Comjagat.com-The first IT magazine in Bangladesh
  • ভাষা:
  • English
  • বাংলা
হোম > Cyber Attacks
লেখক পরিচিতি
লেখকের নাম: ফরহাদ হোসেন
মোট লেখা:১৩
লেখা সম্পর্কিত
পাবলিশ:
২০১৮ - মে
তথ্যসূত্র:
কমপিউটার জগৎ
লেখার ধরণ:
সিকিউরিটি
তথ্যসূত্র:
সিকিউরিটি
ভাষা:
বাংলা
স্বত্ত্ব:
কমপিউটার জগৎ
Cyber Attacks
Cyber Attacks
Farhad Hussain,

The real world is not like the online world. In the real world, you only have to worry about the criminals who live in your city or country. But in the online world, you have to worry about criminals who could be on the other side of the planet. Online crime is always international because the Internet has no borders.Today computer viruses and other malicious software are no longer written by hobbyist hackers seeking fame and glory among their peers. Most of them are written by professional criminals who are making millions of dollars with their attacks. These criminals want access to your computer, your PayPal passwords, and your credit card numbers.

National police forces and legal systems are finding it extremely difficult to keep up with the rapid growth of online crime. They have limited resources and expertise to investigate online criminal activity. The victims, police, prosecutors, and judges rarely uncover the full scope of the crimes that often take place across international boundaries. Action against the criminals is too slow, the arrests are few and far between, and too often the penalties are very light, especially compared with those attached to real-world crimes.Because of the low prioritization for prosecuting cybercriminals and the delays in launching effective cybercrime penalties, we are thereby sending the wrong message to the criminals and that is why online crime is growing so fast. Right now would-be online criminals can see that the likelihood of their getting caught and punished is vanishingly small, yet the profits are great.

The reality for those in positions like cybercrime investigator is that they must balance both fiscal constraints and resource limitations. They simply cannot, organizationally, respond to every type of threat. If we are to keep up with the cybercriminals, the key is cooperation. The good news is that the computer security industry is quite unique in the way direct competitors help each other.The overall security level of end-user systems is now better than ever before. The last decade has brought us great improvements. Unfortunately, the last decade has also completely changed who were fighting.In the past all the malware was still being written by hobbyists, for fun. The hobbyists have been replaced by new attackers: not just organized criminals, but also Hacktivists and Governments. Criminals and especially governments can afford to invest in their attacks. As an end result, we are still not safe with our computers, even with all the great improvements.

In 2008, a mathematician called Satoshi Nakamoto submitted a technical paper for a cryptography conference. The paper described a peer-to-peer network where participating systems would do complicated mathematical calculations on something called a Blockchain. This system was designed to create a completely new currency: a crypto currency. In short a currency that is based on mathematics. The paper was titled “Bitcoin: A Peer-to-Peer Electronic Cash System.”Since Bitcoin is not linked to any existing currency, its value is purely based on the value people believe it is worth. And since it can be used to do instant transactions globally, it does have value. Sending Bitcoin around is very much like sending e-mail. If I have your address, I can send you money. I can send it to you instantly, anywhere, bypassing exchanges, banks, and the tax man. In fact, crypto currencies make banks unnecessary for moving money around—which is why banks hate the whole idea.The beauty of the algorithm behind Bitcoin is solving two main problems of crypto currencies by joining them: how do you confirm transactions and how do you inject new units of currency into the system without causing inflation. Since there is no central bank in the system, the transactions need to be confirmed somehow—otherwise one could fabricate fake money. In Bitcoin, the confirmations are done by other members of the peer-to-peer network. At least six members of the peer-to-peer network have to confirm the transactions before they go through. But why would anybody confirm transactions for others? Because they get rewarded for it: the algorithm issues new Bitcoin as reward to users who have been participating in confirmations. This is called mining.

