Counting from Zero
Mick waited, standing at the specified corner. He passed the time people watching. Mick was always amazed at how much he could deduce with a little observation. Besides the ubiquitous Korean and other tourists, there were lots of Americans from all over the country, judging by their accents. Despite the cold, the crowds were pretty big.
A black van pulled to a stop in front of Mick. The front window went down and a voice called out to him by name. Mick walked towards the van; the side door opened. He leaned over to look, and he was pulled inside, the door closing behind him. Before his eyes could adjust to the gloom, he felt his hands being restrained and a hood pulled over his head.
“Don’t be alarmed, we are taking you to our office.”
A loud hissing noise filled his ears, and he realized they had turned on a white noise source to cover any road noises. He gave up struggling and instead tried to keep his senses sharp.
Serves me right for getting into bed with the government…
Chapter 15.
Mick O'Malley – “Distrust and caution are the parents of security” – Ben Franklin. (13 comments)
After an indeterminate amount of time, the van stopped and the noise ceased. Mick was lifted to his feet, and he moved his legs, trying to get out the pins and needles. He was frog-marched down a corridor then pushed down onto a chair, and the hood was removed. He blinked in the light, looking around. A man removed the plastic restraints from Mick’s wrists, and he rubbed them.
“My apologies for the ‘cloak and dagger’, Mr. O’Malley, or should I say, Mr. Robertson?” began a tall, thin man sitting across the table. When Mick made no reply, he continued. “We appreciate your cooperation in this matter. You have some information about the recent zero day attacks that we need. First of all, tell us how you became involved in this.”
“I came to D.C. to share what I know with Homeland Security, but I didn’t expect this treatment. However, I will answer your questions anyway. May I know your name?” Mick paused but received no reply. “Can I have a glass of water?” After another pause, a bottle of water appeared on the table. Mick took a sip, then began telling his story.
He explained how he had foiled the web server zero day in Hiroshima and had monitored the mail server zero day. He described the results of the LeydenTech investigation, and the threat from Pavel Michalovic and company. He explained his hypothesis of the Zed.Kicker botnet using spambots to hide P2P control messages.
“And tell me about your personal server compromises.”
“Well, my personal web server was compromised by the ‘Carbon’ attack, but my mail server was not hit as I suspect that the attack –”
“I don’t mean those. I mean your Zed dot Kicker compromise.”
“I’m afraid I don’t know what you are talking about.” On the long ride, Mick had thought hard what information he was willing to reveal and what he was not willing to reveal. He had decided to not discuss his personal server compromise, as he was unwilling to share these logs with the government. His server logs contained all kinds of information about the location, type, and software running on his servers. Also, there was still the matter of the unexplained private key theft.
“You know exactly what I’m talking about. I understand one of your personal servers was compromised and your private keys stolen. We already have all the logs from LeydenTech, but we need your logs as well.” There was a long pause.
“Sorry, I’ve told you everything I know. If you have all the LeydenTech info, then you know as much as I do. You really need to get on top of this botnet… I think it is the biggest and most powerful by a few orders of magnitude. The new codebase is extremely sophisticated and who knows what they might target next. Don’t you have your own server logs to examine?” he asked, knowing the answer already.
“As you are no doubt aware, all our information technology has been outsourced to UBK. They have shared their logs, but they aren’t as useful as they could be, as their servers were hit hard and most logs were erased.”
“Why don’t you just ask for their source code? You could then do your own analysis.” There was a pause before the answer.
“We have. They have refused, citing the confidentiality clauses in our contract.” Mick couldn’t suppress a smile.
“Oh that’s right, closed source… intellectual property… Bad luck about that. You really should only do business with companies that implement security best practices.”
“This is now a matter of national security. An inter-department task force has been set up. I have been authorized to offer you a role in this investigation. Here are the terms and conditions.” He paused and passed a thick sheaf of paper across the table. Mick didn’t look down.
“Sorry, I don’t do government work. I would like to go now, unless I am under arrest?”
“I don’t think you understand the seriousness of this situation… or of your own situation –” Mick let his anger show.
“I don’t understand? I don’t understand? Industry and government alike have been ignoring the threat to the Internet from botnets for years now! Even small botnets can cause big disruptions. This botnet… this one is not like any I’ve ever seen. It is made up of perhaps millions of zombie computers, all over the world: ordinary computers on people’s desks, in their living rooms, perhaps even in your office! Have you kept up to date with your software updates? From what I can tell, this botnet is just warming up; we have not yet seen its full power, but I am certain we soon will! And as for my ‘own situation’, I am just a private citizen doing my job. What right do you have to drag me here to Ft. Meade and treat me like a criminal? May I remind you that this is America, and I have rights.”
The man stood up and walked out of the room. For the first time, Mick saw another person seated in the back of the room. The man wore a military uniform.
“Who are you?” Mick asked, but had no time for a reaction or reply when the hood was put back over his head, and he was bundled away.
The General got up and walked to a nearby conference room to discuss the interview he had witnessed with a team.
“Since he won’t cooperate, go through his intercepts,” demanded the General. “I want to see transcripts of all his calls, mails, and messages. Also –” The other man interrupted him.
“Sir, he uses ZRTP encryption for all his calls, and strong encryption on all his messaging. We know who he communicates with, but we haven’t been able to break any yet…” He looked at the General who appeared to be thinking hard.
“What about his computers – his servers?”
“He was only carrying a mobile, which had no data on it.”
“He wasn’t carrying a computer? That is strange,” the General commented.
“We think he keeps most of his data on offshore servers. We’ve located some, but they are well protected and in countries where we have little intelligence cooperation.”
“Damn! Well, he doesn’t have everything offshore, does he? I want some leverage on this guy! I want 24-hour surveillance on him. I am authorizing non-traditional means to get around this guy’s paranoia. Dismissed!”
As the room cleared, the General fought back his anger. He glanced down at an intelligence report that he had just received. Based on this information, he had a choice to make: to do nothing and let things take their course, or to intervene. He had been considering intervening, but now…
Who the hell does this Mick O’Malley think he is?
Mick rolled to a stop on the sidewalk, after being dumped from the van. With his hands freed, he pulled the hood off his head but was not able to read the license plate of the van as it sped away.
Not that it would be any help. Who would I go to, the police?
Mick got up and dusted off his clothes. He pulled out his mobile and fired up the GPS. He was on a side street in D.C., not too far from his hotel.
The whole situation seemed quite surreal. He had made major progress with the botnet, and now he was being threatened by his own government… Fortunately, all his critical data was stored on his Internet servers, which were safe… for now. He thought about the questions he had been asked. The government seemed preoccupied with its own security, provided by UBK these days. He recalled how many government sites had been taken down in the web server zero day.
Could the attacks be aimed at the government, with others just being collateral damage?
It was an intriguing premise. UBK could make for a convenient target: centralized, probably using similar software and hardware everywhere to keep costs down. If true, this would just be the cyber analog of the classic organized crime protection racket. But this didn’t quite make sense to Mick: extortion would be much more effective against private companies, especially shady ones on the edge of the law, than against a government or a government contractor. It just didn’t ring true with what he knew of cybercrime businesses.
Down the street, he stopped to examine his mobile. It had been taken from him when he got in the van and returned just before being dropped off. He checked the location log and found that it was blank for the entire time of the meeting. The mobile was on, but it had no location or other wireless contact during the period. Most likely it was put inside a Faraday cage. And most likely it now had a bug installed in it. He gave a wistful smile as he removed a small chip from it – the SIM card – then threw the mobile into a dumpster. He would have to buy a new one tomorrow, and download and compile the operating system.
He stopped at another hotel a few blocks from his hotel. He gave the bellhop a claim ticket and five dollars. The bellhop returned a moment later with the computer bag Mick had left earlier that morning. He smiled to himself as he walked out.
Safe from prying eyes…
Back in his hotel room, he paced back and forth, his body still coursing with adrenaline. Mick wanted to tell someone, but was reluctant to involve anyone else. He checked his mail, and found a contract termination notice from Vince – it seemed his LeydenTech work was over. He wondered what other surprises were waiting for him.
Maybe I should have played along instead of refusing outright? Too late now…
He decided to stick to his plans, and headed to the Smithsonian to try to clear his mind. Mick had visited the Air & Space Museum many times in the past but never the Steven F. Udvar-Hazy Center. It was literally a whole new museum, located near Dulles airport. For Mick, the highlight was seeing Enola Gay, the actual B-29 that dropped the atomic bomb on Hiroshima. He read the plaque that merely outlined the history of the plane. Mick recalled the controversy that erupted when the bomber was first shown in the museum, with a description of the atomic bomb detonation and resulting casualties. The current lack of context seemed a shame to Mick. Despite its propellers, Mick thought it looked modern, sleek, and even menacing. He had seen pictures of it in the museum in Hiroshima, including grainy color movies. He felt he had somehow connected the dots, having been to Hiroshima, stood under the hypocenter, and now was looking at the actual bomber which was overhead that fateful day.
Gradually, Mick started to feel almost normal again.
He spent a few hours in his hotel in Washington catching up with his social network. Lars was fairly quiet these days, no doubt busy studying the latest attack. Gunter was traveling again in Europe, and enjoying the variety of the food. Kateryna was planning some sightseeing in Europe before next month’s security conference in London and was looking for suggestions. Mick shared his favorite spots, from the standing stones in Cornwall to the moors in the Lake District.
Finally, Mick was able to concentrate again. There was much work to be done on the botnet, but he no longer felt the weight of being the only one who knew the relationships between the zero day attacks. He had done his duty, even if he had antagonized the government. Tomorrow morning he would ride the train back to Boston, and enjoy one more day with Sam before heading home to Manhattan.
Chapter 16.
From the Security and Other Lies Blog:
What is a digital certificate? What does it mean when my browser gives me an error message about a certificate? Should I just click OK? wateraptor
A digital certificate is a document that a computer can use to prove the identity of another computer or user. For example, a digital certificate can be used to secure a web banking session. When I type in https://bigbank.com into my browser, my browser gets a certificate from the web server. If the certificate says that Big Bank, Inc. operates a web server called bigbank.com, then my web browser will display a padlock or otherwise indicate that this is an authenticated and secure web session.
Now, this might not seem all that secure. Fortunately, a certificate is not like a diploma displayed on a wall (or those tremendously important elevator certificates) – those documents can be easily stolen or duplicated by a bad guy. Instead, certificates are only issued and signed by a few companies – so-called Certificate Authorities. Your browser can tell if a certificate is valid or not based on whether the digital signature on the certificate itself is valid. Secondly, no one else can use the certificate besides the owner, because in order to use it, you need to know the secret private key associated with it. Therefore, even if a bad guy copies your bank's certificate, he can't successfully use it, because your web browser will require him to prove that he knows the bank's private key, which he does not.
Now let’s talk about those certificate errors that generate pop ups that almost all of us (myself definitely not included!) just click OK to. This can happen for a number of reasons. If the certificate is issued by a Certificate Authority that the web browser doesn't recognize, it will generate an error. This is not too common, but does happen.
Another case could be that the address you typed into the browser doesn't match the address in the certificate. For example, if I type in bigbank.com into my browser, but the certificate obtained by my browser says the server it is talking to is Spammers R Us, Inc. running the spam.spam.spam.wonderfulspam.com web server, then my web browser will pop up one of those warning messages to say that something is wrong. Now, usually, the error is more subtle than this. For example, the Big Bank, Inc. certificate might say bigbankinc.com instead of bigbank.com, or the certificate might have expired last week.
When I get one of these errors, I *never* click OK. Instead, I copy the information and send a nastygram to the CIO or CTO of the company, explaining to them that they are in violation of their fiduciary requirement for security and hence liable to attacks, lawsuits, and all kinds of bad press. But, that is just me. YMMV. Hope this helps, wateraptor.
-> Your question not answered this week? Argue for your vote on the Shameless Plugging area of our discussion forum.
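An added illustration, not part of the novel or of the fictional blog: the four checks the post describes (a signature from a trusted Certificate Authority, a name that matches what was typed, an unexpired validity window, and proof that the server holds the private key) written out as a small Python model. Textbook RSA over two fixed primes stands in for real X.509 signing so it runs offline; "Example Root CA", the keys, dates and the sample hostnames are all constructed here, not taken from the page.

```python
# Added example, not from the novel or the "Security and Other Lies" blog.
# A toy model of what a browser checks before showing the padlock:
#   1. the certificate carries a valid signature from a CA the browser trusts,
#   2. the name in the certificate matches the address that was typed in,
#   3. the certificate is inside its validity period,
#   4. the server proves it knows the private key matching the certificate.
# Textbook RSA over two fixed primes replaces real X.509 signing so the script
# runs offline; every name, key and date below is constructed for illustration.
import hashlib
from dataclasses import dataclass, replace

E = 65537  # conventional RSA public exponent


def make_keypair(p: int, q: int):
    """Toy RSA keypair from two primes; returns ((n, e), (n, d))."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def digest(data: bytes, n: int) -> int:
    """SHA-256 of the data, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    n, d = private
    return pow(digest(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    n, e = public
    return pow(signature, e, n) == digest(data, n)


@dataclass
class Certificate:
    subject: str        # who the certificate is about, e.g. "Big Bank, Inc."
    hostnames: list     # names the certificate is valid for
    public_key: tuple   # the subject's public key (n, e)
    not_before: int     # validity window as Unix timestamps
    not_after: int
    issuer: str         # which CA signed it
    signature: int = 0  # the CA's signature over to_be_signed()

    def to_be_signed(self) -> bytes:
        """Canonical bytes the CA signs; editing any field breaks the signature."""
        return "|".join([self.subject, ",".join(self.hostnames), str(self.public_key),
                         str(self.not_before), str(self.not_after), self.issuer]).encode()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*.example.com' wildcard covering one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_certificate(cert: Certificate, hostname: str, trusted_cas: dict, now: int) -> list:
    """Return the problems a browser would warn about; an empty list means OK."""
    problems = []
    ca_key = trusted_cas.get(cert.issuer)
    if ca_key is None:
        problems.append("unknown_ca")          # issuer not in the browser's trust store
    elif not verify(ca_key, cert.to_be_signed(), cert.signature):
        problems.append("bad_signature")       # contents were altered after signing
    if not any(hostname_matches(h, hostname) for h in cert.hostnames):
        problems.append("hostname_mismatch")   # e.g. bigbankinc.com vs bigbank.com
    if now < cert.not_before:
        problems.append("not_yet_valid")
    if now > cert.not_after:
        problems.append("expired")             # e.g. "expired last week"
    return problems


def proves_key_possession(cert: Certificate, nonce: bytes, response: int) -> bool:
    """A copied certificate is useless without its private key: the server
    must sign a fresh challenge, and only the real key produces a valid answer."""
    return verify(cert.public_key, nonce, response)


# Constructed sample data: one trusted root CA, Big Bank's certificate, a fixed clock.
CA_PUB, CA_PRIV = make_keypair(1000000007, 998244353)
BANK_PUB, BANK_PRIV = make_keypair(1000000009, 999999937)
TRUSTED_CAS = {"Example Root CA": CA_PUB}
NOW = 1_700_000_000
BANK_CERT = Certificate("Big Bank, Inc.", ["bigbank.com", "*.bigbank.com"], BANK_PUB,
                        NOW - 86400, NOW + 30 * 86400, "Example Root CA")
BANK_CERT.signature = sign(CA_PRIV, BANK_CERT.to_be_signed())
# A copy of the bank's certificate with an extra hostname pasted in; the CA's
# signature no longer covers the edited contents.
FORGED_CERT = replace(BANK_CERT, hostnames=["bigbank.com", "spam.spam.spam.wonderfulspam.com"])
NONCE = b"constructed-challenge-1234"

if __name__ == "__main__":
    print("bigbank.com today:", check_certificate(BANK_CERT, "bigbank.com", TRUSTED_CAS, NOW))
    print("typed bigbankinc.com:", check_certificate(BANK_CERT, "bigbankinc.com", TRUSTED_CAS, NOW))
    print("five weeks later:", check_certificate(BANK_CERT, "bigbank.com", TRUSTED_CAS, NOW + 35 * 86400))
    print("unknown CA:", check_certificate(BANK_CERT, "bigbank.com", {}, NOW))
    print("edited copy:", check_certificate(FORGED_CERT, "bigbank.com", TRUSTED_CAS, NOW))
    print("real key answers challenge:", proves_key_possession(BANK_CERT, NONCE, sign(BANK_PRIV, NONCE)))
    print("copy without the key:", proves_key_possession(BANK_CERT, NONCE, sign(CA_PRIV, NONCE)))
```

Each warning the post mentions maps to one entry in the returned list, which is why a browser can tell the user whether the problem is a stranger's certificate, a misspelt name, or a lapsed renewal. Reducing the SHA-256 digest modulo a 60-bit toy modulus is what makes the script self-contained; a real verifier uses full-size keys and a padding scheme.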
Chapter 17.
Mick O'Malley – can’t stand governments, all governments. (4 comments)
Mick’s train ride back to Boston was uneventful. His walk from the train station to Jocelyn’s apartment was a different story.
As he walked down Charles Street, there were quite a few other pedestrians out and about in the afternoon sunshine. On an impulse he stopped in a corner shop to buy some flowers for his sister. As he exited the store with a bouquet of yellow tulips, he noticed a man standing on the other side of the street; the man looked vaguely familiar. Mick realized he had seen him waiting outside the train station a few minutes earlier. Mick continued walking down the street, his mind racing.
That man is following me!
Mick became more aware of his surroundings, noting every person around. As he stopped at a crosswalk, he could no longer see the man, but he noticed a woman walking ahead who he had previously seen hailing a cab.
Is she following me?
He decided to find out.
When the light changed, he didn’t walk, pretending to look at his mobile. An empty taxi cab approached the intersection and started to turn in front of him. He stepped out into the street, stopping the cab suddenly. Mick opened the door and jumped inside the cab.
“Drive!” he shouted. Looking out the back window, he saw the woman talk to someone in a car who began following the taxi.
“Where to buddy?” the driver asked. Mick gave his sister’s address, and was dropped outside a few short minutes later. He walked in the door and up the stairs, still slightly in a daze. His life had just changed dramatically in the past twenty-four hours.
I’m under surveillance now.
He stopped on the stairs to compose himself. He had no intention of telling his sister about his encounter with the government – he didn’t want her to worry. Besides, he still had a naïve hope that things would settle down and his life could go back to normal.
Sam was finishing her homework with help from his sister when he entered the apartment. Sam bounded over a few minutes later, and he was able to put the recent events completely out of his thoughts.
That evening, the two of them continued reading The Two Towers. They discussed it afterwards as Sam lay sleepily in her bed.
“I can’t believe the Black Gate is closed,” she said sleepily. “They traveled so long and hard to get there, deep into Mordor, and now they can’t get in!”
“I know it looks bad, but I have faith in the hobbits,” he replied.
“But they must feel so disappointed! I guess fighting evil is difficult. I wonder how they do it...”
“I know,” he replied, not thinking about the book. Sam drifted off to sleep a few minutes later.
Later, just before he fell asleep, Mick wondered how things had come to this. He now was almost afraid to communicate with his friends – he didn’t want to drag anyone else into his mess. Being tailed, presumably by the government, would complicate things for him. He was annoyed at himself for the afternoon’s theatrics. With a bit of thought he probably could have confirmed the tail without them knowing. Now they knew that he was aware of being followed. He realized, however, that one of the goals of the surveillance was probably to unnerve him.