Cyber-Security: Or the lack thereof

“It’s the great irony of our Information Age — the very technologies that empower us to create and to build also empower those who would disrupt and destroy.”  President Obama’s warning about the growing threat of cyber-crimes, and the need for cyber-security, shed an interesting light on a problem that has existed since the beginning of time.  Yes, cyber-security is engaged in a battle that has existed since long before 1’s and 0’s were sent over a phone line (in fact, the first real internet, ARPANET, was hacked by a toy whistle found in cereal boxes; when blown, the whistle mimicked the dial-tone needed to log on, allowing a Mr. Draper to break in).  Think back to ancient Greece, when a band of shifty, and some say ingenious, foreigners decided to break the rules as set forth by governing war law, and build an idol of surrender, only to hide themselves in it and sack a walled city.  This Trojan Horse was a way for people to get around the set of norms that governed interactions…not the first use of treachery, but one of the most famous.

Today, other Trojan Horses are being sent world-wide as non-executing malware: an unsuspecting individual clicks open an otherwise innocuous e-mail, attachment, or file, only to have their computer infected (sacked…) by the virus.  Over the last 7 days, McAfee’s Recently Discovered Viruses Page lists 40+ new trojans that have been caught, let alone the ones that McAfee’s anti-virus software hasn’t caught.  This cyber-threat, as the President said, “is one of the most serious economic and national security challenges we face as a nation.”  And to be honest…this is a threat that we are losing to badly.

While the President outlined a five-prong plan for attacking this issue, including working with state and local governments and private corporations, and putting more effort into the federal Office of Cyber Security, one of the prongs itself is the reason why this is a losing battle.  Obama’s plan to create new technology, and to beef up our information technology across the nation, is a noble goal, yet he’s speeding us into a world where natural rules and order are quickly, and easily, subverted by those who want to.  To return to his first statement, that the creation and advancement of this technology is ironically fueling those who wish to wreak havoc: entering this virtual world without an understanding of how easy it is for people to go around the conceptual notions of security, safety and protection is only going to lead to more problems.

Take for instance the article written by Jeffrey Bardzell, et al., entitled “Virtual Worlds and Fraud:  Approaching Cybersecurity in Massively Multiplayer Online Games”, in which this rule construction, i.e. game-rules, server-rules, and real-rules, plays an integral role in understanding the ease of cyber-cheating.  The example the authors use is a case study in which a user manipulated his graphics card (the hardware used to govern the GUI, rendering of objects, and visual displays) in order to cheat the game he was playing.  By manipulating the graphics card, he was able to see through walls.  Here’s the problem: virtual games, such as Second Life, WoW and Counter-Strike, set up their rules, like for instance putting up a wall between point A and point B, preventing users from going from A to B.  But these rules do no good when inventive people can see how the rules are created (source code) and create new rules to get around them.  The article harps on user-created rule-breakers, such as Bots, Phishing and Pharming agents, and Trojans…but the larger problem, I believe, is that there is no possible way to prevent hacking, cyber-terrorism, cyber-breakthroughs, whatever you want to call it, when the people who break the rules have access to the same technology, the same set of guidelines, as the people who make the rules.

Metanomics’ article detailing President Obama’s new cyber initiative, which includes a Cyber Czar, a White House Liaison, and more “boots on the ground”, sounds great, but it misses the problem entirely.  As does Metanomics’ critique, which focused mainly on the rules governing those who police, whether a privacy right would be impaired, and, I kid you not, a Posse Comitatus argument.  This is all assuming the government can in fact have cyber-security, but in the world of 1’s and 0’s, I would bet it is impossible.  Sure, I would like to have privacy, and if the government snoops on my computer, my privacy right will be out the door…but Google search IP proxies, or hide-bots, and see how many results you get (19.5 million hits for IP Proxy, which will mask your IP address so that even if the Government wanted to track you, they would have to spend countless hours and money backtracking you through 19 or 20 hops).

As the authors of Virtual Worlds and Fraud used a case study, so shall I.  An IP address, or Internet Protocol address, is a number assigned by a device to show the connection between that device (typically a computer or a router) and the internet node it is connected to.  Most computers nowadays use IPv4, which is a 32-bit string of numerals in four-block sets (111.111.111.111).  This is similar to the street address of your house.  IP addresses are not necessarily unique (a router that has 6 computers on it will show the 6 computers as having the same address), but it’s a fairly good starting-off point.  If someone gets your IP address, the list of things they could do is almost innumerable, and most are illegal.  However, getting someone’s IP address, in virtual worlds or just on your computer, is incredibly easy (not to mention the easy how-to’s listed on Google, Yahoo and even YouTube!).

For example, every time we have seen a video sitting in our classroom in Second Life, our IPs are broadcast to the host computer.  The way Second Life works is that streaming media is not hosted on anything other than the host computer, and to see that video, our computers have to connect to it.  By reviewing the logs of connections, a host server can see unique IP addresses for each person.  Simple?  Yes.  Dangerous? Absolutely!  Possible to stop within the rules of the virtual world or President Obama’s cyber initiative?  Absolutely not.
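What a media host's connection log actually gives it, and why an address shared behind one router does not single out one machine, shown as an added example that is not part of the original post. The log format, request path and viewer names are constructed, and the addresses come from the reserved documentation ranges.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: access-log lines as a media host might record them.
# Two viewers sit behind one router and therefore share 203.0.113.7.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Nov/2009:10:00:01 +0000] "GET /stream/lecture.mov HTTP/1.1" 200 5120 "-" "ViewerA"
203.0.113.7 - - [16/Nov/2009:10:00:02 +0000] "GET /stream/lecture.mov HTTP/1.1" 200 5120 "-" "ViewerB"
198.51.100.23 - - [16/Nov/2009:10:00:05 +0000] "GET /stream/lecture.mov HTTP/1.1" 200 5120 "-" "ViewerC"
999.1.1.1 - - [16/Nov/2009:10:00:09 +0000] "GET /stream/lecture.mov HTTP/1.1" 200 5120 "-" "Broken"
192.0.2.44 - - [16/Nov/2009:10:00:11 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "ViewerD"
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$'
)

def clients_for(log_text, path):
    """Map each client address that fetched `path` to the user agents seen from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, _method, req_path, _status, agent = m.groups()
        if req_path != path:
            continue
        try:
            ip = ipaddress.IPv4Address(addr)  # rejects malformed entries such as 999.1.1.1
        except ipaddress.AddressValueError:
            continue
        seen[ip].add(agent)
    return dict(seen)

def as_32bit(ip):
    """An IPv4 address is a single 32-bit number; the dotted quad is only notation."""
    return int(ipaddress.IPv4Address(ip))

if __name__ == "__main__":
    for ip, agents in clients_for(SAMPLE_LOG, "/stream/lecture.mov").items():
        # More than one agent on one address means the address is shared.
        print(ip, as_32bit(ip), sorted(agents))
```

The host sees two addresses for three viewers: the log records the router's address, not the individual computers behind it.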

What if you’re not in Second Life or another virtual platform?  Easy…watch the two videos below, and I’ll show you how easy it is to get IP addresses from GMail and AIM (don’t worry, I edited the videos so that the host IP is changed; also, full-screen helps make it clear):

And because I don’t want to go to jail, nor do I have an urge to “hack” into anyone else’s computer, I got my own IP address, and using a free, on-line whois program, I am able to geographically locate my node within about 500 feet of my front door.

I did this without writing one bit of code (which is actually less difficult than trying to embed videos into WordPress), and the amount of data that I received could potentially be damaging if put in the wrong hands. That’s the high bar Obama’s Cyber Czar is going to need to figure out, and, if a 24 year old law student who majored in political science and who is no Odysseus can do the above, I shudder at the future of cyber-security.


~ by jasonzimmy on November 16, 2009.

8 Responses to “Cyber-Security: Or the lack thereof”

  1. Jason, I’m very interested in seeing your videos, but they are private.

  2. I especially appreciate your explanation of how tracking/identifying users actually works. I’m so naive about computer technology that I wasn’t really getting how that would happen. So you think the reason cybersecurity isn’t feasible is that cyberattackers will find ways to disguise their IP addresses?

  3. Sam- Fixed, should be up.

    Cstockard- No, that’s not the only problem. One of the issues is that Cyberattackers can obscure their IP addresses so that Gov’t trackers won’t be able to monitor them. It’s like wearing a mask during a robbery that obscures your entire body, replacing it with someone else’s. Cybersecurity isn’t feasible, as I mentioned, because the rules and technologies that we are creating to protect are easily subverted (and sometimes written by the same people).

  4. While I would say that achieving 100% cybersecurity is impossible, can’t that be said for anything else? Security for brick-and-mortar buildings has always been an issue, isn’t cybersecurity just the next frontier? While I understand that cybersecurity is an absolute and real risk, the solution doesn’t need to be complete and utter safety. Once the culture of hacking changes to make it comparable to the actual real-world crime that they are committing (i.e. stalking, bank robbery, etc.) the consequences will follow and it will be a crime, just like any other.

  5. Jason, are you really suggesting that all efforts to achieve cybersecurity are futile and therefore we should not even attempt to find solutions? I agree with your comment that while both the criminals and the government have access to the same tools and information, the criminals will always find new ways to circumvent the rules. Perhaps the solution lies in an immediate and extensive research and development, as well as the cooperation of Internet and media companies, in order to create a much more sophisticated network of rule enforcement. Otherwise, if left uncontrolled now, while still in its primary stages (yet already wreaking significant real world havoc), cyberterrorism could quickly come to dominate our daily lives. By the way, I love the videos – very scary stuff! I was hoping to see Alex as promised, but I guess things did not work out…

  6. While I recognize that new technologies can be used on both sides of the law, the government has to make an attempt to stay one step ahead of the cyberattackers. There is no “solution” in the sense that the government will never “win” the battle, but with the government and the internet companies focusing their efforts on reinforcing their security, hopefully we can keep the instances at a manageable level. The problem is that, like Jason very clearly demonstrated, it is just too easy right now to gain access to others’ information. We have to implement increased security efforts and a national campaign raising cyber-awareness to have any shot at keeping these problems at bay.

  7. My issue is not that since there will be some flaws, we shouldn’t attempt. Rather, since the rules of nature, the rules of physics, the rules of here’s a solid metal wall, I can’t lift it, go through it, push it, etc…don’t exist in the world of 1’s and 0’s that we are fighting a losing battle.

    Alex- I’m not advocating no cybersecurity, I’m saying that 50 percent cybersecurity is not possible. The people who are working at McAfee, the people that are working for the OCC are being met stride for stride by 14 year olds in Denmark who know how to program.

    Eugenia- Not saying we shouldn’t try, just letting you guys know that it is futile.

    Casey- Shot? Maybe? Reality of a national campaign to increase the awareness? Probably not, as evidenced by my dad, who uses a computer every day for his job, not knowing how to set up a firewall (or know what one is).

  8. Fascinating demo. Really gives one something to think about.
