September 18, 2016

Welcome to the dark net - real life thriller

Some excerpts

Image result for the dark net

Opsec is a fast talker when he’s onto a subject. His mind seems to race most of the time. Currently he is designing an autonomous system for detecting network attacks and taking action in response. The system is based on machine learning and artificial intelligence. In a typical burst of words, he said, “But the automation itself might be hacked. Is the A.I. being gamed? Are you teaching the computer, or is it learning on its own? If it’s learning on its own, it can be gamed. If you are teaching it, then how clean is your data set? Are you pulling it off a network that has already been compromised? Because if I’m an attacker and I’m coming in against an A.I.-defended system, if I can get into the baseline and insert attacker traffic into the learning phase, then the computer begins to think that those things are normal and accepted. I’m teaching a robot that ‘It’s O.K.! I’m not really an attacker, even though I’m carrying an AK-47 and firing on the troops.’ And what happens when a machine becomes so smart it decides to betray you and switch sides?”


When Opsec got to the campus, the details filled in. The system administrator—a friend of his—had been going through event logs of the previous week. Event logs are lines on a screen showing summaries of each new task given to a computer network, with a time stamp and a green or red dot indicating success or failure. Seeing a red dot, the administrator had zoomed in for more information. The failed task turned out to be an attempt from within the Company to deploy a piece of software companywide. Deployment of software throughout the entire network did sometimes occur—for instance, to install updates—but it was rare, and sufficiently important that the sender did not often make a mistake. In this case, the sender had omitted a single letter in the domain name to which the job was addressed—hence the failure. The associated software package was unlike anything the system administrator had seen before. He alerted the operations manager.


Here was the situation Opsec faced. The package no longer mattered, but the hack most certainly did. Someone had emerged from the Internet, slithered into the Company’s heart, and then disappeared. The specific vulnerability the attacker had exploited was still unknown, and was likely to be used again: he had established a back door, a way in. Some back doors are permanent, but most are short-lived. Possibly this one was already for sale on the black markets that exist for such information in obscure recesses of the Internet. Until Opsec could find and lock it, the back door constituted a serious threat. Opsec reviewed the basics with the Company’s managers. He said, Look, we’re in the Internet business. We know we’re going to get hacked. We have to assume, always, that our network is already owned. It is important to go slowly and stay calm. We will soon know how and when to lock the door. We will have to decide later if we should do more.

To me he said, “Also, relax. In the long run, the chance of survival always drops to zero anyway.” He did not say this to his client. It was not an insight the Company would have valued at the time. Even in the short run, as it turned out, the news would be alarming enough.


They knew exactly where they were going. First, using “bounce points” within the network to further obscure their presence, they went after the central domain controller, where they acquired their own administrative account, effectively compromising 100 million user names and passwords and gaining the ability to push software packages throughout the network. Second, and more important, the Chinese headed into the network’s “build” system, a part of the network where software changes are compiled and then uploaded to a content-distribution network for the downloading of updates to customers. In that position they acquired the ability to bundle their own software packages and insert them into the regular flow, potentially reaching 70 million personal computers or more. But, for the moment, they did none of that. Instead they installed three empty callback Trojans on three separate network computers and left them standing there to await future instructions. Opsec and his team concluded that the purpose was to lay the groundwork for the rapid construction of a giant botnet.

The botnet it could have created would have been huge. If the Chinese had breached other large Internet companies via the same payment-center route—and it seemed likely they had—the combined effect would have been the creation of by far the largest botnet ever seen, an Internet robot consisting of perhaps 200 million computers, all controlled by one small Chinese hacking team. Opsec had stumbled onto a very big thing. And its lack of use was the key. The only possible purpose, Opsec concluded, was that of a sleeper cell, lying in wait as a pre-positioned asset to be used as a last resort, like a nuclear weapon, in the event of an all-out cyber-war. The world certainly seems to be moving in that direction.



No comments:

Post a Comment