When Bitcoin was young, mining was easy and you could easily make dozens of Bitcoin on a home computer. However, as Bitcoin value grew, mining became harder since there were more people interested in doing it. When Bitcoin became valuable, people were more and more interested in Satoshi Nakamoto. He gave a few e-mail interviews, but eventually stopped correspondence altogether. Then he disappeared. When people went looking for him, they realized Satoshi Nakamoto did not exist. Even today, nobody knows who invented Bitcoin. Indeed, however, Bitcoin fans have been spotted wearing T-shirts saying “Satoshi Nakamoto Died for Our Sins.”
Today, there are massively large networks of computers mining Bitcoin and other competing crypto currencies. The basic idea behind mining is easy enough: if you have powerful computers, you can make money. Unfortunately, those computers do not have to be your own computers. Some of the largest botnets run by online criminals today are monetized by mining. So, you would have an infected home computer running at 100 percent utilization around the clock as it is mining coins worth tens of thousands of dollars a day for a cybercrime gang. Presently such mining botnets have become very popular for online criminals.Even more importantly, such an attack does not require a user for the computers in order to make money. Most traditional botnet monetization mechanisms required a user’s presence. For example, credit card key loggers needed a user at the keyboard to type in his payment details or ransom Trojans needed a user to pay a ransom in order to regain access to his computer or his data. Mining botnets just need processing power and a network connection.Some of the upcoming crypto currencies do not need high-end GPUs to do the mining: a regular CPU will do. When you combine that with the fact that home automation and embedded devices are becoming more and more common, we can make an interesting forecast: there will be botnets that will be making money by mining on botnets created out of embedded devices. Think botnets of infected printers or set-top boxes or microwave ovens or toasters.Whether it makes sense or not, toasters with embedded computers and Internet connectivity will be reality one day. Before crypto currencies existed, it would have been hard to come up with a sensible reason for why anybody would want to write malware to infect toasters. However, mining botnets of thousands of infected toasters could actually make enough money to justify such an operation. Sooner or later, this will happen.

Spying is about collecting information. When information was still written on pieces of paper, a spy had to physically go and steal it. These days information is data on computers and networks, so modern spying is often carried out with the help of malware. The cyber spies use Trojans and backdoors to infect their targets’ computers, giving them access to the data even from the other side of the world.Who spends money on spying? Companies and countries do. Online espionage and spying have become important tools for intelligence purposes. Protecting against such attacks has proven to be very difficult.

The most effective method to protect data against cyber spying is to process confidential information on dedicated computers that are not connected to the Internet. Critical infrastructure should be isolated from public networks.And isolation does not mean a firewall: it means being disconnected. And being disconnected is painful, complicated, and expensive. But it is also safer.

A very big part of criminal or governmental cyber attacks use exploits to infect the target computer.Without vulnerability, there is no exploit. And ultimately, vulnerabilities are just bugs: programming errors. And we have bugs because programs are written by human beings and human beings make errors. Software bugs have been a problem as long as we have had programmable computers, and they are not going to disappear.

Before the Internet became widespread, bugs were not very critical. You would be working on a word processor and would open a corrupted document file and your word processor would crash. While annoying, such a crash was not too big of a deal. You might lose any unsaved work in open documents, but that is it. But as soon as the Internet entered the picture, things changed. Suddenly bugs that used to be just a nuisance could suddenly be used to take over your computer.

We have different classes of vulnerabilities and their severity ranges from a nuisance to critical.First, we have local and remote vulnerabilities. Local vulnerabilities can only be exploited by a local user who already has access to the system. But remote vulnerabilities are much more severe as they can be exploited from anywhere over a network connection.

Vulnerability types can then be divided by their actions on the target system: denial-of-service, privilege escalation, or code execution. Denial-of-service vulnerabilities allow the attacker to slow down or shut down the system. Privilege escalations can be used to gain additional rights on a system, and code execution allows running commands.

The most serious vulnerabilities are remote code execution vulnerabilities. And these are what the attackers need.But even the most valuable vulnerabilities are worthless if the vulnerability gets patched. So the most valuable exploits are targeting vulnerabilities that are not known to the vendor behind the exploited product. This means that the vendor cannot fix the bug and issue a security patch to close the hole. If a security patch is available and the vulnerability starts to get exploited by the attackers five days after the patch came out, users had five days to react. If there is no patch available, they users had no time at all to secure themselves: literally zero days. This is where the term zero-day vulnerability comes from: users are vulnerable, even if they had applied all possible patches.

The knowledge of the vulnerabilities needed to create these exploits is gathered from several sources. Experienced professionals search for vulnerabilities systematically by using techniques like fuzzing or by reviewing the source code of open-source applications, looking for bugs. Specialist tools have been created to locate vulnerable code from compiled binaries. Less experienced attackers can find known vulnerabilities by reading securitythemed mailing lists or by reverse engineering security patches as they are made available by the affected vendors. Exploits are valuable even if a patch is available, as there are targets that do not patch as quickly as they should.

Originally, only hobbyist malware writers were using exploits to do offensive attacks. Things changed as organized criminal gangs started making serious money with key loggers, banking Trojans, and ransom Trojans. As money entered the picture, the need for fresh exploits created an underground marketplace. Things changed even more as governments entered the picture. As the infamous Stuxnet malware was discovered in July 2010, security companies were amazed to notice this unique piece of malware was using a total of four different zero-day exploits—which remains a record in its own field. Stuxnet was eventually linked to an operation launched by the governments of the United States and Israel to target various objects in the Middle East and to especially slow down the nuclear program of the Islamic Republic of Iran.

