Source – vanityfair.com
Welcome to the Dark Net, a Wilderness Where Invisible World Wars Are Fought and Hackers Roam Free

“…He is not the U.S. government. He once told me he is his own mini-N.S.A. Referring to a friend of equal reputation, he said, ‘We write highly invasive software.’ As a product of the Dark Net, he has the power to invade China, and has done so before – ‘Ultimately, what you’d like to do is find a way to hack into their C2 servers and…insert a command into their infrastructure that tells all the malware out there to delete itself. A botnet takedown.’”
I. The Back Door
His name is not Opsec, but I will call him that to guard his privacy. In webspace he is known as a grand master of the dark art of hacking. He is one of a small elite—maybe a hundred, maybe fewer—all of whom are secretive and obsessed with security. They do not talk about their work with their families. They generally do not talk to the press. Nonetheless, through friends of friends, Opsec agreed to speak and to introduce me to his perspectives. In “meatspace,” as he and others like him call the real world, Opsec lives in a metropolitan area in a little wooden house by a railroad track. He is in his mid-30s, physically imposing, and not a geek. He hangs out in a local bar, where the regulars know vaguely that he works with computers.
He is a fast talker when he’s onto a subject. His mind seems to race most of the time. Currently he is designing an autonomous system for detecting network attacks and taking action in response. The system is based on machine learning and artificial intelligence. In a typical burst of words, he said, “But the automation itself might be hacked. Is the A.I. being gamed? Are you teaching the computer, or is it learning on its own? If it’s learning on its own, it can be gamed. If you are teaching it, then how clean is your data set? Are you pulling it off a network that has already been compromised? Because if I’m an attacker and I’m coming in against an A.I.-defended system, if I can get into the baseline and insert attacker traffic into the learning phase, then the computer begins to think that those things are normal and accepted. I’m teaching a robot that ‘It’s O.K.! I’m not really an attacker, even though I’m carrying an AK-47 and firing on the troops.’ And what happens when a machine becomes so smart it decides to betray you and switch sides?”
Opsec lives in a hall of mirrors. He understands that webspace and meatspace, though connected, remain largely distinct. Given sufficient motivation and time, Opsec can break into almost any secure network without setting off alarms. Breaking in used to thrill him, because once inside he could roam as he liked, but success comes too easily now: with such an attack, he has to find only a single way in. By contrast, defense presents the challenge of out-thinking every aggressor. This appeals to him, and he works now on the defending side. Usually this means protecting company networks from criminal attacks, or reacting to attacks after damage has been done. Opsec does not do the routine stuff. He is the man for the serious cases. He has seen some big ones. But even he was taken aback when, late last year, he stumbled upon a hack—a sliver of alien software on American shores—which suggested that preparations were being made for a cyber-attack of unprecedented scale.
I will call his client the Company. It is an Internet behemoth. It streams entertainment online and makes direct regular connections to more than 70 million personal computers worldwide. The Company does not charge for the connections but rather for the services it provides. It is very profitable. And it is under frequent attack from many parts of the world. Most of the attacks are drive-by shootings—spray-and-prays that succumb harmlessly to the defenses that Opsec has helped design. But some are carefully aimed and have threatened the Company’s existence.
He first intervened six years ago, after a data center had been hacked (as Opsec puts it) in a fucking major way. The intruders had gone after key systems, including the central payment processor and the C.E.O.’s computer, and had stolen credit-card and financial data as well as the Company’s proprietary source code—the secret formula upon which the business is built. Opsec worked for nearly six months to clean up the mess. By backtracking he discovered that the hackers were a group associated with the Chinese army. They operated out of a specific building near Shanghai, which he was able to locate, and specialized in targeting entertainment companies. Eventually he was able to identify some of the individuals involved, and even to obtain pictures of them. Nominally, that was the end of it. Opsec told me that because a government was involved, and legal recourse in China was unrealistic, no further action was taken.
What do you do when there is no law? Counter-hacking is a temptation, but can be dangerous. The Russian mob, for instance, has a poor sense of humor, and Colombian drug cartels are not much fun, either. Also, among independent hackers there is no small number of psychopaths. Over the years the Company has endured death threats, rape threats, and bomb scares. It gets personal. In a world without privacy, home addresses as well as the names of spouses and children are easily found. As the Democratic National Committee recently discovered, it is better not to get hacked in the first place.
After the original breach by the Chinese, Opsec had urged the Company’s management to establish a vigorous information-security program, which it did by building three NASA-like control rooms scattered in data centers around the world. Collectively, they are staffed around the clock. The sole purpose is to catch intruders, and to catch them as quickly as possible. The average industry delay in detecting a malicious hack is 188 days. For the Company, Opsec was hoping to reduce the delay to minutes or even seconds. But late last year, when the operations manager called him at home and urgently requested his presence at the Company’s high-tech campus, about 20 miles away, he knew that those defenses had failed. Almost as disturbing, the alarm had been raised not by the security team but by an ordinary technician, a system administrator doing the drudgery of a routine review.
When Opsec got to the campus, the details filled in. The system administrator—a friend of his—had been going through event logs of the previous week. Event logs are lines on a screen showing summaries of each new task given to a computer network, with a time stamp and a green or red dot indicating success or failure. Seeing a red dot, the administrator had zoomed in for more information. The failed task turned out to be an attempt from within the Company to deploy a piece of software companywide. Deployment of software throughout the entire network did sometimes occur—for instance, to install updates—but it was rare, and sufficiently important that the sender did not often make a mistake. In this case, the sender had omitted a single letter in the domain name to which the job was addressed—hence the failure. The associated software package was unlike anything the system administrator had seen before. He alerted the operations manager.
Opsec knew immediately that the package was suspicious. In lieu of a coherent naming scheme—for instance, a numbered update—there were random characters, followed by “.exe,” for an executable program. He ran the content through a piece of reverse-engineering software, called a disassembler, and quickly confirmed that his client had been hit with a malicious hack. Within an hour he understood that the purpose had been to permeate the Company’s networks, steal and encrypt all of its data, and demand payment for the data’s return. The numbers for an overseas bank account were included in the program. Opsec would not tell me where that bank account was, or how much had been demanded. He said only that it was an aggressive piece of ransomware, and that often in such cases the data is never returned. Ransom attacks have become an epidemic on the Internet. Most are widely dispersed. They lock down a victim’s computers and ask for relatively small amounts, payable in hard-to-trace Bitcoins, in exchange for returning the victim’s life to normal. The biggest attacks—against corporations—have netted millions of dollars. Little is known about them because the victims are tight-mouthed. The massive hack of Sony Pictures in 2014 was a ransom attack, though by whom is still in question. Presumably Sony did not pay, because its internal e-mails and other information were released onto the Internet. Last February, hackers seized medical records from the Hollywood Presbyterian Medical Center, in Los Angeles. The hospital paid to get the records back. Now, through sheer luck—a missing letter—the attempt to extort Opsec’s client had failed. But big concerns remained: the Company’s network was clearly compromised.
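The review the system administrator did by hand, and the two tells Opsec picked up on (a package name that fits no coherent naming scheme and a deployment target one letter off the real domain), can be turned into an automated check over the same kind of event-log summaries. The code below is an added example, not anything from the article or from the Company; the log format, the approved domain and the `update-NNNN.exe` naming scheme are all assumptions, and the log lines are constructed.

```python
import re

# Constructed sample event-log lines (not from the article). Each summarises one
# task: timestamp, task type, target domain, package and success/failure.
SAMPLE_LOG = """\
2016-11-02T01:10:00Z DEPLOY target=all.corp.example pkg=update-4412.exe status=OK
2016-11-03T02:14:09Z DEPLOY target=all.cor.example pkg=x7qk9z2pf1wq.exe status=FAIL
2016-11-03T09:30:00Z BACKUP target=db01.corp.example pkg=- status=OK
2016-11-04T11:00:00Z DEPLOY target=all.corp.example pkg=update-4413.exe status=OK
"""

APPROVED_DOMAIN = "all.corp.example"              # assumed company-wide target (hypothetical)
NAMING_SCHEME = re.compile(r"^update-\d+\.exe$")  # assumed coherent naming scheme (hypothetical)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<task>\S+) target=(?P<target>\S+) "
                     r"pkg=(?P<pkg>\S+) status=(?P<status>\S+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def looks_random(stem, min_len=8, min_ratio=0.4):
    """Heuristic for 'random characters': frequent letter/digit/other switches."""
    cls = ["L" if c.isalpha() else "D" if c.isdigit() else "O" for c in stem]
    if len(cls) < min_len:
        return False
    switches = sum(a != b for a, b in zip(cls, cls[1:]))
    return switches / (len(cls) - 1) >= min_ratio

def edit_distance(a, b):
    """Levenshtein distance; a target one keystroke off the real domain scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_deployments(log_text):
    """Return one finding per DEPLOY task that has at least one reason to escalate."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["task"] != "DEPLOY":
            continue
        reasons = []
        if ev["status"] != "OK":
            reasons.append("failed deployment")
        if not NAMING_SCHEME.match(ev["pkg"]):
            reasons.append("package outside naming scheme")
        stem = ev["pkg"].rsplit(".", 1)[0]
        if ev["pkg"].endswith(".exe") and looks_random(stem):
            reasons.append("random-looking executable name")
        d = edit_distance(ev["target"], APPROVED_DOMAIN)
        if 0 < d <= 2:
            reasons.append(f"target is {d} edit(s) from approved domain")
        if reasons:
            findings.append({"ts": ev["ts"], "pkg": ev["pkg"], "reasons": reasons})
    return findings
```

Run over the sample, only the second line is reported, with all four reasons attached; a failed company-wide deployment that also carries a nonsense package name is exactly the red dot worth zooming in on.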
Here was the situation Opsec faced. The package no longer mattered, but the hack most certainly did. Someone had emerged from the Internet, slithered into the Company’s heart, and then disappeared. The specific vulnerability the attacker had exploited was still unknown, and was likely to be used again: he had established a back door, a way in. Some back doors are permanent, but most are short-lived. Possibly this one was already for sale on the black markets that exist for such information in obscure recesses of the Internet. Until Opsec could find and lock it, the back door constituted a serious threat. Opsec reviewed the basics with the Company’s managers. He said, Look, we’re in the Internet business. We know we’re going to get hacked. We have to assume, always, that our network is already owned. It is important to go slowly and stay calm. We will soon know how and when to lock the door. We will have to decide later if we should do more.
To me he said, “Also, relax. In the long run, the chance of survival always drops to zero anyway.” He did not say this to his client. It was not an insight the Company would have valued at the time. Even in the short run, as it turned out, the news would be alarming enough.
II. Anarchist at Heart
Definitions. A vulnerability is a weakness in a network’s defenses. An exploit is a piece of software that takes advantage of a vulnerability. A zero-day exploit is a piece of software that takes advantage of a vulnerability that is known to a small group of aggressors and generally not to the defenders. “Back door” is another name for much the same. There are variations. Infinite invention is at play. Welcome to the Dark Net, a wilderness where wars are fought and hackers roam. More definitions. The Dark Net exists within the deep web, which lies beneath the surface net, which is familiar to everyone. The surface net can be roughly defined as “anything you can find through Google” or that is otherwise publicly indexed for all to see. The deep web is deep because it cannot be accessed through ordinary search engines. Its size is uncertain, but it is believed to be larger than the surface net above it. And it is mostly legitimate. It includes everything from I.R.S. and Social Security data to the internal communications of Sony and the content management system at The New York Times. It includes Hillary Clinton’s e-mails and text messages, along with everyone else’s. Almost all of it is utterly mundane.
The Dark Net occupies the basement. Its users employ anonymizing software and encryption to hide themselves as they move around. Such tools offer a measure of privacy. Whistle-blowers and political dissidents have good reason to resort to them. Criminals do, too. White fades quickly through gray and then to black in the Dark Net. Furtive sites there offer all manner of contraband for sale—narcotics, automatic weapons, contract killings, child pornography. The most famous of these sites was Silk Road—the brainchild of Ross Ulbricht, a libertarian entrepreneur who was arrested by the F.B.I. in San Francisco in 2013 and sentenced last year to life in prison without parole. New and even larger marketplaces have opened, including the current leader, AlphaBay, which is owned by a man who has been quoted as saying he resides in an “off-shore country where I am safe,” gives interviews to the press, and openly defies attempts by the authorities to shut him down. There are twists: illegal narcotics sold over the Dark Net tend to be purer, and therefore safer, than those sold on the street—this because of the importance to the sellers of online customer ratings. By comparison, it is hard to see the bright side of missile launchers or child pornography.
However noxious the illicit Web sites may be, they are merely the e-commerce versions of conventional black markets that exist in meatspace. The real action on the Dark Net is in the trade of information. Stolen credit cards and identities, industrial secrets, military secrets, and especially the fuel of the hacking trade: the zero days and back doors that give access to closed networks. A short-lived back door to the iPhone operating system may sell for a million dollars. In 2015 a black-market site called TheRealDeal, the first one to specialize exclusively in cyber-weaponry, opened for business. Several others have followed. There is something strangely circular about all this—the Dark Net chasing its tail through the Dark Net—but the stakes have turned out to be high.
And the trade is new. So new that when Opsec looks back on recent history he can sound like an old man remembering the onset of World War II. He was born to a middle-class family in the orbit of Washington, D.C., and by the time he was in kindergarten it was obvious that he was a bright if stubborn child. This was toward the end of the 1980s, in the pre-dawn before the Internet as we know it. His mother owned an early personal computer—a big box with a keyboard, a black screen, and white letters. It had a dial-up modem for point-to-point connections to other computers. When Opsec was six, he discovered that he could play games on it. The first was a Japanese action game called Thexder, in which he could transform a robot into an airplane and bomb things on the ground. This was so gratifying that on weekends he would wake up his mother at five A.M. and get her to go through the necessary keyboard commands to access it. She grew so weary of this that she wrote out the commands for him to use. He then figured out how to write a simple program to automate the log-in.
That was the start of the path he remains on today. By the age of seven he had become a regular on electronic bulletin boards where gamers exchanged information and posted downloadable games. The bulletin boards were precursors of the Dark Net: you could not search for them on a computer; you had to have a specific phone number and reach it point-to-point with a dial-up modem. After you found the first one, you were in and could find others. The users had pseudonyms and remained largely anonymous. Age and location did not matter. Social awkwardness did not matter. Some of the information the bulletin boards contained included pirated property and advice on how to break the law.
Opsec was just a kid, and at first he was only after the games. His problem was that they were often locked and required payment. With hints from the bulletin boards, he began to reverse-engineer the games, identify the lines of code associated with security, and modify the programs to bypass the payment requirements. He then posted his solutions on bulletin boards so that others could do the same. Though he did not know it at the time, he was creating zero-day exploits.
By the sixth grade, Opsec had started hacking into universities and phone companies. His parents saw him sitting hour after hour at the keyboard, but were so unaware of his activities that they bought him a laptop for schoolwork because his handwriting was bad. The effect was to pour fuel on the fire. His grades plummeted from A’s to D’s. I asked him what the attraction of hacking was. He said, “The whole idea of being able to exert your will on systems that were designed to exert the will of others—the designers. It was a powerful and addictive feeling.”
When he was 12, Opsec began to attend the local chapter meetings of a notorious hackers’ group, named 2600 for the 2600-hertz tone that gave access to the analog phone systems of the time. The meetings were held in the food court of the Pentagon City shopping mall. He had a friend, a like-minded Persian kid who attended the meetings with him and was extraordinarily capable but a bit malicious: he later published papers on how to destroy hard disks remotely and how to cause computers to catch on fire by shutting down their fans. Although also an anarchist at heart, Opsec was more interested in expanding his skills than in wreaking havoc.
But the two friends had technical goals in common. They became regulars at the food-court gatherings and eventually met a man there who worked for an unnamed government agency but was willing to explain certain concepts clearly. Such exchanges are characteristic of the larger hacker gatherings that have followed, with natural adversaries such as F.B.I. agents and Eastern European cyber-criminals temporarily setting aside their differences to share information.
III. Chinese Networks…