
Black Code: Inside the Battle for Cyberspace


by Ronald J. Deibert


  • • •

  Those constraints begin the moment we interact with the Internet, starting with the instructions that make it all work. There are millions of software programs whose instructions shape and define the realm of the possible in cyberspace, and millions more are generated every year. Software, and its codes and commands, route traffic, run programs for us, let us into the virtual worlds we inhabit. One of the unique (and disconcerting for many) features of cyberspace is that anyone can produce software that can be distributed across the Internet as a whole. Some of the most ingenious pieces of code have been written by individuals for no other reason than to get their invention “out there,” to boast and take advantage of a “free” distribution network.

  Not all such code is benign. Countless thousands of ever-evolving malignant programs circulate through cyberspace as viruses, trojan horses, and worms. The implications of such “malware” range from minor inconveniences to threats to privacy to debilitating attacks on national security, and some researchers believe that there is now more malware than legitimate software applications, most of it emerging too quickly for computer security professionals to track. Malware ghettos inhabit vast and loosely connected ecosystems of insecure and outdated software programs, some of them lying dormant for years before being discovered. The progenitors prowl silently through social networking platforms, hijacking innocent people’s Twitter or Facebook accounts to send phony requests to visit advertising sites or to do something more dastardly. Many of our computers may be infected by malware without our knowing it. What’s worse, we pass these infections unwittingly along to friends and colleagues when we exchange information, visit malicious websites and blogs, or download documents from the Internet.

  Much of the software that operates cyberspace is “closed” or proprietary, meaning that some person or company treats the code as its intellectual property. Open-source software, on the other hand, refers to code that is open to public inspection and sharing, depending on the licence. The tension between the two runs deep, and cuts across intellectual property and security issues. We may assume that closed code is relatively safe, but it is generally accepted by computer scientists that open-source code is more secure by virtue of having more “eyeballs” able to review it for potential flaws. An additional concern around closed code is the possibility that special instructions have been built into it that might affect users without their knowledge – secret “backdoors” written into instructions by a defence or law enforcement agency, for example.

  After software, the router – a device that sends information along to its destination – may be the second most fundamental chokepoint in cyberspace. Most of us are familiar with the small, often frustrating, boxes with tiny antennas that give us the ability to connect to the Internet wirelessly, whether in a coffee shop, or our homes and offices. In accessing these routers, we generally choose the default security presets provided by manufacturers without giving much thought to how easy they are to infiltrate. In a matter of minutes, armed with a $50 Alfa AWUS050NH USB wifi adapter (which can be purchased from Amazon) and a Linux security-testing application called BackTrack, a person without any computer engineering skills whatsoever could easily follow a set of simple instructions (laid out on YouTube, for instance) that would allow him or her to easily crack a Wireless Encryption Protocol (WEP)-enabled wifi router’s password. Even simpler methods are available. Most wifi routers are shipped with default administrative passwords, accessible via a Web-based interface. Although users are cautioned to regularly change their passwords, most do not, allowing anyone to make intelligent guesses and access their routers remotely over the Internet. One website, called Router Passwords, archives known default passwords associated with router brands. How serious such vulnerabilities are was demonstrated in 2012 in Brazil, when attackers compromised 4.5 million home routers via default password hacks that changed people’s DNS server settings so that when they attempted to visit websites like Google they were redirected to phony sites that looked legitimate but were in fact controlled by the attackers and contained malicious software.

  Even without breaking into them, routers can leak information about us and our activities. In 2010, while mapping for its popular Street View service using its specially outfitted cars, Google collected information on wifi hotspots for use in a database it maintains to triangulate connections for mobile phones and other devices. It later emerged that Google had also collected (it claims unintentionally) payload information being transmitted from unencrypted wifi routers along the way, including private information being communicated from homes and businesses. It turned out that its vehicles, outfitted with rooftop cameras and antennas, travelled up and down city streets like roving digital vacuum cleaners sucking up telephone numbers, URLs, passwords, emails, text messages, medical records, and video and audio files sent over open wifi networks.

  In 2012, Cisco provided updates to its popular Linksys EA3500 dual-band wireless router. Users were redirected away from their usual administrative interface to “Cisco Connect Cloud” instead. In doing so, however, they had to agree to new terms of service that restricted use deemed “obscene, pornographic, or offensive,” and that might “infringe another’s rights, including but not limited to any intellectual property rights.” (Cisco had also written in a clause that alluded to collecting all users’ surfing history, but removed it after considerable outrage.) These limitations on what users can do in cyberspace were put in place not by their Internet service providers or by the government, but by the private manufacturer of the hardware they used to connect to the Internet.

