Out Of The Dark – Snippet 14
A human hacker would have called it a “man-in-the-middle” attack. Base Commander Shairez’s carefully built remote was deposited on the roof of a coffee house in downtown Tehran. Despite the Iranian régime’s paranoia and perpetual state of heightened military alert, slipping the remote through its airspace defenses was child’s play for the Shongairi. Concealing it once it was down wasn’t a lot more difficult, either, since it was little larger than a baseball. The heavily stealthed, unmanned platform which deposited it found a convenient location, hidden in the shadow of an air-conditioning compressor, then departed through the moonless night air as swiftly and unobtrusively as it had arrived.
The location had been selected in advance after a previous platform’s incursion had “driven around” at high altitude listening for a suitable portal through which to enter the local WiFi system. The 802.11 standard wireless connection of the coffeeshop which had been chosen offered broad frequency wireless connections to interact with potential victims. Even better, it was completely unprotected, without even the standard WAP’s 64-hexadecimal key. It wouldn’t have mattered very much if it had been protected — despite the remote’s small size, its processing power would have sufficed to break even a substantially more challenging key with a brute force approach — but it was convenient.
Now the remote inserted itself into the coffeeshop’s network and attempted to access the router. In this case, it was a common retail Linksys SOHO, and the coffeeshop’s owner had never bothered to replace the default password. The remote got in easily and looked around, checking carefully for intrusion detection systems. There was no sign of one, and it quickly established access and began modifying settings.
The first thing it did was to change the password and wipe out any logs which might have been recorded on the router. Then it modified the gateway — making the router send the traffic of any coffeeshop users through itself. Once it was able to view all the unencrypted traffic of all users of the coffeeshop’s connections, it began monitoring and recording. For two days, that was all it did — listen, record, and compress, then retransmit daily dumps of all communications in and out of the coffee shop to the stealthed Shongair ship which had deployed it.
His name was Rasul Teymourtash, and he was a taxi driver. In a nation where political activism had become a dangerous, high-stakes game, Rasul was about as apolitical as a man could get. He went to mosque on Friday, accepted the five principles of the Usul al-Din, performed the ten duties of the Furu al-Din, and concentrated on keeping himself and his family fed. One of his brothers had been arrested, savagely beaten, and sentenced to fifteen years in prison last year for alleged activity in the outlawed Green Movement. Another had simply disappeared some months before that, which might have been one of the reasons for Rasul’s tendency to emulate an ostrich where politics were concerned.
He was also, however, a patron of the coffee house Shairez had chosen as her entry point into the Internet. On this particular day, Rasul dropped by the coffee house and connected his laptop to its router… by way of the Shongair remote. He browsed, he checked his e-mail, and then he decided to download an MP3 music file.
The authorities would not have approved of his choice of music, since Lady Gaga was not high on the list of acceptable musicians. She was, admittedly, rather longer in the tooth than once she had been, and she’d undoubtedly mellowed somewhat over the years, but no one could have mellowed enough — not from her original starting point! — to satisfy Iran’s leaders. Rasul was well aware of that, of course, yet he also knew he was scarcely alone in pushing that particular set of limits.
What he was unaware of, however, was that the Shongair cyber techs aboard Shairez’s starship had made good use of all the data their remote had transmitted to them. Which was why, along with his music video, Rasul had installed and run a Trojan Horse.
The virus turned his laptop into a slaved “bot” — the first of many — which began searching for computers to attack in the United States. Another Trojan, in a second laptop, launched a similar search against computers in the Russian Federation. Another began spying on China, and others reached out to Europe, Israel, and India.
By the end of the day, over six hundred Iranian bots were obediently working the problem of the United States, alone, and as they reached out to still more computers, their numbers continued to grow. They made no move (yet) against their primary targets. Instead, they started with e-commerce sites, looking for vulnerabilities they could exploit in order to worm their way up to the systems in which they were truly interested. They concentrated on the people who used the machines rather than the machines themselves, searching for weak passwords — capitalizing on the fact that human beings may have many online needs but tend to use the limited number of passwords their merely organic memories can keep track of. They were particularly interested in members of the United States military, and with so many industrious little bots looking, they were bound to find something.
