Book Read Free

Operation Desolation

Page 1

by Mark Russinovich




  Contents

  Begin Reading

  Preview: Trojan Horse

  About the Author

  Digital Security News

  Cyber Threats More Serious than Terrorism

  By Wilson X. Heller

  FBI Deputy Director Walter Chase argued Friday that cyber-security attacks will soon be a greater threat than terrorism. “Though terrorism remains the FBI’s top priority, it is now apparent that cyber threats will soon pose the primary menace to our national security,” Chase said in a speech before the American Cyber-Security Conference.

  As a result, he added that the FBI “is taking lessons it has learned from fighting traditional terrorism and applying them to cyber-crime.” The FBI agents specializing in cyber-attacks will have the most “sweeping skill set in the bureau.” He urged attendees to consider a career with the FBI.

  At the desk in his San Diego hotel room, Jeff Aiken stared at his computer screen. He had fifty-five minutes. CyberCon was being held just around the corner, not five minutes away. He’d started this current project from his home office in Georgetown, D.C., and brought it to an initial point of conclusion. On the cross-country flight, he’d expanded his work and now was busy completing another fix. For some weeks his client, RegSec, had been threatened by the hacktivist group Anonymous. “Justice will be swift!” had read one posting. “Prepare to be extinguished!!!” read another. Anonymous had even named their attack “Operation Desolation”. Given their track, RegSec’s management had every reason to be concerned.

  RegSec, a major investment group and bank, was in the news, having just been cleared by a federal court for its part in the financial meltdown. Through their vast offshore holdings RegSec had been short-selling derivatives under suspect circumstances in the months leading up to the financial collapse. The Court of Appeals had reversed the earlier adverse verdict, ruling that the offshore entities were sufficiently independent of corporate control as to not violate United States law. There was no doubt that RegSec had engaged in unethical and contemptible conduct, amassing billions at the expense of hapless homeowners lured into overpriced houses, but legally—technically—the company had broken no law.

  The flamboyant founder and principal owner of RegSec, Reginald Hinton, had celebrated the victory in typical style by flying a bevy of Las Vegas showgirls to his private Bahamas island for a party and making a series of off-the-cuff media statements.

  That was when Anonymous had announced its cyberattack. Anonymous was the name given to an Internet meme that originated online in 2003. The concept was for a multitude of committed hackers to act simultaneously to form a vast anarchic, digitized, global brain trust, which would crush targets. Though primarily concerned with antidigital piracy laws, Anonymous had evolved into a broader based, international organization, if the word even applied to such a disparate group.

  They’d been roundly criticized in the mainstream media, called “hackers on steroids” and even “domestic terrorists.” Unfazed and undaunted, they’d continued their assaults on select targets. Because of its aggressiveness and notoriety, Anonymous was the epitome of hacktivism, which was the general theme of this CyberCon. Jeff was going to make a presentation later in the afternoon at the conference, but a good friend from his days with the CIA was appearing in a panel discussion in—he glanced at his wristwatch again—forty-nine minutes, and if rumor was true, even Anonymous itself planned to take part in it.

  Comprised primarily of teenagers, though with a number of gifted adult hackers, Anonymous lacked any central control. Proposed targets were posted online and if a sufficient number of hackers in sympathy with the operation joined in, the subsequent attack could be digitally devastating. In recent years Anonymous had successfully penetrated the United Nations’s databases, those of the Bank of America, and even the U.S. Department of Defense (DOD).

  As part of its antisecurity effort the group had stolen a gigabyte of data from NATO, posting on a Twitter account “Hi NATO. Yes we haz more of your delicious data. You wonder where from? No hints, your turn. You call it war; we laugh at your battleships.” Juvenile, yes, but the group had successfully stolen highly confidential information.

  Anonymous also had launched a cyber-attack on media giant Sony as part of its self-described Operation PayBack. This was done reportedly as retaliation for Sony taking legal action against the man who’d engineered the successful jailbreak of Sony’s PlayStation 3. Waves of Anonymous attacks against Sony began with a distributed denial-of-service (DDoS) attack that temporarily took offline several Sony Web sites and continued with breaches of the Sony Online Entertainment and the Sony PlayStation Network sites. This resulted in the theft of account details for over 70 million Sony customers.

  In one of its most embarrassing attacks, Anonymous had secretly recorded a conference call between the FBI and Scotland Yard in which they discussed their investigation into Anonymous hackers. Anonymous then published the call on the Internet. It developed that they’d gained access by hacking the personal e-mail account of one of the intended participants and lifting the log-in information from him. Most recent, they’d accessed local and state police records, making them available online. In addition, Anonymous was commonly believed to work hand-in-glove with WikiLeaks.

  For all their vaunted successes, not every operation succeeded—most in fact did not, but when highly motivated, Anonymous had proven itself capable of widespread destruction against its targets. They subjected companies to relentless probes, searching for any weakness. Once they had their foot in the door anything was possible. This could include defacing the company’s Internet Web site, stealing customer financial information, disclosing confidential management information, even looting accounts.