  Also in 2012, a cyber security researcher named Mark Wuergler found that Apple’s iPhones transmitted to anyone within radio range the unique identifiers – known as MAC (media access control) addresses – of the last three accessed wifi routers. He cross-checked that information against a publicly accessible database of MAC addresses to pinpoint their locations on a map. Wuergler then created an application called Stalker to make it easier to harvest and analyze unintentionally leaked information – passwords, images, emails, and any other data transmitted by mobile phones and wifi routers. The information collected by Stalker contained the names of specific businesses regularly frequented, or friends and colleagues who are regular chat buddies. That information could be used to deceive someone into revealing further data which, in turn, could be used to undertake electronically based attacks.

  The Citizen Lab uses a similar network analysis tool, Wireshark, to sniff out hidden details of Internet traffic, though we do so only with the permission of those we monitor. Wireshark data has allowed us to see questionable connections being made to remote servers and evidence of malicious activity, as we found during our GhostNet probe. We have used the tool in workshops to demonstrate how much information can be gathered remotely without an Internet user’s knowledge. Using Wireshark and connecting to a wifi network in a hotel, for example, one can collect information on who is attending a private meeting in a room down the hall (based on computer name data sent over the Internet) and sometimes usernames and passwords (if they are sent unencrypted). It is possible to collect data on all of the sites being visited and data downloaded by users in the room, the content of private chats, and updates to Twitter and Facebook accounts (again, if the user’s communications are not encrypted).

  We also use a tool called Nmap to scan networks and map the computers connected to them, which ports are open on those computers, what operating systems are used, et cetera. With Wireshark and Nmap employed together, we can precisely map the computers and devices logged onto a network (including all known vulnerabilities on those computers and devices), and collect much of what is being communicated by the people using those computers. All of this information can be collected – without the users ever noticing – by someone connecting to the same network a few metres down the hall using a few freely available open-source tools. Examples like these show how the multiplying access points into cyberspace can create unintentional vulnerabilities that may expose us to security and privacy risks.

  • • •

  We take cyberspace for granted. We assume that its basic modus operandi – uninterrupted connectivity to a shared communications environment – is always stable. That assumption is wrong. Cyberspace is a highly dynamic ecosystem whose underlying contours are in constant flux. One of the most important recent changes has come about with the gradual movement away from searching the World Wide Web to a “push” environment where information is delivered to us instead, mostly through applications and services. A major impetus behind this shift has been the popularity of mobile devices, especially the Apple iPhone. Web browsers are functionally constrained by the smaller screens and other limitations of mobile devices, which has led to the popularity of applications that deliver specially tailored information to users instead. So, whereas in the past we might have visited the New York Times website via our browser, today a growing number of us download the Times app instead, signing off on another terms of service licence agreement in the process, and sharing with yet another third party a potentially far greater amount of personal data connected to our mobile phone. Of course, what can be “pushed out” can also be “pulled back” by companies, or turned off at the request of governments. Apple’s iPhone, for instance, has a built-in remote “wipe” functionality that can permanently disable or erase the device and all of its apps.

  When we communicate through cyberspace, our data is entrusted to the companies that own and operate the hardware, the applications and services, and the broad infrastructure through which our communications are transmitted and stored. These companies are the intermediaries of our Internet experiences, and what they do with our data can matter for how we experience cyberspace, and what we are permitted to do through it. They are critical agents in determining the rules of the road by virtue of the standards they insist upon, the operating decisions they take, and the constraints they impose on users. This is especially important as the volume of data they control becomes ever greater, ever more potentially lucrative in the global information economy.

  The end-user licence agreements, terms of service, and other warranties we sign with these companies define what they can do with our data. Unfortunately, few users bother to read, let alone understand, them. It is hard not to be sympathetic. Unless one has an advanced legal degree, these documents are intimidating: tens of thousands of words in fine print, with exceptions and caveats that provide enormously wide latitude for what companies can do. Faced with this word-soup, most of us just click “I agree.” What we are agreeing to might surprise us. Skype users, for instance, might be alarmed to find out that when they click on “I agree” to the terms of service they are assigning to Skype the right to change these terms at any time, at Skype’s discretion, and without notice. Skype does not inform users about whether and under what conditions it will share user data with law enforcement or other government agencies. Users might not know that while they can stop using Skype, they cannot delete their accounts: Skype does not allow it.