The first opening was an Air Force E-6, a technical sergeant stationed at Nellis Air Force Base in Nevada. Technical Sergeant James was an Airsoft enthusiast who had decided to order a GR25 SPR — a BB-firing electric version of the M25 sniper rifle.
He placed his order online, through a Website using a 1024 bit SSL/TLS key, a secure socket layer impossible for current human technology to defeat. In fact, even Shongair technology would have found it a challenge, but the bots had never been looking at breaking its encryption in the first place. They’d been looking for human mistakes, vulnerabilities, and they’d found one in the form of a default script left in place when the system was set up. Once through that open door, they were able to access the site’s data, looking specifically for military users like Technical Sergeant James. And in that data, they found James’ e-mail address and the password he’d used in placing his order… which, unfortunately, was also the password he used when accessing the Air Force’s logistical tracking system. Which, in turn, offered access to even more data and even more sensitive systems.
It took time, of course. Sergeant James was only one of many gaps the steadily growing army of automated intruders managed to turn up. But computers are patient. They don’t care how long an assignment takes, and they don’t get bored. They simply keep grinding steadily away at the problem… and they also don’t care who they are grinding away for.
And so, just under a week after Rasul had downloaded Lady Gaga, Ground Base Commander Shairez found the access points she needed.
ROFL. Today’s XKCD talks about this exact approach: http://www.xkcd.com/792/ Interesting coincidence.
Oh, and with a man in the middle attack they have no need for a SSL break. Interesting though that they would find it difficult to crack a 1024 bit SSL. Sounds like their computer technology is no more than a couple of decades ahead of ours, since 768 is down, and the theory is that 1024 should be brute-forced within the next 10 years. And obviously they don’t have a better method for factoring.
Yep, he’s right. Doesn’t matter how good the encryption is: if the stupid organic systems have passwords written down or remembered by the computer, then you have a security breach waiting to happen.
A place I was at had passwords for the system written down on a sticker pasted to the top of the screen.
Actually, if anyone who can physically access the computer is supposed to be able to use it that’s not *so* bad (although it’s still not good of course). At least nobody can remotely access a written note. Somebody who wasn’t supposed to be able to use the system would have to actually physically access it at least.
It seems to me that a highly advanced, *alien* cyber-attack would be much more likely to succeed using a brute-force technique than it would with social engineering attacks. Social engineering attacks human nature rather than the computer. I would think that a bunch of aliens would be a lot more comfortable with the computer side of things than the human nature side of things.
And in an amazing coincidence, today’s XKCD (http://xkcd.com/792/) is about (the dangers of) password reuse.
Nice, but from my recollection of Teheran I think the coffee shop would be better as a tea shop (chaikhane). Of course culture may have moved on since 1979. ‘Downtown Teheran’ would be south and central Teheran, round the University or further south where taxi drivers would be likely to live, and not the posh north where coffee would be drunk by westernised locals.
Old western proverb “Ain’t no horse that can’t be rode; ain’t no rider that can’t be throwed”. In military terms any armor can be pierced with the right weapon, and any weapon can be blocked with the right armor. In cyber terms there is no such thing as an uncrackable system, but also there is no hacker who can get into everything.
I remember in an emergency having to access my PA’s computer while she was en route to work. No drama, but she wondered how I knew her password. Easy, as she doted on her daughter and often talked about her.
Let’s not forget that the attack – the bots at least – are being carried out primarily with human made software. The only Shongairi tech being used in the hack is the remote on the Tehran coffeehouse.
Although I have to wonder if the NSA is picking up on the spread of these bots. Internet monitoring is one of the things they do after all.
The hardware is human, but I had the impression that the trojan was designed up there.
It appears that the attackers are being very conservative in their trojan implantation, namely they are seemingly not using their virus to spread copies of itself. They are just using the customers of one coffeehouse.
And this is a chapter ending, or something interesting about to happen, because it is a bit short.
The chapter has ended but we’ll see the “something interesting” in the next chapter.
Basically this sounds like a standard elevation of privilege attack. This is possible (although difficult) to do if you have the OS in question and its apps so that you can put things under a debugger and analyze them. Without that it is extremely difficult to find a hole in the system – for example in remote scenarios. And I think it is virtually impossible to do this without the distributed network system detecting a problem and suspending the account.