  The RegSec CEO had tossed kerosene on the fire by publicly condemning Anonymous and demanding the Department of Justice take criminal action against the group for its efforts at intimidation against his company. He’d gone on to brag that the company’s Web site was impervious to hackers and to DDoS attacks. This had only served to increase the threats against the company and to make a concerted attack more likely.

  For nearly three weeks following the court decision, Anonymous had drummed up support on the Internet by posting YouTube videos in support of its plan and spreading word through Twitter. Then they’d launched a DDoS attack, bringing on board hundreds of sympathetic volunteers in the effort.

  The plan had succeeded for two hours, bringing the Web site crashing down, and that was when Jeff received a frantic call from the IT director at RegSec, hiring him to stiffen its Web site defenses in preparation for the next phase of the ongoing effort by Anonymous. That phase would involve stealing of information, then the public disclosure of it. Failing that, Anonymous would be content with simply defacing the Web site. Either would create a loss of confidence with the public and cost the company tens of millions in lost revenue, as well as drive down the stock price.

  Jeff found the antics of the company CEO intolerable. He’d been sorry to see the court case dropped when he’d read about it. Exploiting corporate law loopholes for gain was not only immoral, it should be illegal. Still, in his line of work, this was a situation in which he occasionally found himself. While he had no regard for the corporation or its ostentatious founder—indeed, nothing but contempt—he was concerned for its millions of innocent customers. He couldn’t control the irresponsible behavior of the company’s founder, but now that he was on the job Jeff took keeping the site and its customers secure as a personal mission. He didn’t like failure and it was now him versus Anonymous.

  By this time, he had completed most of his analysis and in the process cleaned up several problems. Prior to boarding the plane to San Diego, he’d brought o
ther problem areas to the attention of the company’s IT director. His personal fixes had included patching the operating system and encrypting the bank’s database of customer account passwords, steps that should have been unnecessary if the bank had followed standard cyber-security hygiene. Now he was assured that the bank was logging all Internet traffic to a separate database from their front-end servers. In the event Anonymous managed to infect those servers and delete the local logs, Jeff hoped to be able to see where the attack came from and deal with it at that end.

  He uploaded his final change—for now. When he had more time, he’d backtrack and be certain he’d secured the system to the best of his ability. And he’d check to confirm that the IT department had acted on his recommendations. Jeff glanced at his watch again. He just had time for a quick shower before heading to CyberCon.

  He’d arrived late the previous night and only slept a few short hours as the RegSec project was so urgent. He couldn’t help but wonder why the company hadn’t hired him once Anonymous had threatened it rather than wait until after the DDoS attack. Well, too often that was the way these cases started.

  He’d worked all morning, and was sorry to have missed the opening of CyberCon and in particular the morning talk and demonstration of an Android zero day vulnerability exploit. He’d been curious to see if it was one that he and his partner Daryl, also his girlfriend, had already discovered while working on a government contract for that purpose.

  CyberCon was the creation of Clive Lifton, a diffident, slightly scholarly man of middle years. He owned a small but highly regarded security training and consulting company of about thirty employees. Clive ran the conference as an indirect way to advertise his company and its services to the security community. This year CyberCon was cosponsored by Combined Technologies International (CTI), a major DOD contractor. Upward of fifty of its employees were in attendance.

  Clive was an old colleague and friend with whom he and Daryl frequently traded information concerning attack techniques and security gossip. He’d tried to hire them some months earlier but they’d preferred to continue working for themselves. Jeff was looking forward to seeing him again.

  Showered and dressed in casual slip-ons, tan Chinos, and blue travel blazer, Jeff headed out of the hotel into the sun. He spotted the wide delivery alley he’d used earlier as a shortcut and ducked into it. There were two vans and one delivery truck busy off-loading. For a moment he caught the slightly unpleasant odor of rotting vegetables. He walked briskly the short distance to the next street, looked left, then right, before jaywalking to the hotel entrance where CyberCon was held. He’d booked too late to get a room there.

  As Jeff stepped through the doors he heard a voice call his name. He looked over and there was Dillon Ritter, a well-known programmer with CTI. “Running late, aren’t you?” he said as the pair shook hands. Ritter was of average height and recently had grown overweight. He wore frameless glasses and had already lost most of his hair. Jeff had heard of his recent divorce.

  “Busy. I want to catch the panel. Aren’t you on it?”

  “Relax. I’ve got ten minutes. Come on. I’ll show you where.”

  “Is it true Anonymous is taking part?” Jeff asked as they went to the registration desk to pick up his credentials. Several attendees, two or three from CTI, spotted Jeff and nodded their head in recognition.

  “Yes, it is.” Ritter’s tone voiced his disapproval. He was well known for his hard line against hacktivism. He’d published several articles on the subject.

  There were about six hundred attending this year’s CyberCon, which made it a midsized conference, one of the more intimate. There was a ring of booths around the perimeter, some with scantily clad women known as booth babes. There were two rows of booths on the floor itself as well. These were run by various computer and Internet companies, some household names while others were known only to those working in the cyber-security industry. As always, there were fresh names Jeff would want to check out.

