“If you don’t hack your systems, someone else will.” The latest data breach statistics (IBM / Verizon / OSFDB) prove the conventional wisdom is still valid. The AT&T “hacking” case of Andrew “Weev” Auernheimer made me revisit my 2007 views on hacking and responsible disclosure, especially in light of the changes in the field since my article was published.
Weev’s case forces one to try to reconcile contradictory views: on one hand, the greater good was served because AT&T fixed a hole that easily exposed much sensitive personal information of their iPad users. On the other hand, after inspection of his code on Git, there is no reason to think it’s not a case of parameter tampering and clearly illegal.
In the broader picture, society needs people who can and are willing to expose information security issues that clearly hurt individuals (or groups of people) either physically or in regards to their privacy. We need a way to give people who have the technical prowess the ability to legally search and report what they find thereby improving and strengthening society.
With the disclosure that Nation-States continuously hack computer infrastructures and the development of industry bug bounty programs offered by Facebook, Microsoft and Google it seems to me it’s time — and society is ready — to legalize hacking. Legalization does not mean we should give just anyone free reign to research another’s online infrastructure property. While I’m not looking to lay out an entire program in this short op-ed, I image such a program would be similar to Facebook’s bug bounty program: the researcher would most likely be required to register (or create a test account) and be looking for specific types of vulnerabilities in order to legitimately engage in the activity. Companies and government entities would be required to have procedures for receiving and fixing reported vulnerabilities disclosed to them through the “hacking” channel in a timely fashion.
“If you don’t hack your systems, someone else will.” That “someone else” already has, now we must. Legalize hacking now!
A logical alternative theory of who targeted Iran:
In 2008, China decided to assist the IAEA inspectors after it learned that Iran was in possession of blueprints to shape uranium metal into warheads, according to this article in The Telegraph. That same article discloses that Chinese designs for centerfuges were discovered in Iran, supplied via Pakistan’s AQ Khan.
On April 13, 2010, Beijing reiterated its opposition to Iran’s goal to develop nuclear weapons capabilities while stating that sanctions against Iran would be counter-productive. In other words, the PRC wanted to support its third largest supplier of oil (after Saudi Arabia and Angola) while at the same time seeking ways to get Iran to stop its uranium fuel enrichment program. What better way to accomplish that goal than by covertly creating a virus that will sabotage Natanz’ centerfuges in a way that simulates mechanical failure while overtly supporting the Iranian government by opposing sanctions pushed by the U.S. It’s both simple and elegant.
Bottom line: we’ll never know unless someone comes forward.
The New York Times ran a story on how China is under constant security attacks and how vulnerable their infrastructure may be:
Despite China’s robust technological abilities, its cyber defenses are almost certainly more porous than those of the United States, American experts say. To cite one glaring example, even Chinese government computers are frequently equipped with pirated software from Microsoft, they say. That means many users miss out on security upgrades, available to paying users, that fix security breaches exploited by hackers. (emphasis mine)
100% WRONG: Paul Cooke from Microsoft states on the Windows Security Blog:
There seems to be a myth that Microsoft limits security updates to genuine Windows users.
Let me be clear: all security updates go to all users.
Not only do all security updates go to all users’ systems, but non-genuine Windows systems are able to install service packs, update rollups, and important reliability and application compatibility updates. In addition, the users of non-genuine Windows systems can also upgrade a lot of the other software on their computer.
Given my experiences in South Korea/Asia, this porousness is more likely due to a lack of policy, a lack of enforcement of existing policy and a non-priority given to information security than to pirated Windows software. Non-uniform policies and application of security resources as well as little respect and lack of eduction by those under the infosec policies are also primary factors. Most infosec professionals in the US experience something akin to the following at one point or another:
Deep inside a Chinese military engineering institute in September 2008, a researcher took a break from his duties and decided — against official policy — to check his private e-mail messages. Among the new arrivals was an electronic holiday greeting card that purported to be from a state defense office.
The researcher clicked on the card to open it. Within minutes, secretly implanted computer code enabled an unnamed foreign intelligence agency to tap into the databases of the institute in the city of Luoyang in central China and spirit away top-secret information on Chinese submarines.
It’s just not a unique Chinese situation.
According to the NY Daily News:
The Chinese government tapped sixty mothers to form a “Mom jury” tasked with surfing the Web for porn sites that are deemed indecent for young Internet users
In a nod to the Cold War, Mother China is the new Mother Russia.
According to the Wall Street Journal.
Officials at the National Security Agency have been working with Google Inc. to investigate the cyber attacks that Google announced publicly last month, according to people familiar with the investigation.
A Google spokeswoman declined to comment. NSA didn’t immediately respond to requests for comment.
The January 25, 2010 issue of Newsweek had the following quote that supports the thesis that the Google/China attack is not an isolated attack but a refection of a mindset as I mentioned in my bloginfosec essay.
At the same time, China has been busily developing the world’s most elaborate apparatus devoted to cyber-spying and cyberattacks. Chinese hacking has ramped up over the past few years, directed not only at human-rights organizations, but, importantly, at foreign businesses and governments. Many, if not most, such attacks originate from China; former National Security Agency director William Studeman has called them the “biggest single problem” facing the U.S. national-security establishment. (link here)
I’ve seen hacking attempts from China since mid-2001 so this really isn’t anything new. What’s important to understand is that it’s State sponsored and considered acceptable in Chinese culture. If you’re conducting business in China you’re information security criteria should most likely be more strict than in the US.
[PS – Sign-up for my newsletter, punk!]