical detail or operational information. All of these attacks had one characteristic in common: they were all frontal assaults on enterprise mainframe computers or networks.
Industry responded by strengthening router software, closing numerous ports and installing dedicated computers to run firewalls. Firewall software is installed on routers and/or dedicated computers whose function is to deny access to network computers and other resources. Rarely did you see a direct attack on an individual’s desktop computer. That too would rapidly change, and the overwhelming majority of hacking today is accomplished through the installation of malware on desktop computers, laptops and network-connected smart devices. Individuals receive e-mail messages, quite often from someone they think they know, containing a link that directs them to a site that installs malware on the victim’s machine. File attachments are also commonly used to plant malware on a user’s device. Once the malware is installed, hackers are able to collect keystrokes, login IDs and passwords.
Hacking and hacking attempts have increased exponentially. Targets are government agencies, healthcare organizations, military services, critical infrastructure, financial institutions, mobile network providers and even retail businesses. The objectives remain the same: collecting technical detail and collecting intelligence. I’d like to run you through this simple example…
Hackers attack Gmail servers and, over a period of several hours or days, download several hundred thousand e-mail addresses; to make things even simpler, let’s say that no e-mail messages are compromised. Each and every e-mail address collected is a target for malware implantation. Making matters worse, many individuals use personal computers to access work-related resources, so malware not only collects their login information but replicates itself inside the firewall. The malware can then spread through a network where it infects several users who may have access to sensitive data. This is a very simple scenario, but it happens each and every day, and the real scope of hacks is grossly understated because the victim organizations would prefer to keep the event out of the news for a variety of reasons, including avoiding financial liability.
What are the hacking accelerants?
- Outsourcing the manufacture of network resources like routers and gateways.
- Outsourcing the manufacture of smart devices and computer resources. Regardless of what anyone tells you, it is possible to introduce microcode that will open a port that is otherwise closed. Luckily there are ways to test for that, but do manufacturers test each and every device that rolls off the production line? No!
- We outsource testing. Software manufacturers and system integrators are quick to point out that ONLY testing is done offshore. You don’t need a computer science degree to deduce that testing provides visibility into weaknesses and how to exploit them.
- We outsource software development, and folks like IBM and Microsoft have large offshore development operations.
- Lastly, technology departments at universities are 60%-80% foreign students, especially at the graduate level. These individuals do not undergo background checks, so it’s virtually impossible to filter out potential problems, especially at the graduate levels. The late 1970s and early 1980s saw a veritable cornucopia of “industrial” espionage in California’s Silicon Valley, many cases resulting from intern graduate students. However, foreign student tuition payments represent a huge percentage of a university’s revenue stream.
So what can be done to mitigate the risks?
Most of it is harsh, but tough problems require tough actions. Here are some of our suggestions.
- Develop and implement a National Cyber Strategy – Congressional action is required.
- Prohibit business computational resources from being used for personal use.
- Outlaw the use of personal computational resources, including smart devices, on business networks. Make it a firing offense!
- Prosecute, prosecute, prosecute.
- Require background checks of foreign students in technical fields at the graduate levels (computer science, electrical engineering, software engineering, physics, bio-technologies, etc.).
- Recognize that state-sponsored hacking exists and is an active part of a foreign government’s military and industrial complex.
- Consumer awareness. One possible solution is an interactive training session that plays on initial power-up of any new computer purchase.
As with all shoot-the-shit sessions, you can say whatever you like without supporting your statements with facts; profanity is permissible in expressing yourself, even if you’re a boatswain’s mate; and, last but not least, you can change the subject altogether.
Have a Great Weekend Readers!
