Archive for the ‘Computer Security’ Category

“Hackers” in the news

Monday, December 15th, 2008

Hackers have accessed Brazilian government computer systems and helped 107 companies obtain permits that enabled them to fell over £546million ($833m) worth of timber illegally.

In what has come as a shocking revelation, it appears that hi-tech hackers have played an instrumental role in the illegal deforestation of 1.7million cubic meters of the Amazon rain forest.

According to reports from environmental organization Greenpeace, the hackers were hired by at least 107 different companies to access and alter timber export records held by the Brazilian government. As a result, it’s estimated that an area of forest the size of 780 Olympic swimming pools has been cleared illegally.

Hacker used to mean someone who pushed technology to do unorthodox things, in the same way that explorer, adventurer, or woodsman meant someone who went beyond. Now, it means anyone who uses a computer illegally. The war to define this word is over and the good guys lost.

What this means for all of us is that we have to be aware that computer knowledge, including knowledge of computer security, is commonplace. You can run a powerful UNIX on your desktop computer, as well as many security-related utilities and password smashers. You can even do much of it from a Windows machine, with relatively little knowledge.

In fact, once you’ve mastered the basics of networking, SQL and variable injections, and buffer overflows, you have quite a bit of power. Equipment, operating systems and software are very similar, thanks to the standardization of UNIX and Windows, and the Web causing us all to use similar interfaces and set up networks similarly.

Almost every business needs a web site to serve data, offer clients login privileges, and then check it back in to an internal library that should be kept offline. But as anyone thinking rationally knows, machines that can connect to one another can be used to dominate one another.

For businesses, this is a wake-up call to make computer security part of their daily focus. I would argue that we also need to pay more attention to interface and the cleanliness of our configurations. Busy interfaces distract employees and make them lazy, and sloppy setups from the server room to the locations of files and the logicality of data storage cause people to ignore or miss potential problems.

To computer professionals, I’d say that if you think you’re good, you should realize you’re good in the legal realm as well. I wouldn’t feel well if I had killed acres of rain forest, even if the check was fat. Would you? Especially if you knew it was another 10% of work to get paid legally.

Realities of the security market

Friday, March 28th, 2008

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

“Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,” Frei said. “Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities is higher at Apple.”

Apple’s vaunted security originates in two pillars: the UNIX kernel of its operating system, which others coded and tested for 30 years before Apple touched it, and the relative scarcity of Macs. As that second pillar changes, so will the perception of Apple security, especially as we the consumers find that Apple has been relying on this perception to avoid fixing many of the bugs in not only its operating system but its software fundamentals.

In many ways, Apple has benefited from being smaller and receiving less public scrutiny, which gave it an advantage when competing with Microsoft. Now that these shields are stripped away, the criticism is mounting. This is the same dilemma that faced open source software developers who steadfastly refused to update some parts of their popular software. They were OK until they hit a tipping point, then suddenly, they faced a howling dervish of complaint.

Miller, best known as one of the researchers who first hacked Apple’s iPhone last year, didn’t take much time. Within 2 minutes, he directed the contest’s organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.

In a security contest, the Mac gets pwnt before the PC. However, this had to happen through a browser exploit. What this means is that the basics of both systems are fairly solid. It’s only since 1999 that most Americans have been using always-on connections, which caused the security crisis of botnets and trojan horses to become a serious game, and it’s only since 2004 or so that Microsoft has really faced that howling dervish. They’re starting to get it right.

As with many techno-memes, what people chatter about online is often wrong or gives a skewed view of the reality. People who attempt radical brand loyalty, especially to an underdog company, are damaging to the market because they deny basic facts and so allow them to go unfixed. Whether that company is Apple, Microsoft, or pizza-munching volunteer developers remains irrelevant.

Elephants in the computer security room

Wednesday, February 13th, 2008

The password pressure of modern life means that 61% of us use the same password wherever we can, according to a survey commissioned by digital communications agency @www. In fact, with more than one in 10 people having 50 or more separate online accounts to log into, many are not only using the same password for everything, but also writing all their passwords down in one handy place, such as the noticeboard in their office, a document on their desktop, or a Post-it note stuck to their computer.

The paradox of computer security is that we must consider the human element, which is that although security is a big concern, it’s something people expect to just work. We don’t expect our cars to blow up because we put a lot of effort into engineering them. Similarly, we expect security to “just work” with little investment by us.

However, it does require careful designing to make this happen. One part of careful design is accepting reality as it is. In the case of security, this is that users are forced to know at least a dozen passwords to do the minimum required for having an online presence. It’s no surprise that, after wasting a few hours finding lost passwords with the kind of barely functional features available on most websites, they start using the same password everywhere. I bet the number’s higher than 61%.

As we approach Web3.0 being christened, one idea that’s essential is some digital equivalent of Real ID. I think it should be based on an online identity, not a real-world one, so people can stay hidden if they prefer. It should be relatively centralized, and have an identity that other sites can then associate with internal records. But let’s stop ignoring the elephant, which is that when you require users to have dozens of passwords, they’ll use the same one in multiple places, and eventually this will lead to compromised systems.

“A compromised [multifunction printer] is dangerous for a number of reasons. First and foremost, no one in the enterprise pays attention to them. That lack of visibility makes for a very attractive attack platform,” said Brendan O’Connor, a researcher who was among the first to call attention to the printer security risk during a Black Hat talk in 2006.

In Hollywood schlockbusters like Live Free or Die Hard, Hackers and Mission Impossible, hackers decide to bust into a major site, so they go attack the mainframe by smashing through routers, firewalls and impossible looking security screens with holographic cryptograms. In real life, hackers work like reporters researching a story. They nibble around the edges, then ask the right questions, then finally stage the big confrontation.

First, you gain entry to a site. Often this is by calling someone up and claiming you’re security and you need their password, or by snooping wi-fi networks for someone who might be using the same password on Yahoo! mail as on his corporate network. Then you get into the network, often through a printer or some simplistic trojan you mail to a secretary. Finally, you start by compromising machines around your actual target, so you can hide your traces and fake validation credentials. For the really big hack, the target should never know it was hacked if you’re good, because to it what happened was a normal transaction. Its infrastructure — the hacked network — can be all you need.

So much for the big screen. These common security annoyances are a bigger threat than the media fearmongering. Hacking is a task like any other, and it rewards research and diligence more than the ability to type cryptic commands quickly.

Businesses inviting trouble on the internet

Monday, January 28th, 2008

Maybe you’ve had the following happen.

Your bank sends you a monthly statement with your full name, including middle initial, visible through the cellophane window.

At your local food club, they hand you a brochure about their internet site, and then say you’ll get your password in an email. If you’re like most people, you then expect them to send other information through email.

If you go to a pay phone, put a handkerchief over it, and phone your recruiter, you can tell them you’re 7-11 and you’re hiring programmers, ask “Can you get some background on your-name-here?”, and get actual information, including an address.

A friend once told me that the problem with humanity is a technological society in which we still have stone-age minds. I think he was being cynical, but the point is that we’re overwhelmed with data.

Businesses shouldn’t expect us to learn a new process for each business. Yes, it’s the bank but we have fifty or so businesses equally important to our daily existence. If each one has its own username, password, web site, and worse, procedure and separate security rules, we don’t have a chance of remembering it.

And if we do, we’ll be losing out on other more interesting things to do with our time.

Businesses need to wake up to the new reality. People are busy and overloaded. They need to make their web interfaces standard, secure, and moron-simple, because even if we’re not morons we’re probably on the phone, thinking about something happening at work, and consoling a bored child as we use that ATM.

If you want people not to get hacked, phished, and ID-thieved, you need to hide their data. You need to standardize your process. You need to test every script on your website for overflows, injections, and cross-context variables. You also need to test the browser technologies that can hijack people’s data.

But most of all, you need to communicate about security, because only when people are aware of the process and know all of its steps can they spot something that’s out of line.

Black Hat Hacking is opportunism

Monday, January 7th, 2008

Litchfield took a look at just over 1 million randomly generated Internet Protocol [IP] addresses, checking them to see if he could access them on the IP ports reserved for Microsoft SQL Server or Oracle’s database.

He found 157 SQL servers and 53 Oracle servers. Litchfield then relied on known estimates of the number of systems on the Internet to arrive at his conclusion: “There are approximately 368,000 Microsoft SQL Servers… and about 124,000 Oracle database servers directly accessible on the Internet,” he wrote in his report, due to be made public next week.
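The proportion behind those figures, as an added example that is not code from the post or from Litchfield’s report: scaling a random-address sample up to an Internet-wide count, recovering the population size the report must have scaled by, and attaching the sampling error that so few hits carry. The uniform-sampling assumption and the Poisson error model are assumptions of this example, not statements from the report.

```python
"""Scale a random-IP sample up to an Internet-wide count.

Added example, not code from the post or from Litchfield's report. It
reproduces the arithmetic behind the quoted figures and attaches a rough
uncertainty band. Assumed: addresses were drawn uniformly from one fixed
population, and hits are rare enough that a Poisson error model applies.
"""
import math

# Figures taken from the quoted excerpt above.
SAMPLE_SIZE = 1_000_000
MSSQL_HITS, MSSQL_REPORTED = 157, 368_000
ORACLE_HITS, ORACLE_REPORTED = 53, 124_000


def implied_population(hits: int, sample: int, reported_total: int) -> float:
    """Population size N for which hits/sample * N equals the reported total.

    This recovers the address count the report must have scaled by.
    """
    return reported_total * sample / hits


def extrapolate(hits: int, sample: int, population: float) -> dict:
    """Point estimate and ~95% interval for the population count.

    With only a few hundred hits the count itself is the noisy quantity:
    stderr ~ sqrt(hits), so the relative error is about 1.96 / sqrt(hits).
    """
    point = hits / sample * population
    rel_err = 1.96 / math.sqrt(hits)
    return {
        "point": point,
        "low": point * (1 - rel_err),
        "high": point * (1 + rel_err),
        "relative_error": rel_err,
    }


def consistency_check() -> dict:
    """Both reported totals should imply roughly the same population size."""
    n_mssql = implied_population(MSSQL_HITS, SAMPLE_SIZE, MSSQL_REPORTED)
    n_oracle = implied_population(ORACLE_HITS, SAMPLE_SIZE, ORACLE_REPORTED)
    return {
        "mssql": n_mssql,
        "oracle": n_oracle,
        "agree_within_1pct": abs(n_mssql - n_oracle) / n_mssql < 0.01,
    }


if __name__ == "__main__":
    check = consistency_check()
    print(f"implied population: {check['mssql']:.3e} (MS SQL) "
          f"vs {check['oracle']:.3e} (Oracle)")
    for name, hits in (("MS SQL", MSSQL_HITS), ("Oracle", ORACLE_HITS)):
        est = extrapolate(hits, SAMPLE_SIZE, check["mssql"])
        print(f"{name}: {est['point']:,.0f} "
              f"({est['low']:,.0f} to {est['high']:,.0f}, "
              f"+/-{est['relative_error']:.0%})")
```

Both quoted totals scale by the same population of roughly 2.34 billion addresses, which is what makes the two figures mutually consistent; the 53-hit Oracle count, however, carries an error band of more than a quarter of its value.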

In Hollywood, hackers are people motivated by profit to ensnare others through ninja kung-fu style computer trickery that involves lots of fast and furious typing, as if it were military hardware in use through a virtual space that resembles the organic symbolic chaos of a dream more than the related structures of a machine. The machine may appear as chaos to us, but what defines a hacker is being able to decipher that chaos and so manipulate mechanisms behind the scene where others cannot see. It is as if life is a giant stage-piece, and the rest of us are crawling around on the painted skin, but a hacker can get inside and twist the wicker skeleton to create “magic” the rest of us can barely understand.

The movie vision often differs from what you’ll find in your life. Real hacking will probably never sell books or movies, because it’s much more studious and also more boring than that view. Hacking is understanding the machine, and how it functions, entirely independent from what it looks like it is doing. Magicians are visual illusion hackers. Cooks are kitchen chemistry hackers. Psychologists are brain structure hackers. Martial artists are kinetic simian motion hackers. Artists are emotional symbolism hackers.

When the media says hackers, they mean black hat hackers with financial motivation, which usually means other roving digital criminals or no questions asked code warriors for hire.

Moore said what made the hacking job so easy was that 70% of all the companies he scanned were insecure, and 45% to 50% of VoIP providers were insecure. The biggest insecurity? Default passwords.

“I’d say 85% of them were misconfigured routers. They had the default passwords on them,” said Moore. “You would not believe the number of routers that had ‘admin’ or ‘Cisco0’ as passwords on them.

After having seen computer crime up close, and investigated instances of it that came out of the blue as far as the users were concerned, I have a different view of this situation than most. I don’t believe black hat hackers are illegal. Like spammers, they are people who choose to live outside of normal life, and they are looking for easy opportunities in almost all cases.

The exceptions are the rare hacks where a specific target is the reason for hire, and the hacker isn’t a free agent as much as a black economy contractor, sort of a digital Blackwater.

Spammers make their money by mailing ten million people with penis enlargement scams so that ten guys in Los Angeles write back with stubby sweaty fingers and get their oblong placebos. Hackers make money by prowling for information people want, which is either monetary information or information that can be monetized like corporate and government secrets.

This means that as long as targets are plentiful, you can harden your business enough to make it a second-tier target, and escape the worst of the mess. This is one fundamental rule of security I have always tried to impart. There is a pyramid of opportunism, with the guys at top having the fewest hacks because they’ve made it the hardest, and the guys at bottom getting hacked frequently because they do what everyone else does, which is mediocre.

Seventy-five per cent of companies listed human error as the leading cause of security failures such as breakdowns and systems outages. Forty-eight per cent also cited operations and technology lapses as key causes of security failures. Problems resulting from third parties such as contractors and business partners, meanwhile, received 28 per cent of the votes as a root cause of security failures.

Misbehaving employees also figure prominently in IT fears: Ninety-one percent of respondents say the risk of employee misconduct related to information systems worries them.

While there are security experts who will tell you to always update your patches and run a firewall, I think security advice is like dieting: you can’t escape the basics. These are:

  • Reduce. Remove extra services, sequester networks into subnets, remove machines and dead accounts, give out few real privileges because the user doesn’t need them.
  • Obscure. You don’t want to publish any information that can help an attacker, so be purposefully vague about your facilities and procedures in public information.
  • Verify. Verify people, not roles. Make sure your employees know who is on the other end of the phone, and that it’s always OK to take a few minutes to figure out who it is and whether they really should have this information.
  • Harden. Make your systems overkill to prevent brute-forcing, ensure that your software can handle sudden loads, and put in steel doors of virtual and physical types.
  • Refresh. If passwords haven’t changed in a while, now is a good time. If you haven’t prowled the network looking for little changes that could have a big impact, start now. Consider regular fuzz testing of your software, unleashing nmap and other tools on your network, just to see how inviting you look to a hacker looking for the easy score.
  • Interface. Most hacks happen with the help of the “human layer.” Educate your employees. Design your security procedures so they don’t encourage manic writing of passwords on sticky notes in publicly viewable areas. Give your users a break, simplify their procedures, and they’ll follow them more, even if they’re not as secure as possible.

I know this list isn’t what you get from other sources. They will tell you technological ways to make your company 100% safe, but those ways rely on software and hardware having no active exploits, which is never the case. Expect parts of your security to fail. If you have a generally healthy policy, and people who are aware of the importance of security, you’ll be better off than trying to build a bulletproof fortress.

Incompetence, not hackers, threatens technology

Wednesday, September 12th, 2007

Everybody knows hackers are the biggest threat to computer networks, except that it ain’t necessarily so.

Yes, hackers are still out there, and not just teenagers: malicious insiders, political activists, mobsters and even government agents all routinely test public and private computer networks and occasionally disrupt services. But experts say that some of the most serious, even potentially devastating, problems with networks arise from sources with no malevolent component.

Whether it’s the Los Angeles customs fiasco or the unpredictable network cascade that brought the global Skype telephone service down for two days in August, problems arising from flawed systems, increasingly complex networks and even technology headaches from corporate mergers can make computer systems less reliable. Meanwhile, society as a whole is growing ever more dependent on computers and computer networks, as automated controls become the norm for air traffic, pipelines, dams, the electrical grid and more.

Our computer systems mirror our minds in that they have a lot of power, but are disorganized and undisciplined, and as a result they fail frequently at the worst times. It’s easy to rant against Microsoft and assume Linux is better, or claim that you prefer Apple hardware to HP, but these are really degrees of the same great fat incompetence. There are a few people out there who will do things correctly, but they are rarely recognized because few people recognize how dysfunctional our technology is until it blows up and strands people for 17 hours in an airport.