Tag Archives: china

Cyber War – Game Over

22 Friday Jan 2010

Posted by in cyber war

2 Comments

Tags

, , ,

“Are you kidding me!  WTF Sarge!  I mean, do you have any idea what you’re asking me to do?  You might as well just ask me to kill my first born!”  I/O was inconsolable, fairly incoherent and in a state of complete disbelief as he absorbed his Console Sergeant’s command to wipe the drives of all honeypots and pwned bots under the command of the Cyber Force.  This was over 50,000 computers world wide.  But it wasn’t the difficulty in carrying out the task.  Computers are automated if nothing else.  Apparently I/O had developed an emotional attachment to his bots.

“We’re withdrawing from this theater of conflict soldier.  Report back when it’s complete.”  The Console Sergeant turned and walked out of the war room.

Nearly everyone in the room was empathetic to I/O, except Tyler.  “Let it go I/O.  We have bigger concerns.  Game over man.  We all need an exit strategy.”

“What are you talking about?”  I/O was coming to terms and seemed ready to talk logic.  “Exit strategy for what?”

Tyler addressed the entire room, SecIntel along with the Ethical Hack team.  “You heard the Console Sergeant.  We’re shutting down operations.  And we never existed.  Most of us are within a year of returning to the private sector.  What do we do for resumes?  We can’t talk about it.”  Tyler paused but everyone stared at him with blank faces.  Clearly they must have understood his point but no one had a response yet.  “So, we need an exit strategy.  We need to latch on to opportunities where the employer has at least some implicit knowledge of our experience.”

Jane was the first to suggest a plan.  “My older brother went to work for the NSA after he left the Rangers.  And after two years there he had his pick of employers.  NSA will know what we’re about.”

Tyler liked that idea.  “Sounds pretty smart.  We all need to think about this.  This war might be over but it’s not like cyber warfare itself is going away.  And we’re not going away – in terms of our skills.  We need new homes.  And those new homes are going to need a new army of bots, so you might want to be selective in how you carry out your command I/O.”

The End

Cyber War – We Have Met the Enemy, and it is Us

19 Tuesday Jan 2010

Posted by in cyber war

Leave a comment

Tags

, ,

Tyler planned to spend the day in bed – Jane’s bed – playing her video games.  And he began the day like that but as his attention drifted to Jane’s concern about a possible inside attack, he logged into the Cyber Force’s VPN to research some ideas.  He couldn’t authenticate initially and then he remembered the computing policy in effect that mapped everyone’s home ISP IP address to their user credentials.  He ran into this issue when he was working from I/O’s house and recalled the network admin assigned him a temporary account without the restriction.  He tried that user account and it still worked.  Unbelievable!

Once on the network, Tyler did a telnet to a machine with some of his personal utilities.  This way he could run the utilities from within the Cyber Force data center network rather than over the wide area.  He booted up a wifi sniffer that searched the local area network for wireless access points.  He scrolled down the list it generated until he found one that clearly did not conform to the data center’s SSID naming convention as it had the default name of Linksys.  This suggested to him that perhaps the admin login was also default, and it was.  No user ID and the password was admin.  Brilliant.

Tyler then reviewed the DHCP log  which contained the MAC addresses that had been assigned IP addresses.  MAC addresses are 12 digit hexadecimal numbers in the format of MM:MM:MM:SS:SS:SS where the first 6 digits refer to the hardware manufacturer of the network adapter.  Tyler knew the Air Force was in bed with Cisco and most of the MAC addresses looked to be them – but he double checked against a list of vendors and they were all Cisco.  The Cyber Force were all on Apple computers and he didn’t see any of those vendor types, but then he spotted two MAC addresses that looked different.  He checked and sure enough these were from a Chinese manufacturer.  He cross checked against yet another list he had of known Chinese hackers and they matched that list in terms of the hardware vendor portion as well.

So now Tyler understood how the hackers got onto their network and were able to bypass network intrusion detection.  They were very likely sitting in the parking lot jacked into the Air Force unsecured WiFi.  Brilliant.  Talk about shooting yourself in the foot! Tyler called his Console Sergeant and advised him to search the parking lot.

Cyber War – Insider Threat

18 Monday Jan 2010

Posted by in cyber war

2 Comments

Tags

, , ,

Jane was dressing with her back to Tyler, first her panties and then her bra.  She attached the snap in front of herself and then twisted it around to the back and lifted the straps over her shoulders.  As she put on her uniform blouse, she turned towards Tyler and buttoned it top down.  She stepped into her uniform skirt and said, “Tyler, I have to talk to you on a personal subject.”

“As opposed to?”  Tyler remained in bed because he had a full 24 hours off – even though it was her bed in her apartment.

“Oh, well, last night was personal too.  And very nice, thank you.  But this is actually work related, only I need it to remain personal – between us.”  Jane was hesitant in her speech and Tyler thought she might completely drop the subject, but she persisted after a moment.  “I think the black ice against us the other day might have come from inside.  Or at least it had some inside help.”

