Posts tagged hacking

Mutually-Assured Destruction in Cyberspace

Public accounts of intrusions conducted or supported by state actors highlight the importance that military organizations are placing on cyber warfare. Those without access to privileged information have been debating when “real-world” warfare will find its way to the Internet, without realizing that such activities have been ongoing for at least several years.

Intrusions initiated by nation states against the companies and governments of other countries are motivated by political and economic reasons, much like the traditional form of warfare. My hypothesis is that a country looking to safeguard its own cyber interests has to engage in a systematic campaign to compromise the IT assets of its adversaries. The logical goal of such offensive operations is a state of mutually-assured destruction, in which each party to the conflict is deterred from taking advantage of the IT assets it has compromised.

Here’s why I believe this might be the case:

  1. There is presently no practical way to defend the IT infrastructure of any nation state against intrusions, be the targets commercial or government assets. If there were, we wouldn’t be experiencing so many breaches.
  2. As a result, a country needs to assume that an adversarial nation state will be able to compromise a significant number of the country’s critical IT assets. Many of these intrusions will go undetected.
  3. Therefore, the country will need to find a way to deter the adversary from taking aggressive action through the significant number of IT assets it illicitly controls.
  4. One way to accomplish this is for the country to compromise a meaningful amount of the adversary’s critical IT infrastructure, creating a situation of mutually-assured destruction.

The idea of mutually-assured destruction in cyberspace isn’t novel. It was brought up at an RSA Conference panel in February 2012. According to Threatpost’s article discussing that panel:

"Deterrence will play an important role in avoiding conflict, as it did in the Cold War with Russia. The Chinese military appreciates that both it and the U.S. have cyber offensive capabilities and defensive vulnerabilities - ‘big stones, and plate glass windows,’ said Lewis. ‘We’re back to mutually assured destruction.’"

A June 2012 article in the New York Times discusses several cyber warfare initiatives that appear to have been conducted by the U.S. and highlights some of the challenges of achieving cyber warfare dominance and reaching the state of mutually-assured destruction.

Nations with the interest, expertise and budget to conduct offensive cyber activities are probably busy hacking each other to avoid being outpaced in this process by their adversaries. They are doing this to achieve the state of mutually-assured destruction as a way of deterring each other from launching a full-scale cyber war. Just a theory.

Lenny Zeltser

Be doubly vigilant after a physical break-in. Don’t just look for what’s missing, but what might have been left behind.
Paul Ducklin, discussing the practice of some cyber-criminals of installing a keylogger after breaking into victims’ offices and stores.

The Dark Side of Remote Desktop

Organizations large and small often make use of Remote Desktop or Terminal Services to connect to Windows computers remotely, both over the Internet and internally. These tools use Microsoft’s RDP protocol to let the user operate the remote system almost as if sitting in front of it. Such capabilities are helpful not only to legitimate users, but also to attackers.

The Internet community saw a reminder of the dark side of RDP with the emergence of the “Morto” worm. According to F-Secure, a system infected with the worm scans the local network for systems listening on TCP port 3389 and, when it finds one, attempts to log in via RDP by guessing the Administrator password. The worm uses a list of 30 common passwords, which includes favorites such as “password” and “12345678”.

The emergence of this worm correlates with the increased volume of TCP port 3389 traffic reported by the SANS Internet Storm Center a few days prior to the F-Secure report.

The propagation approach employed by “Morto” is often used by penetration testers and human attackers alike: gain access to the remote host by brute-forcing the password. One free tool that can automate this process is TSGrinder. You can see TSGrinder in action in the video I attached to this post. Note that TSGrinder is relatively slow and requires that an older version of the Remote Desktop client be installed on the attacking system.

A more modern (and faster) tool for remotely brute-forcing RDP credentials is Ncrack. Ncrack is a command-line tool that also supports a variety of other protocols, including SSH, VNC and FTP. In addition to being available in source form, Ncrack can be downloaded as compiled binaries for Windows and OS X. (Update: For more on using Ncrack for RDP cracking, see Chris Gates’s post on the Carnal0wnage blog.)

Brute-forcing passwords on the internal network using tools such as TSGrinder and Ncrack is often quite effective. The approach also works over the Internet in many cases, because organizations often expose TCP port 3389 to the Internet for remote access to workstations and servers.

We can use the emergence of the “Morto” worm as a reminder to examine how Remote Desktop is exposed for remote access over the Internet. Consider requiring an authenticated VPN connection before anyone can reach the service at all. If you have to expose the service to the Internet without a VPN, don’t use the default port TCP 3389; pick a random high-numbered port instead. This keeps the service out of sight of worms like Morto that scan only the default port, though not out of sight of an attacker who port-scans the host. And, it goes without saying, use strong passwords and non-Administrator accounts. Lastly, consider configuring user accounts to lock out after a number of unsuccessful logon attempts, while recognizing the potential for a denial-of-service attack when an attacker can trigger the lockout remotely.
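As an added example (not code from the original post, from F-Secure, or from any of the tools named above), the script below runs the detection logic a defender would want for the Morto pattern over a handful of constructed Windows Security log records: it flags a source address that produces a burst of RDP logon failures, and separately reports which accounts would reach the lockout threshold, which is the denial-of-service angle mentioned above. It assumes the standard fields of Windows event 4625 (failed logon) and that logon type 10 marks an RDP session; the timestamps, addresses and account names are made up.

```python
"""Detect RDP password guessing in Windows Security log records.

Added example, not code from the original post or from any tool it names.
The records below are constructed for illustration; the fields follow
Windows event 4625 (failed logon), where logon type 10 is RemoteInteractive
(an RDP session) and type 3 (Network) is what a failed Network Level
Authentication handshake produces before a session is created.
"""
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPES = {10, 3}

# Constructed sample: (time, event id, target account, source address, logon type).
SAMPLE_EVENTS = [
    # A slow guesser probing the Administrator account over an hour (NLA failures).
    ("2011-08-29 09:00:00", 4625, "Administrator", "198.51.100.9", 3),
    ("2011-08-29 09:25:00", 4625, "Administrator", "198.51.100.9", 3),
    ("2011-08-29 09:50:00", 4625, "Administrator", "198.51.100.9", 3),
    # Morto-style burst: one host walking a short password list against Administrator.
    ("2011-08-29 10:00:00", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:04", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:08", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:12", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:16", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:20", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:24", 4625, "Administrator", "203.0.113.7", 10),
    ("2011-08-29 10:00:28", 4625, "Administrator", "203.0.113.7", 10),
    # A legitimate user mistypes a password once, then logs in successfully.
    ("2011-08-29 10:00:15", 4625, "jsmith", "192.0.2.5", 10),
    ("2011-08-29 10:00:30", 4624, "jsmith", "192.0.2.5", 10),
]


def parse_events(records):
    """Turn the raw tuples into dicts ordered by time, as a log reader would."""
    events = [
        {
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": event_id,
            "user": user,
            "src": src,
            "logon_type": logon_type,
        }
        for ts, event_id, user, src, logon_type in records
    ]
    return sorted(events, key=lambda e: e["time"])


def _rdp_failures(records):
    """Yield only failed logons that came in over RDP (or its NLA pre-auth)."""
    for e in parse_events(records):
        if e["id"] == FAILED_LOGON and e["logon_type"] in RDP_LOGON_TYPES:
            yield e


def _sliding_peaks(events, key, threshold, window_seconds):
    """Count events per `key` inside a sliding time window. Return {key: peak count}
    for every key whose in-window count reached `threshold` at some point."""
    recent = defaultdict(deque)
    peaks = {}
    for e in events:
        q = recent[e[key]]
        q.append(e["time"])
        # Drop timestamps that have aged out of the window; q[0] is never older
        # than the event just appended, so the loop always terminates.
        while (e["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[e[key]] = max(peaks.get(e[key], 0), len(q))
    return peaks


def detect_bruteforce(records, threshold=5, window_seconds=60):
    """Source addresses that produced `threshold` or more RDP logon failures inside
    the window. Morto's burst trips this; the slow guesser does not at the defaults."""
    return _sliding_peaks(_rdp_failures(records), "src", threshold, window_seconds)


def lockout_exposure(records, lockout_threshold=5, observation_seconds=1800):
    """Accounts whose failures reached the lockout threshold within the lockout
    observation window, counted across all sources. With a lockout policy in force,
    these are the accounts a remote attacker could lock out at will."""
    return _sliding_peaks(_rdp_failures(records), "user", lockout_threshold, observation_seconds)


if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_EVENTS))
    print("lockout exposure:", lockout_exposure(SAMPLE_EVENTS))
```

Lowering the threshold and widening the window (for example, three failures in an hour) is what it takes to catch the slow guesser in the sample, at the cost of more noise from users who mistype passwords. On the lockout side, keep in mind that the built-in Administrator account has historically been exempt from the account lockout policy, so lockout alone does nothing against a Morto-style guess at that account; the advice to use non-Administrator accounts is what makes the lockout setting relevant.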


Lenny Zeltser

Psychological Similarities Between Shoplifting and Malicious Hacking

I’d like to better understand what drives people to engage in malicious hacking activities on the Internet. It’s a complex topic, of course, which incorporates the dimensions of money, fame, politics and other facets of human life and psyche. One way to gain insight into the psychology of hacking might be to learn about another illegal fringe activity: shoplifting.

Commonality of Shoplifting

Shoplifting is more common than most people realize. According to When Consumer Behavior Goes Bad: An Investigation of Adolescent Shoplifting by Cox, Cox and Moschis, “as many as 60 percent of consumers have shoplifted at some time in their lives.” In fact,

"Although a few shoplifters are professional thieves, the vast majority appear to be amateurs in that their activity is sporadic, they typically have no known history of criminal activity, and they steal for their own consumption rather than for resale."

The situation seems to resemble the malicious hacking scene. Though I don’t have the data to prove it, my sense is that a fair number of people have dabbled in some form of hacking activities that would be construed as unethical or malicious.

Shoplifting as a Cinematic Crime

Some people who engage in shoplifting view it as a “cinematic crime,” as discussed in The Steal: A Cultural History of Shoplifting by Shteir. There seems to be a certain amount of mystique and coolness about shoplifting for some people. Some might even view it as a victimless crime. Some use it as a way to judge others: “I don’t trust anybody who hasn’t shoplifted,” said one former shoplifter according to Shteir.

Some shoplifters report an adrenaline rush while preparing for or carrying out a theft, and talk about the crime as a love affair. Shteir explains:

"Shoplifters enjoy stealing. The objects mean something to them, but taking them feels dirty. Shoplifting is a spasm or a seizure. The lesson they learn from the crime—yes, I can!—they might apply to other areas of life. Shoplifting gives them courage to take chances."

The book also brings up examples of shoplifters who like the feeling of superiority over the store clerk after a successful run. Even when they know they are doing something wrong, or perhaps because of it, they enjoy belonging to a seemingly exclusive club of shoplifters.

All of these aspects, the feelings of excitement, superiority and belonging, seem relevant to the emotions associated with malicious hacking activities as well.

Shoplifting Inclinations and Psychological Disorders

Studies suggest that some people who engage in compulsive shoplifting behavior might be diagnosed with psychological disorders. I don’t know enough about such conditions to say much about them, beyond quoting from Shoplifting: A Review of the Literature by Krasnovsky and Lane:

"Whether seen as simply a crime or a multifaceted disorder, shoplifting is an increasingly frequent problem in our society. For many offenders, it seems that shoplifting is just one among a group of antisocial activities engaged in, due to anger, excitement, or profit."

Similarly, different people engage in malicious hacking activities on the Internet for various reasons. What drives such individuals, what their frame of mind is, and what, if anything, can be done to modify their behavior warrants a closer look. Perhaps understanding the psychology of shoplifting can shed some light on this complex topic. What do you think?

If you found this post interesting, you might also enjoy Similarities Between Riots and Modern Internet Hacktivism.

Lenny Zeltser

Similarities Between Riots and Modern Internet Hacktivism

To what extent can understanding the dynamics of a mob in a riot shed light on the nature of modern Internet hacktivism? While riots differ in many ways from online activities of decentralized groups such as LulzSec and Anonymous, some similarities warrant consideration.

When learning about riots and mobs, I came across two excellent references. One was an essay titled The Psychology of the Wilmington Riot, which summarized key points from Arnold P. Goldstein’s book The Psychology of Group Aggression. Another insightful resource was David D. Haddock and Daniel D. Polsby’s paper Understanding Riots.

De-individuation of The Mob’s Participants

The mob, as defined in J.P. Chaplin’s book Dictionary of Psychology, is a “crowd acting under strong emotional conditions that often lead to violence or illegal acts.” Participating in illegal acts as part of a mob offers a degree of impunity, because the authorities are unlikely to have the capacity to identify and arrest a significant portion of the crowd.

The feeling of impunity is part of de-individuation, which Goldstein defines as “the process of losing one’s sense of individuality or separateness from others and becoming submerged in a group.” Such groupthink leads to uninhibited behavior and also allows the mob to behave as a unified organism, even when it has no formal leaders coordinating the crowd’s actions.

The Importance of Instigating Events

In the book The Origins of Genocide and Collective Violence Ervin Staub points out that the majority of riots can be traced to apparent precipitating events that acted as the trigger for the crowd. For instance, shocking events allow crowds to assemble without a single entity recruiting them.

Such instigating incidents act as signals to the mob, telling its participants “what other people will probably do,” according to Haddock and Polsby. As a result,

"Each member of the crowd will know more about the intentions of fellow crowd members than people usually know about the intentions of strangers."

Moreover, for the crowd to become riotous,

"There has to be a critical mass of people in the crowd who are making accurate judgments, not about their own desires and intentions, but about the riotous desires and intentions of other members of the crowd."

The mob’s challenge is to act in unison without overt leadership. This involves identifying a common signal that makes each rioter confident that if he starts rioting, he will not be acting alone. Instigating events help in assembling the crowd and also in providing the context for interpreting other signals that guide the mob’s actions.

The Role of an “Entrepreneur” in Starting a Chain Reaction

How does the assembled mob, while still in a state of anticipation and potential uncertainty, know when to begin rioting? Haddock and Polsby point out the importance of having one member of the crowd take the first riotous action. The initial perpetrator “serves as a catalyst—a sort of entrepreneur to get things going.” This person places himself at risk; if the mob doesn’t follow his lead, the authorities are likely to capture and punish him. Haddock and Polsby observe that:

"The entrepreneur will throw the first stone when he calculates that the risk that he will be apprehended for doing so has diminished to an acceptable level."

The “entrepreneur” pays attention to other signals to determine when to take action with the expectation that the mob will follow suit.

Stopping a Riot

The riot’s participants benefit from safety in numbers. Haddock and Polsby point out that rioting continues until the “authorities muster enough force to make the rioters believe that they once again face a realistic prospect of arrest.” According to Goldstein, the authorities can accomplish this through “distractions, re-individuation, dispersion, isolation” of the mob’s participants.

Authorities can eventually overwhelm rioters in numbers and force. However, assembling a sufficiently large force usually takes days. The budgetary facts of life “guarantee that modern urban police forces will always be staffed well below peak load demand levels,” note Haddock and Polsby. They suggest that a more effective approach might be to focus on the “entrepreneur’s” trigger activities which, if suppressed quickly, might prevent the chain reaction of a riot from starting at all.

Relevance to Internet Hacktivism

As we look to better understand activities and motivations of decentralized hacking groups, such as LulzSec and Anonymous, we might notice some similarities between the dynamics of their online hacking activities and those of riots:

  • These groups benefit from the relative anonymity provided by the Internet and also from the number of attacks conducted under a common banner.
  • The shared brand (e.g. “Anonymous”) that may be taken up by any participant without the approval of a central authority reinforces the groupthink frame of mind.
  • The number of hacktivism participants and the frequency of incidents seem to exceed the ability of law enforcement to curtail these activities.
  • Many of the hacking incidents and, to some extent, the groups’ origins can be traced to instigating events.
  • Some members of the groups act as informal leaders, serving as focal points for the participants and also taking the role of “entrepreneurs” by accepting greater risk to kick-start hacking activities.

To understand riots, consider the criticality of de-individuation of the mob’s participants, the importance of instigating events and the role of the “entrepreneur” in starting the chain reaction of a riot. There are parallels to the dynamics of modern Internet hacktivism. Further exploring how rioting mobs operate and what can be done to disperse a riot may have relevance to curtailing Internet hacktivism on a large scale, rather than solely dealing with incidents and their perpetrators on an individual basis.

If you found this post interesting, you might also enjoy Psychological Similarities Between Shoplifting and Malicious Hacking.

Lenny Zeltser

Photo credit: looking4poetry

10 Step Guide to Hacking Logs

Hacking logs can be a stress-relieving experience for many, strengthening both the body and spirit. Here is my 10-step guide to log hacking:

  1. Put on safety gear, such as goggles and boots to protect your eyes and feet.
  2. Examine the log you’re planning to hack to confirm it has no embedded metal, such as nails.
  3. Place the log upright on the flat surface of the chopping base.
  4. Plant your feet firmly on the ground in an athletic stance, with one foot slightly in front of the other.
  5. Use both hands to hold your axe.
  6. Touch with the axe the spot of the log where you plan to strike the wood.
  7. Steadily raise the axe over your head, gradually sliding one of your hands slightly towards the head of the axe.
  8. With a swift motion, bring down the axe, striking the spot you aimed to hit.
  9. The head of the axe may become embedded in the wood, partially splitting the log. In that case, tap the axe, with the log still attached, against the chopping base to slowly split the wood.
  10. Stack the hacked pieces of wood to the side to avoid cluttering the area near the chopping base.

For additional log hacking advice, see:

Just kidding. What do I know about log hacking?

Lenny Zeltser