  The Internet is sometimes described as a massively decentralized and distributed “network of networks,” a virtual place where information from everywhere is concentrated and accessible to all, an egalitarian thing of beauty. From one perspective, this description accurately characterizes its architecture. But within this network of networks there are critical chokepoints: a tangible, physical infrastructure that includes the hardware, software, cables, even the electromagnetic spectrum that exists in definable, real space. There are also regulatory and legal chokepoints: the ways in which cyberspace is structured by laws, rules, and standards that can facilitate forms of control. Mobile forms of connectivity, now the central method of communicating in cyberspace, are a case in point. The mobile industry is controlled by manufacturers of “closed” devices, handsets whose owners are prohibited from opening (“jailbreaking”) or fiddling with their insides at the risk of warranty violations. Closed or proprietary software (with the exception of Google’s open-source Android operating system) means that the millions of lines of instructions that run a mobile phone’s system are restricted to everyone but the company that sells the software. They operate through networks owned and serviced by a small number of ISPs and telecommunications companies (sometimes only one or two, depending on the region or country), and they function according to government-issued licences that set the conditions under which people can use the wireless spectrum. What from one perspective (that of the average user) looks like an ephemeral network of networks, from another (that of people in positions of authority) looks more like a tangible system of concrete controls through which power can be exercised and the nature of communications shaped for specific political or economic ends.

  • • •

  It is important to understand the political architecture of cyberspace because the companies that own and operate its infrastructure, applications, and devices are under increasing pressure from a variety of quarters to police the networks they manage: from the technical demands of managing increasingly complex types of communication flows like bandwidth-sucking video streams; from lucrative market opportunities to repackage and sell user data; from regulations passed down by governments to corporations to manage content and users. The latter are especially noteworthy because the Internet crosses political boundaries, and many companies have operations in multiple national jurisdictions, some of which do not respect the rule of law or basic human rights and whose policing of the Internet lacks transparency. To operate in some jurisdictions search engines, mobile carriers, and other Internet services are required to filter access to content deemed objectionable by host governments, turn services on and off in response to crises, push intimidating mass messages onto citizens living in certain regions, cities, or territories, and/or share information about users with state security services. More often than not the companies comply.

  The cyberspace experience can vary dramatically depending on what application or device we use, which Internet café or hotspot we log on from, which ISP we contract with, and, most fundamentally, which political jurisdiction we connect from. Without the aid of special anti-censorship software, an Internet user in China is unable to connect to Twitter or Facebook, while a user in Pakistan cannot view YouTube. Users in Thailand cannot access videos on YouTube deemed insulting to the royal family. A user of the ISP du Telecom in the United Arab Emirates cannot access information about gay and lesbian lifestyles. (du censors such content using filtering technology produced by the Canadian company Netsweeper.) Indonesian users of BlackBerry devices are not able to access thousands of websites deemed pornographic and blocked by Research in Motion (RIM). Individuals living in volatile Kashmir are not able to access Facebook. According to ONI (OpenNet Initiative – a collaborative partnership of the Citizen Lab; the Berkman Center for Internet & Society at Harvard University; and the SecDev Group in Ottawa), dozens of governments now insist that ISPs operating in their political jurisdictions implement Internet censorship and surveillance on their behalf.

  Internet filters and chokepoints can have bizarre collateral impacts on users’ Internet experiences through “upstream filtering,” cases where data transit agreements, or “peering,” made between ISPs in separate countries have spillover effects on Internet users in each other’s countries. In 2012, ONI discovered that users in Oman were not able to access a large number of websites with Indian-related content (mostly Bollywood movies and Indian music). The source of the censorship, however, was not in Oman itself, nor was it demanded by the government (for whom the sites in question were not controversial). Rather, it was the Indian ISP Bharti Airtel, with whom the Omani ISP, Omantel, has a peering arrangement.

  This kind of collateral impact of Internet controls has a long history. In 2005, ONI found that when the Canadian ISP Telus blocked subscriber access to a website set up by a labour union intending to publicize its views about a dispute with Telus, it also unintentionally blocked access to over 750 unrelated websites. In 2008, the Pakistan Ministry of Information ordered Pakistan Telecom to block access to YouTube because of films uploaded to the site that purportedly insulted the Prophet Muhammad. In carrying out this order, Pakistan Telecom mistakenly communicated these routing instructions to the entire Internet, shutting down YouTube for most of the world for nearly two hours.

  • • •

  Most of the filtering described above takes place at the level of ISPs, the companies users contract with to get their basic connectivity. But there is a deeper layer of control, one that stretches down into the bowels of cyberspace: Internet Exchange Points (IXPs). While most users are familiar with ISPs, few have ever heard of IXPs. There are several hundred IXPs around the world: usually heavily guarded facilities with the level of security one encounters at an airport or defence installation. If you’ve ever wondered how it is that your email reaches your friend’s email account with a completely different company, IXPs are the answer. It is here that traffic is passed between the networks of different companies – through the Border Gateway Protocol (BGP) exchanged between ISPs – and IXPs are the key strategic locations for the interception, monitoring, and control of large swathes of Internet communications. (In the early 2000s, I toured an IXP in downtown Toronto and saw row upon row of high-tech equipment, endless servers stacked on several floors. Down one long hallway there were hundreds of what appeared to be randomly distributed red tags attached to the equipment. I asked the tour guide, “What are the red tags?” He replied nonchalantly, “Oh, those are the wiretaps,” and moved on.)