“Well, it doesn’t hurt to think that while you research it.  I’m not sure of the current percentages, but I believe most cyber crime occurs with inside help.  And if not, it can appear that way because of the first inside hop.  This would be pretty serious Jane.  We’re not talking about employee revenge about not getting a raise.  Everyone I know is completely dedicated to their work, and the cause.”  Tyler found this less likely the more he talked.  “Jesus Jane, that drone pilot is brain dead!  And the entire Ethical Hack Unit had their homes either bombed or targeted for bombs!”

“I don’t suspect the Ethical Hack team.  I think it’s someone on SecIntel.  And that’s why I can’t talk to anyone about this.” Jane had her uniform jacket on now and stepped into her heels.  “I have to go, but can we talk later?  I need someone to search some things for me in case I’m being monitored.”

“Wow, you’ve already put some thought into this.  Yeah, sure.  We can use secure chat.  I pulled a jailbreak on a pair of Magic Jacks to create a secure tunnel across our secure chat app in the war room.  So secure chat from your mobile to mine via the Mobile Jacks.  That way you can avoid any keylogger on your desktop.  I’ll give you one of them at the start of your 2nd shift when I get in.  But before you go, can you tell me why you think it’s an insider?”

“Well, suddenly we have five vulnerabilities?  Us?  There doesn’t seem to be anything before that.  No corresponding logs tracing the ingress vector.  It doesn’t add up.”  Jane grabbed her keys, turned and left.

Cyber War – Ethical Hacking

17 Sunday Jan 2010

Posted by in cyber war

Leave a comment

Tags

, , , ,

Tyler was in his essence as he walked his Unit and Console Sergeant through his hack.  “The SecIntel from this new dashboard is much richer than we expected.  It includes the results of the Chinese vulnerability scans.  So we know the vulnerable IPs that North Korea will exploit.  We simply exploit them first and set our trap.  The beauty here is these targets won’t ever have their data exfiltrated because the first step of our hack – the code I’ve already developed – is to redirect the hacks to our virtual environment where we can control everything.  I’m calling this Project Quarantine.  Sergeant, please sign me up for a medal.”

The Console Sergeant didn’t have much patience for over-confident software developers.  “This is good work soldier, but let’s be clear.  There will not be any medals because Cyber Command not a legitimate member of the Armed Forces.  Remember in high school or college, where you have sanctioned sports teams like basketball and football?  And then you have some new sport trying to gain awareness, and they call it a club?  Well that’s us, we’re a club.  Our funding comes entirely from Google – a freakin corporation!  We ethically hack their foreign government adversaries to keep them out of the courtroom.  Which leads me to my point.  Google isn’t paying us to quarantine.  They want these hackers dead!  So Project Quarantine is a nice start but you better think of it more as a killing field.  Now get to work on some black ice!”

Cyber War – SecIntel

16 Saturday Jan 2010

Posted by in cyber war

Leave a comment

Tags

, , , , ,

Four days earlier, Tyler found it difficult to distinguish late evening from early morning in the darkness.  Now that he was sleeping on a cot in a makeshift bunk in the data center, he was completely divorced from the notion of days and nights.  Most of his interactions with measured time were in the realm of UTC or Coordinated Universal Time, oftentimes referred to by laymen as the less accurate Greenwich Mean Time (GMT).  Tyler was -5 GMT, or  minus 5 UTC, so when he looked at a data event from a sensor located somewhere in the world and that event’s time was tagged with 7:00 UTC – Tyler understood that to be 2:00 GMT in his local time zone – or 2am EST.  Tyler was sleeping 4 hour stretches in 20 hour intervals; the same as the 5 other cyber warriors of his unit though everyone was staggered by 4 hours making it possible to share a single cot.  Tyler left the cot a few minutes before the next sleeper arrived, used the restroom, and rejoined the others in the war room.  The time was Sunday, 1:00 UTC, locally Saturday 20:00 UTC, or 8pm EST.

SecIntel was briefing his unit on some new dashboards.  Jane was speaking.  Her masculine voice seriously negated the effect of her curves under that uniform.  “On this dashboard, you typically monitor the volume of high severity sensor events from suspect North Korean ISPs.  I understand ya’ll like to cull the command and control channels for source IPs to target.  We’ll we’ve tuned out some of the noise by correlating it with traffic from our honeypots in Taiwan.  The Chinese cyber warriors are known to obfuscate their source IPs by routing their attacks through multiple hops in Taiwan.  This is why we’ve established honeypots there.  We’re not any closer to tracking their sources but we have recognized a 6 hour window between increased reconnaissance traffic through these honeypots and a corresponding increased level of high severity attacks from North Korea.  By analyzing the recon activity we can guestimate the exploits.  This takes us an hour.  That gives you approximately 5 hours to set traps ahead of the attacks.  Instead of merely using this dashboard to cull a pool of IPs to begin tracking, you can now use it to set traps based on the exploit’s anticipated signature without needing to know the source IP ahead of time.  What do ya’ll think about that?”

Tyler felt like a bank robber seeing the vault door left open.  “Man, ya’ll are good.”