Other governments learned of Stuxnet and saw the three main takeaways of it: attacks like these are effective, they are cheap, and they are deniable. All of these qualities are highly sought after in espionage and military attacks. In effect, this started a cyber arms race that today is a reality in most of the technically advanced nations. These nations were not just interested in running cyber defense programs to protect themselves against cyber attacks. They wanted to gain access to offensive capability and to be capable of launching offensive attacks themselves.

To have a credible offensive cyber program, a country will need a steady supply of new exploits. Exploits do not last forever. They get found out and patched. New versions of the vulnerable software might require new exploits, and these exploits have to be weaponized and reliable. To have a credible offensive cyber program, a country needs a steady supply of fresh exploits.

As finding the vulnerabilities and creating the weaponized exploits is hard, most governments would need to outsource this job to experts. Where can they find such expertise from? Security companies and antivirus experts are not providing attack code: they specialize in defense, not attacks. Intelligence agencies and militaries have always turned to defense contractors when they need technology they cannot produce by themselves. This applies to exploits as well.

Simply by browsing the websites of the largest defense contractors in the world, you can easily find out that most of them advertise offensive capability to their customers. Northrop Grumman even runs radio ads claiming that they “provide governmental customers with both offensive and defensive solutions.”

However, even the defense contractors might have a hard time building the specialized expertise to locate unknown vulnerabilities and to create attacks against them. Many of them seem to end up buying their exploits from one of the several boutique companies specializing in finding zero-day vulnerabilities. Such companies have popped up in various countries. These companies go out of their way to find bugs that can be exploited and turned into security holes. Once found, the exploits are weaponized. In this way, they can be abused effectively and reliably. These attackers also try to make sure that the company behind the targeted product will never learn about the vulnerability—because if they did, they would fix the bug. Consequently, the customers and the public at large would not be vulnerable any more. This would make the exploit code worthless to the vendor.

Companies specializing in selling exploits operate around the world. Some of the known companies reside in the United States, the United Kingdom, Germany, Italy, and France. Others operate from Asia. Many of them like to portray themselves as being part of the computer security industry. However, we must not mistake them for security companies, as these companies do not want to improve computer security. Quite the opposite, these companies go to great lengths to make sure the vulnerabilities they find do not get closed, making all of us more vulnerable.

In some cases, exploits can be used for good. For example, sanctioned penetration tests done with tools like Metasploit can improve the security of an organization. But that is not what we are discussing here. We are talking about creating zero-day vulnerabilities just to be used for secret offensive attacks.
The total size of the exploit export industry is hard to estimate. However, looking at public recruitment ads of the known actors as well as various defense contractors, it is easy to see there is much more recruitment happening right now for offensive positions than for defensive roles. As an example, some U.S.-based defense contractors have more than a hundred open positions for people with Top Secret/SCI clearance to create exploits. Some of these positions specifically mention the need to create offensive exploits targeting iPhone, iPad, and Android devices.

When the Internet became commonplace in the mid-1990s, the decision makers ignored it. They did not see it as important or in any way relevant to them. As a direct result, global freedom flourished in the unrestricted online world. Suddenly people all over the world had in their reach something truly and really global. And suddenly, people were not just consuming content; they were creating content for others to see.

But eventually politicians and leaders realized just how important the Internet is. And they realized how useful the Internet was for other purposes—especially for the purposes of doing surveillance on citizens.
The two arguably most important inventions of our generation, the Internet and mobile phones, changed the world. However, they both turned out to be perfect tools for the surveillance state. And in a surveillance state, everybody is assumed guilty.

Internet surveillance really became front-page material when Edward Snowden started leaking information on PRISM, XKeyscore, and other NSA programs in the summer of 2013.
Advancements in computing power and data storage have made wholesale surveillance possible. But they have also made leaking possible. That is how Edward Snowden could steal three laptops, which contained so much information that, if printed out, it would be a long row of trucks full of paper.

Leaking has become so easy that it will keep organizations worrying about getting caught over any wrongdoing. We might hope that this would force organizations to avoid unethical practices.
While governments are watching over us, they know we are watching over them.We have seen massive shifts in cyber attacks over the last two decades: from simple viruses written by teenagers to multimillion-dollar cyber attacks launched by nation-states.

All this is happening right now, during our generation. We were the first generation that got online. We should do what we can to secure the net and keep it free so that it will be there for future generations to enjoy.
পত্রিকায় লেখাটির পাতাগুলো
লেখাটির সহায়ক ভিডিও
২০১৮ - মে সংখ্যার হাইলাইটস
চলতি সংখ্যার হাইলাইটস