
Future Crimes


by Marc Goodman


  The virtualization and storage of all of these data are highly complex and raise a wide array of security, public policy, and legal issues. First, where exactly is this magical cloud storing my data? Most users have no idea when they check their status on Facebook or upload a photograph to Pinterest where in the real world this information is actually being stored. That we do not even stop to pose the question is a testament to the great convenience, and opacity, of the system. Yet from a corporate governance and personal risk perspective, whether your data are stored on a computer server in America, Russia, China, or Iceland makes a difference.

  The corporate and individual perimeters that used to protect our information internally are disappearing, and the beginning and end of our computer networks are becoming far less well defined. It’s making it much harder to see what data are coming and going from a company, and the task is nearly impossible on the personal front. The transition to the cloud is a game changer for security because it completely redefines where data are stored, moved, and accessed, creating sweeping new opportunities for criminal hackers. Moreover, the nonlocal storage of our data raises important questions about our deep dependence on cloud-based information systems. When these services go down or become unavailable via DDoS attack, or you lose your Internet connection, your data become unavailable, and you are out of business.

  As Mat Honan discovered, entrusting highly prized personal information, such as photographs of one’s child and years of e-mail, to cloud service providers comes with particular risks. All the major cloud service providers have already been remotely targeted by criminal attacks, including Dropbox, Google, and Microsoft, and we can surely expect more in the future. Indeed, several years after Honan was attacked and published an entreaty to “kill the password” for its near-total inefficacy, thousands upon thousands of individuals and businesses continue to have their cloud-based accounts compromised and their data stolen, including a number of high-profile Hollywood actresses. In late 2014, hundreds of photographs—many of them of a deeply private nature and containing nudity—were stolen from celebrities such as Jennifer Lawrence and Kate Upton when hackers successfully subverted the user names, passwords, and security questions protecting their Apple iCloud accounts. Although it may be your cloud service provider that is targeted in the attack, you’re the victim, and the data taken are yours. Of course the rights reserved in the ToS mean that companies bear little or no liability for when data breaches occur. These attacks threaten intellectual property, customer data, and even sensitive government information.

  In 2008, the top secret design specs for the president’s Marine One helicopter were found freely available online, hosted on a peer-to-peer (P2P) network in Iran. These P2P networks allow for easy decentralized file sharing and are most often associated with the distribution of pirated films and music on the digital underground. How did the top secret plans and capabilities of one of the most technologically advanced helicopters in the world end up in the hands of the Iranians? Simple. A military contractor in Bethesda, Maryland, working on the Marine One project decided he wanted to listen to free music on his work laptop. When he downloaded the popular P2P sharing software, he accidentally and unknowingly installed the program in the wrong directory on his computer, so that the folder the client offered to the rest of the network contained far more than music. As a result, the plans and defensive security features of the military helicopter that shuttles the president from the White House to Air Force One leaked to P2P music-sharing networks around the world, including those in Iran. For the want of free music, a billion-dollar military project was compromised, and the blueprints for the president’s Sikorsky VH-3D helicopter ended up on a peer-to-peer network in Iran, hosted next to the pirated songs of both Michael Jackson and Shadmehr Aghili, the undisputed king of Persian pop. The former military contractor, interrogated by both the FBI and the Department of Defense, admitted his error, but by then the damage had been done. Our global interconnections and never-ending storage of more and more data mean leaks are inevitable. What data might you or your company be leaking to the cloud?
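The Marine One leak came down to a share folder that contained more than its owner thought. The script below is an added example, not part of the book, of the check a practitioner would run before (or after) pointing any file-sharing, sync or P2P client at a directory: walk the shared tree, flag document and key file types that have no business in a media share, look for classification markings or private-key headers in the first few kilobytes of everything else, and report links that resolve to files outside the share. The directory layout, file names, extension lists and marker strings are all constructed for the example.

```python
"""Audit a folder exposed by a P2P, sync or sharing client for files that
should never be offered to the network. Added example, not from the book;
every file name, extension list and marker string here is constructed."""
import os
import re
import tempfile
from pathlib import Path

# What a music-sharing client would be expected to serve, versus file types
# that should never sit under a shared directory (constructed lists).
EXPECTED_MEDIA = {".mp3", ".m4a", ".flac", ".ogg", ".mp4", ".mkv", ".avi"}
RISKY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".dwg", ".pst",
                    ".key", ".pem", ".p12", ".kdbx", ".sql", ".bak"}
# Classification markings and secret-looking strings searched for in the
# head of every other file (constructed, case-insensitive).
SENSITIVE_MARKERS = re.compile(
    rb"(TOP SECRET|SECRET//|CONFIDENTIAL|PROPRIETARY|NOFORN|"
    rb"BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY|password\s*[:=])",
    re.IGNORECASE,
)
HEAD_BYTES = 4096


def audit_share(share_root):
    """Walk share_root and return a sorted list of (relative_path, reason)
    for every file that should not be exposed. Symlinks are followed so a
    link that escapes the share is reported rather than silently served."""
    root = Path(share_root).resolve()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=True):
        for name in filenames:
            path = Path(dirpath) / name
            rel = str(path.relative_to(root))
            real = path.resolve()
            if not str(real).startswith(str(root) + os.sep):
                findings.append((rel, f"link escapes share to {real}"))
                continue
            ext = path.suffix.lower()
            if ext in RISKY_EXTENSIONS:
                findings.append((rel, f"risky file type {ext}"))
                continue
            if ext in EXPECTED_MEDIA:
                continue  # the kind of file the share was meant for
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError as exc:
                findings.append((rel, f"unreadable: {exc}"))
                continue
            match = SENSITIVE_MARKERS.search(head)
            if match:
                marker = match.group(0).decode(errors="replace")
                findings.append((rel, f"marker {marker!r} in file head"))
    return sorted(findings)


def build_sample_share():
    """Create a throwaway share folder with constructed sample files: one
    track the user meant to share, plus things that should never have been
    under the shared directory. Returns the folder path."""
    root = Path(tempfile.mkdtemp(prefix="p2p_share_"))
    (root / "music").mkdir()
    (root / "music" / "track01.mp3").write_bytes(b"ID3" + bytes(64))
    (root / "notes.txt").write_text("grocery list: milk, eggs\n")
    (root / "designs").mkdir()
    (root / "designs" / "rotor_spec.pdf").write_bytes(b"%PDF-1.4 placeholder\n")
    (root / "readme.txt").write_text("TOP SECRET//NOFORN - do not distribute\n")
    (root / "id_rsa").write_text("-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n")
    # A link pointing outside the share: the client would happily serve it.
    outside = Path(tempfile.mkdtemp(prefix="home_")) / "taxes.xlsx"
    outside.write_bytes(b"")
    try:
        (root / "link_to_taxes").symlink_to(outside)
    except (OSError, NotImplementedError):
        pass  # platform without symlink support; one fewer case to report
    return root


if __name__ == "__main__":
    for rel_path, reason in audit_share(build_sample_share()):
        print(f"{rel_path}: {reason}")
```

The extension lists and markers are deliberately conservative starting points; the point is that the audit runs against the directory the client actually serves, resolved to real paths, rather than against the directory the user believes is shared.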

  Big Data, Big Brother

  Interestingly, governments are not only victims of data leaks but the cause of many as well. Information is the driving force of all intelligence operations, and governments of all sizes are targeting big data with a vengeance. It is not only the Chinese who are hacking the world; so too are the Americans, Brits, Russians, Australians, Canadians, Syrians, Israelis, Egyptians, Iranians, and even Ethiopians. In fact, there are more than a hundred countries with active, offensive computer-hacking programs, though perhaps none quite as extensive as that of the U.S. government and the National Security Agency. Every single day, the NSA is reported to intercept and stockpile more than 1.7 billion e-mails, phone calls, and SMS messages, compiling a database of nearly 20 trillion data transactions just since 9/11. The agency catalogs who calls whom, who e-mails and texts whom, and who wires money to whom.

  Given the exponential growth in its big-data holdings, however, the electronic espionage agency is running out of storage space. In response, the government is in the process of building a new massive operations facility deep in the Utah desert that will allow the NSA to cache and process 100,000 times more data than what is currently held by the Library of Congress. But that is just the beginning …

  The revelations of Edward Snowden have documented the extensive number of data streams pursued by the NSA, including the ever-growing mounds of social and locational details we all generate. Though the complete list of Snowden’s disclosures is too long to outline here, a review of the highlights released to date should make it clear that the private sector is not alone in its aggressive pursuit of big data. NSA’s PRISM program allowed the government to collect copious volumes of data from companies such as Microsoft, Google, Facebook, Skype, AOL, and Apple, including users’ e-mails, videos, photographs, status updates, and locations.

  Snowden also revealed that the NSA accessed and downloaded the interpersonal connections of social media users (whom they spoke to, how often, and where they were located), including the social data graphs of U.S. citizens. These network graphs were supplemented by millions of online user contact lists and address books that the agency had also collected. You see, when you choose to use Google Contacts or iCloud to store the personal details of your friends, family members, and business associates, they can be readily targeted and taken by others, including governments.

  Not only did the NSA have cooperative relationships with American firms, but it also targeted them when convenient, including Google and Yahoo!, whose data centers the spy agency infiltrated without authorization. Using the same basic techniques employed by hackers and organized crime groups, the NSA infected more than fifty thousand computer networks around the world with malicious software in order to get access to targets of interest. The agency even posed as Facebook in numerous “man in the middle” attacks to pursue individuals across their social networks. The technique caused targets of interest to connect through a replica Facebook site controlled by the government, allowing the agency to install malware on the machines of its marks.

  The NSA did not do all this work by itself, but rather cooperated with sister organizations such as Britain’s NSA equivalent, the Government Communications Headquarters. Together, the agencies participated in the program Optic Nerve, which intercepted the webcam streams of millions of Yahoo! video chats in bulk and saved a still image from each every five minutes. Millions of images were stored, including a large number of sexually explicit pictures containing nudity. Shockingly, many of the video chats intercepted were of individuals not specifically targeted for any particular intelligence operation but were collected because it was easier to grab all the chats than to decide on an individual basis which ones should be seized.

  The NSA also replicated the already proven techniques of advertisers and marketers and their commercial data-gathering operations. For example, the spy agency created and installed tracking cookies on hard drives and mobile phones to record the locations and online habits of those under surveillance. According to documents released by Snowden, the NSA was even tapping smartphone apps, such as Rovio’s Angry Birds. The spy agency recognized that Angry Birds was already doing such an excellent job of pilfering data that the NSA needn’t bother duplicating its efforts. Instead, the NSA merely intercepted the colossal sums of data already forwarded to Rovio by those who naively thought the app’s only true purpose was to sling birds at chortling green pigs for amusement.

  Only a tiny percentage of the 1.7 billion Angry Birds users understood that their “free” app was sharing data ranging from their persistent location to their sexual orientation with Rovio. None of them, not even the app company itself, realized that they were now also providing these data (unwittingly, of course) to the NSA. Individual NSA analysts were even using the agency’s vast spying tools to target their boyfriends, girlfriends, spouses, and ex-lovers. Numerous violations were documented wherein NSA officers entered the e-mail addresses and phone numbers of their partners into the agency’s systems in order to read their e-mails, track their locations, and listen to their phone calls. The actions of these individual employees raise the proverbial but important question: who watches the watchers?

  While the overwhelming majority of the NSA’s targets appear to be overseas, dozens of security services around the world use electronic espionage to surveil and repress their domestic populations. In China, Iran, Egypt, Syria, Bahrain, and elsewhere, data stored online are routinely monitored and intercepted for reasons of political intelligence and to ensure the status quo. Most countries do not build these surveillance systems, but rather buy them from companies based in other nations, such as Germany’s Gamma International, maker of the FinFisher electronic surveillance suite. FinFisher allows domestic intelligence services to monitor thousands of targets simultaneously across their mobile phones, social media networks, and online activities.

  Once these systems of mass data surveillance have been established, they can be used for the common good, such as disrupting an imminent terrorist attack, or to the common detriment, such as repressing and harassing human rights activists and subverting the democratic process. While social media did much to empower dissidents in Egypt and Tunisia during the Arab Spring, a story that received tremendous press worldwide, there was a flip side to the social data coin. The millions of tweets and Facebook postings also provided very useful tools for governments to go after critics. Organizing a protest on Facebook gives the government clear access to what opposition activists are planning, and nearly all governments have the skill set to take advantage of such leaking data.

  In the uprising against Bashar al-Assad that began in 2011, the Syrian government, with technical support and assistance from Iran, developed a wide variety of programs to monitor social media sites such as Facebook and Twitter to track communications among opposition figures. Leaders of the anti-Assad movement identified online have been targeted for attack, as have members of their families. In the waning days of the former Ukrainian president Viktor Yanukovich, his government forces demonstrated the power of technology to repress and intimidate opposition forces. As demonstrators gathered on the streets of Kiev, the Ukrainian government detected the locations of all mobile phones in proximity to street clashes between riot police officers and protesters. The mobile phones (and their owners) were identified in real time and received what may be the “most Orwellian text message a government has ever sent: ‘Dear subscriber, you are registered as a participant in a mass disturbance.’ ” The language was carefully chosen as Yanukovich had made such participation illegal days earlier and anyone found in violation was subject to immediate arrest.

  The Darker Side of Big Data

  The emerging legacy of big data may well be one of persistent surveillance, the abolition of privacy, and a rash of criminal threats never previously envisioned. Social media, smart phones, mobile apps, the cloud, and a host of other technologies mean that not only can Nordstrom, Acxiom, Facebook, and Google find you at will, but so too can the Zetas, Lashkar-e-Taiba, domestic abusers, and stalkers. What most people do not understand, however, is that any data collected will invariably leak. Our current computing systems are too insecure to safely store the volumes of information we are generating.

  To date, the major threat to big data has been their theft and leakage. But that was only the beginning. As we move forward, we will encounter dangers that may prove to be even more perilous—unauthorized alteration of the information upon which the world depends to run its daily activities. Although we have placed tremendous trust in the data we are feverishly hoarding away, the underlying accuracy of this information, as we will discover, can easily be subverted, with significant consequences for all. For just as bad actors can steal our data, so too can they change it. This gathering storm will leave us vulnerable and shake the foundations of our faith in a data-dependent world in ways not yet fully appreciated.

  CHAPTER 8

  In Screen We Trust

  The world isn’t run by weapons anymore, or energy, or money. It’s run by ones and zeros—little bits of data. It’s all electrons. There’s a war out there, a world war. It’s not about who has the most bullets. It’s about who controls the information—what we see and hear, how we work, what we think. It’s all about information.

  AS STATED BY COSMO (BEN KINGSLEY),

  THE VILLAIN IN SNEAKERS

  All systems check. The five thousand spinning centrifuges in operation at Iran’s nuclear enrichment facility at Natanz were humming away, and the Islamic Republic was making good progress on its “peaceful” nuclear energy program. If things continued on track, soon Iran would have enough enriched uranium 235 (U-235) to create its own nuclear power plant or its first atom bomb, depending on whom you asked. Although Iran had always insisted its nuclear activities were purely for civilian energy use, much of the world, including the United States, Europe, Israel, and the United Nations, was less convinced.

  In 2005, the UN’s International Atomic Energy Agency (IAEA) found Iran in noncompliance with the Nuclear Non-proliferation Treaty it had signed, and the inspection agency reported its concerns to the UN Security Council. In response, the UN demanded Iran suspend its nuclear enrichment activities at Natanz, to which the nation’s president at the time, Mahmoud Ahmadinejad, responded with an emphatic no. Senior officials at the IAEA concluded Iran had sufficient information to design and produce a workable atom bomb and UN sanctions were imposed. But would the sanctions prevent Iran from getting the bomb? Given Iran’s preeminence on America’s “Axis of Evil” hit list, something more had to be done.

  For political reasons, an overt military strike was ruled out, but the following year President George W. Bush authorized a covert attack on the nuclear facilities at Natanz and dubbed the top secret program Operation Olympic Games, according to the New York Times. The result was the “most significant covert manipulation of the electromagnetic spectrum since World War II, when cryptanalysts broke the Enigma cipher that allowed access to Nazi codes.”

  The Iranians were no easy target and were smart enough to not connect the most prized information network in the Islamic Republic to the Internet. As a result, the operatives associated with Operation Olympic Games could not just tunnel their way in via a poorly protected road on the information superhighway. A network of human agents, engineers, and maintenance workers—spies and unwitting accomplices alike—would have to be assembled and choreographed with tremendous precision if the plan were to succeed. The weapon of choice for this covert operation? A USB thumb drive.

  To sabotage the centrifuges at Natanz, a new class of cyber weapon was created, one that could leap from the virtual world of computers and enter the physical world of industrial control systems. Enter Stuxnet, a highly sophisticated computer worm widely believed to have been created by the United States and Israel to keep a notorious foe in check. The authors of Stuxnet copied the worm onto a simple USB flash drive, now locked and loaded, ready to seek out its quarry. How the drive came to be smuggled into Natanz and who inserted it into the computer network at the facility remain unknown, even today.

  What is known, however, is how quickly the malware spread across the IT infrastructure of the plant. Merely inserting the flash drive into a single computer’s USB port and browsing it was enough: Stuxnet exploited a previously unknown (zero-day) flaw in the way Microsoft Windows rendered shortcut (.LNK) files, so the worm ran as soon as the drive’s icons were displayed, with no click required. It carried further zero-day exploits for spreading across the network, and its kernel drivers were signed with code-signing certificates stolen from two legitimate Taiwanese hardware vendors, Realtek and JMicron, so Windows treated the drivers as trustworthy and loaded them without complaint. That combination allowed it to replicate across the IT infrastructure at Natanz with impunity. As the worm propagated from desktop to desktop and network to network, it posed a simple question of each machine it infected: Is this computer connected to an industrial control system manufactured by the German multinational company Siemens?

  The Americans and the Israelis had done their homework and knew the centrifuge cascades at Natanz were run by Siemens S7 industrial programmable logic controllers (PLCs). Stuxnet carried one payload aimed at the S7-417, which managed the valves and pressure sensors of the cascades, and another aimed at the S7-315 units that commanded the frequency converters setting centrifuge speed. If a computer was not running the Siemens Step 7 engineering software used to program those PLCs, the worm did nothing beyond spreading further, which is why it eventually turned up on tens of thousands of machines far from Iran. If, however, Stuxnet found Step 7 and, through it, a PLC whose hardware configuration matched the fingerprint it was looking for, the cyber weapon assiduously began its work, making its way from the Windows computer onto the industrial control system that managed the Iranian centrifuges.

  The perpetrators of the attack knew that refining U-235 was a very tricky business. The IR-1 centrifuges used at Natanz were designed to spin at roughly 1,064 revolutions per second, about 63,800 rotations per minute (RPM), an incredible feat in speed and technology. If the centrifuges spin too slowly, the U-235 required for nuclear energy (and bombs) does not separate effectively. If they spin too fast, the rotors begin to vibrate and shake uncontrollably until the stress becomes so severe that the rotor fails or the motor burns out, requiring the centrifuge to be replaced. The authors of Stuxnet understood that no centrifuges meant no enrichment, thus no bomb and no threat.
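The too-slow/too-fast logic above is exactly what an independent safety monitor on the drives is meant to catch. Below is an added example, not code from the book and not Stuxnet’s own, that replays the frequency changes public analysis of the worm’s S7-315 payload documented (normal operation near 1064 Hz, a push to 1410 Hz, later a drop to 2 Hz, then back) through a small stateful monitor that checks both the operating band and how fast a setpoint is allowed to move. The band limits, the slew limit, the simplified timing and the two-pole-motor assumption (one revolution per electrical cycle, so RPM is Hz times 60) are this example’s own.

```python
"""Replay the centrifuge-speed sabotage through an independent speed monitor.
Added example: not from the book and not Stuxnet's code. The 1064/1410/2 Hz
figures come from public analyses of the payload; the band, slew limit,
timing and motor assumption below are constructed for the example."""
from dataclasses import dataclass, field

NOMINAL_HZ = 1064.0               # normal IR-1 drive frequency (public analysis)
SAFE_BAND_HZ = (1000.0, 1150.0)   # constructed operating window for the monitor
MAX_SLEW_HZ_PER_MIN = 20.0        # constructed limit on setpoint movement
POLES = 2                         # assumption: 2-pole motor, one turn per cycle

# Setpoint changes as (minutes since start, Hz). Timing is simplified; the
# real payload waited weeks between its two bursts.
STUXNET_SEQUENCE = [(0, 1064.0), (10, 1410.0), (25, 1064.0),
                    (40, 2.0), (90, 1064.0)]


def hz_to_rpm(hz, poles=POLES):
    """Electrical frequency to rotor speed for a synchronous motor."""
    return hz * 60.0 * 2 / poles


@dataclass
class SpeedMonitor:
    """Checks each commanded frequency against a fixed band and a slew
    limit, keeping the previous reading so jumps inside the band still
    trip the slew check."""
    band: tuple = SAFE_BAND_HZ
    max_slew: float = MAX_SLEW_HZ_PER_MIN
    last: tuple = None            # (minute, hz) of the previous reading
    alerts: list = field(default_factory=list)

    def observe(self, minute, hz):
        """Feed one reading; returns the alerts it raised (also kept in
        self.alerts). The first reading can only trip the band check."""
        raised = []
        lo, hi = self.band
        rpm = hz_to_rpm(hz)
        if hz > hi:
            raised.append(f"t={minute}m overspeed {hz:.0f} Hz (~{rpm:,.0f} rpm)")
        elif hz < lo:
            raised.append(f"t={minute}m underspeed {hz:.0f} Hz (~{rpm:,.0f} rpm)")
        if self.last is not None:
            t0, f0 = self.last
            slew = abs(hz - f0) / max(minute - t0, 1e-9)
            if slew > self.max_slew:
                raised.append(f"t={minute}m setpoint jumped {f0:.0f}->{hz:.0f} Hz "
                              f"({slew:.0f} Hz/min)")
        self.last = (minute, hz)
        self.alerts.extend(raised)
        return raised


def run_sequence(sequence=STUXNET_SEQUENCE):
    """Run a whole setpoint history through a fresh monitor; returns alerts."""
    mon = SpeedMonitor()
    for minute, hz in sequence:
        mon.observe(minute, hz)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sequence():
        print(line)
```

A monitor like this only helps if it reads the drives through a path the attacker does not control; if the same compromised controller supplies both the setpoint and the reading, the band check sees whatever the controller chooses to report.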