Basically it seems that the aliens are script kiddies. They have advanced tools but all of them are running on automatic. I wonder if the resulting Trojan code is interesting. Also, it is never explained how said Trojan was developed in the first place – although with direct access to a representative system (a copy of Windows 8 considering the time frame) it is certainly doable.
This is a very pedestrian avenue of attack, one that is most likely being used right this minute to try to hack various institutions. Probably by Iran, China, Russia, and half a dozen other intelligence agencies working against each other. Being perpetrated by a tiny bot network – 600 is minuscule, considering that an average bot network numbers in the hundreds of thousands.
I can’t believe that anything significant can be achieved by such a low tech approach. And there are well known and widely implemented methods for solving this problem. For example through the use of physical rotating keys (a la the Digipass authenticator being used by World of Warcraft) or basic smart cards (which is what most modern commercial companies use).
I.e., this is an attack that would fail if tried against a game company. And we are supposed to believe that it would succeed against the Pentagon? At very best the aliens would now be able to read some flunky’s Exchange e-mail account, complete with all the penis enlargement spam. So far I am not impressed. :-P
All the really important stuff at the “Puzzle Palace” is kept on “stand alone” workstations with data/file transfer by “hard” media. Makes it more difficult to hack and the real problem becomes control of the “hard” media and HUMINT security.
Drak B: None of this computer infiltration was in the original short story; the aliens just attacked. Will the computer element have a bearing on how the story goes? Will the ending be substantially the same?
Summertime, the ending will be basically the same.
Just a note on the up-to-date status of Government computers.
About 5 years ago a Federal government worker I was consulting with a question (nice, pleasant lady, very helpful) had to reboot her computer. As I watched it I realized she had a 286 running DOS 5.x!
And we’ve all heard about the age of many Air Traffic Control computers in the USA (late 60’s), right?
Government cuts corners in the weirdest places sometimes, probably the “nobody gets to cut a ribbon over a repaired pothole” effect. :)
@11 Elim, about 12 years ago, for a period of about 3 years, I was reviewing GAO audits of government computer systems as they transitioned through Y2K. Your point that the alien attack would not succeed against a game company is well taken, but my impression of government computer security (aside from military computers, which were classified and therefore not something I was reviewing) is that our Federal government has devised very clever ways to spend millions of dollars on systems that either fail to accomplish the job or accomplish the job but leave gaping security holes all over the place. Okay, so the Shongairi won’t gain access to the latest secrets from the World of Warcraft, but they might gain access to everyone’s social security number, credit card information, and tax records. Think what they could do with that!
Hmm… the Shongairi are after military secrets. While their Iranian connection might get them routine maintenance reports of units in garrison (maybe), most of the really sensitive military stuff would be (or SHOULD be at any rate) on an entirely separate network that’s physically isolated from the commercial Internet. Unless this Trojan can work via sneakernet (i.e., through hand held memory storage units that have to be moved physically between classified and unclassified systems), which is doubtful, getting any real military secrets is extremely unlikely.
Of course, there’s also the human factor, so some idiot MIGHT hook a classified system directly to the commercial network.
No way. I work w/ SIPRNET and we can’t even use any download devices, such as thumb drives. The system is separate from the unclassified networks, which by the way are not all interfaced or integrated between or even within the services, much less the government departments. You can’t access the secure network from the unsecure network (at least in the Army), much less from a commercial network. But like I said, there are command and control networks at higher levels of security than the secure net, and the really classified stuff is isolated from the networks for the very reason that you can’t hack a computer through a network that doesn’t have a network. I think that getting into the secure networks would require access through a workstation, or you would have to infiltrate the network through inserting a file as a “piggy back” through the transmission hardware (wireless or wired), but most secure networks are on EMP hardened land lines. And the security systems should notice the change in received data versus transmitted data. I’m pretty sure the other NATO countries are pretty much the same; probably China, Russia and India have equivalent systems. As it is though, breaking into Jane’s Defense network would give them a lot of organizational, doctrinal, order of battle and technical data all by itself.
I have installed computer systems ranging from PC based “workstations” all the way up to mini supercomputers in classified military installations for the US Army, Navy and Air Force. This attack would not have worked on ANY of the systems that I worked on and that was quite a few years ago. Ten years from now? Twenty? No way.