  It was ten men to every woman, as was typical at these events. Dress ran from business casual to the genuinely nerdy and was an uncannily accurate means for predicting what the wearer did. Those in the occasional suit were either with one of the traditional computer companies or were from the FBI or another law enforcement agency.

  “All the talk’s about the Anonymous RegSec D-DoS,” Ritter observed. “That was something, especially after the CEO said it couldn’t happen.”

  “Not the smartest of moves. So how’s Anonymous going to be here?”

  “They’re putting a monitor on one of the stools. Someone representing Anonymous is supposed to participate, using Skype.”

  “This should be interesting.”

  Ritter shrugged. “I guess. I don’t know why they’re giving these criminals exposure. It only makes them appear legitimate.”

  Jeff had thought the same thing. “You have a point.”

  “When’s your talk?”

  “This afternoon at three thirty.”

  “Here we are,” Ritter said, and directed Jeff into a large meeting room. It was filled to overflow what with the rumored appearance of Anonymous. Love it or hate it, no one was neutral about the group, or about hacktivism for that matter.

  “I’m glad I ran into you,” Ritter said, pausing at the entry to the room. “Want to grab a drink and then dinner after your session?”

  “Sure, it would be good to catch up,” Jeff responded. A major reason to attend conferences such as these was to network with other members of the cyber-security community. Even if Ritter wasn’t one of Jeff’s favorites, their relationship went back many years and Jeff had been too busy leading up to the conference to set up dinner plans.

  All the seats were taken so Jeff stood at the back of the room with other latecomers. He recognized the short woman to his left and nodded to her but couldn’t recall her name or where he’d last seen her. Ritter was up front now, taking his place as Clive fixed a miniature mic to his lapel. He’d be moderating this discussion himself.

  There were five people taking part on the panel, seated on stools. A large monitor was sitting conspicuously in the center stool and a huge screen to the right of the stage displayed a live image of the panel. Ritter was on the end while Jeff’s friend, Janata Chacko, sat next to him. Chuck, as he was known in the West, was just shorter than average, stout, and with wild black hair. He had become a sloppy dresser since he’d left the CIA but had cleaned himself up for today as the discussion was being streamed live over the Internet.

  Beside him, wearing her trademark purple plastic-framed glasses with neck lanyard, sat Agnes Capps. Approaching fifty, she’d carved a name for herself by publishing articles and books related to computer and Internet security and to government policy. Outspoken and popular with the media, she had no respect within the cyber-security community as most people believed she was faking it—she simply didn’t understand certain key issues. She was a clever writer and combative interviewer, though, which she’ parlayed into a successful career.

  On the other side of Anonymous was a man in his early thirties, new to Jeff, wearing a dark suit with a neatly trimmed reddish beard. FBI, he thought at once. FBI agents were tolerated at these conferences as most attendees recognized the need for a law enforcement presence on the Internet. These cyber feds generally knew their stuff when it came to computers though they lacked the eccentricity of the committed professional hacker.

  Clive opened with a few brief remarks, then introduced each of the panel participants before gesturing to the flat screen. “And from somewhere on the Internet we have a spokesperson for Anonymous. I understand he’s already with us.”

  With that an image materialized from the screen, slowly resolving into a Guy Fawkes smiling mask, floating on an ebony background, which served as the public face of Anonymous.

  “We are here,” the voice said. The speaker used a program to cause his voice to sound slightly disembodied. The audience tittered.

  For
all the novelty of the Anonymous presence, the discussion followed a predictable pattern. The man in the suit, who was in fact an FBI agent named Norm Allender, made the point repeatedly that hacktivism was an enormous and growing threat. “Because of it the day may come when the kind of open, unrestricted Internet you enjoy today will no longer exist,” he said more than once in more than one way. “What I want, what I believe we all want, is a secure, universally accessible Internet.”

  Capps was pitching her latest book, Hacktivism, Twitter, and Facebook: The Age of Cyberprotest and Flash Revolutions, this time taking the position that governments constituted the greatest threat to the Internet. Whenever she repeated a detail, she’d lean forward and point a finger at the FBI agent, who took it all in with good cheer. “Hacktivism is a mere drop in the bucket compared to you. You need to be stopped,” she said, much to the amusement of the audience.

  Chuck dismissed the notion that hacktivism was evil or inherently destructive. “It is a legitimate form of social protest,” he argued, to a round of applause. “They bring accountability to systems that want to evade it. Their positions, whether you agree with them or not, come from a deep sense of morality. These attacks are a form of civil protest intended to identify legitimate issues. If it wasn’t for hacktivism I can see the day Big Brother takes over.” Several booed Big Brother. “When that happens, the real Internet will only exist as an underground movement.”

  “It has already begun. You should join the cause,” Anonymous intoned. “Your heart is in the right place.”

  “This is absurd,” Ritter interjected. “This freak in his plastic mask has no business here. What’s he afraid of? Why not come out from behind his screen? Hacktivism is simply evil. If Anonymous has its way, nothing we do in our computers or over the Internet will be private. Chuck and Agnes here worry about Big Brother when it’s actually teenagers like this one on the monitor here who are the threat to us all!”

 

‹ Prev