The Cyber Pandemic

14 Dec 2020 - Christina Eichelkraut, Elio Grieco

This article is part two of the three-part series Computers: The Pitfalls, Perils and Promise published by TEC. The articles examine the societal challenges that stem from technology’s ever-pervasive role in our lives and how to confront those challenges in a way that allows technology and humanity to reach its full potential. There are solutions available but they can only be effective if we as a society radically change the way we think about computers, technology and ourselves.

Updated: Jan 4, 2021

[Image: solar eclipse. Photo by Jongsun Lee on Unsplash]

The day the sky fell

On December 13th, 2020, news broke that a sophisticated adversary had compromised SolarWinds’ software build process so that legitimately signed updates of its Orion monitoring platform carried a backdoor. Customers installed the trojanized update through SolarWinds’ normal distribution channel, which is what makes this a supply-chain attack: the vendor’s own code signing and update mechanism delivered the malware, and no amount of signature checking on the customer’s side would have caught it.

Overnight, this turned Orion from a tool for monitoring and defending government and corporate networks into the very threat it was meant to detect. Because Orion sits deep inside a network, with broad visibility and privileged credentials to the systems it monitors, the backdoor gave the adversary a foothold that bypassed the perimeter firewall entirely and landed in the middle of sensitive environments.

Several aspects of this cyber attack set it apart from run-of-the-mill, pedestrian breaches.

First, the targets include entire federal agencies and large companies that directly control the nation’s infrastructure and commerce.

Second, all the forensic analysis published so far indicates the attack was engineered by sophisticated adversaries who erase evidence of their movements, compromise adjacent systems and adroitly cover their tracks. This matters for recovery: an attacker who has already moved laterally can keep control of newly captured systems while the originally compromised devices are cleaned up and restored to normal service, so rebuilding the Orion servers alone is not enough.

Third, the sheer scope of the attack is staggering. Around 18,000 organizations downloaded the modified Orion software. It initially appears that further infiltration occurred in only a small fraction of those, but given the attackers’ sophistication and the patience they have shown, the full scope is currently difficult to assess.

People tend to ignore the importance of cybersecurity until there is a major event. This one could give decision makers the impetus to take the warnings of the software engineering and cybersecurity communities more seriously. Too often, government and corporate security professionals are dismissed as wailing Cassandras, ever fretting about impending doom and urging changes judged too costly or drastic. Today, unfortunately, we see that those warnings were not alarmism.

The perfect storm of cyberthreats has converged

What makes attacks like SolarWinds so jarring is the fact that companies spend millions to secure systems and protect users’ data. Meanwhile, a never-ending stream of software is peddled to everyday computer users promising to protect them from a rapidly expanding list of threats.

Unfortunately, all this effort barely keeps the perpetual torrent of cyberthreats at bay, if at all. That was the state of affairs before 2020. Today, due partly to the environment created by the COVID-19 pandemic, several cyber threat trends are converging into what can only be called a cyber pandemic.

Our current approach to cybersecurity puts any company using computers at risk of total economic collapse. A future in which it is impossible for businesses to generate revenue or maintain profitability in the face of cybercrime is no longer improbable. While this may sound alarmist, the facts cannot be ignored.

The problem isn’t the computer you purchase or even shoddy security software. Nearly every vulnerability computer users face stems from the absence of uniform quality control standards for software. The only viable and effective way to keep from crossing an event horizon beyond which computers are simply too unsafe to use is to build software correctly in the first place.

Background

The invention of the internet was as revolutionary as the invention of the printing press. Funded by the Defense Advanced Research Projects Agency (back when it was just ARPA) as a research network for the defense community, the ARPANET was a distributed, packet-switched system with no single point of failure, designed to keep functioning when individual links and nodes were lost. That fault tolerance is what allowed it to grow into a global network that functions under even the worst of circumstances.

It is incredible that this groundbreaking technology, built on a core foundation of fault tolerance, is today susceptible even to the least skilled hackers, known as script kiddies. Part of the reason is that security against malicious participants was never a design goal: every host on the early ARPANET was trusted, and protocols such as SMTP and DNS still carry that assumption. But much of today’s less secure, weaker internet is the result of corporate profiteering. While the military was an internally cooperative entity designed to face external threats, corporations are inherently antagonistic. They compete not only against one another for profits but against their own internal teams and, at times, even their own end users. As the internet becomes increasingly privatized, from internet service and cloud providers to social media, it becomes more centralized, fragile and adversarial. Today’s internet is unrecognizable from the ARPANET of the 1970s that held so much potential.

Complexity, as the saying goes, is the enemy of security. As the number and complexity of connected systems and services necessary to perform basic online tasks like editing text documents or checking email has increased, the topology of the internet has become more centralized and brittle. The evolution from open, federated protocols to centralized apps and cloud services has squarely placed the entire internet at risk.

Changing Cyber Landscape

Much has been written about how the COVID-19 pandemic has drastically shifted core business models and society. The ways the pandemic adds stress to weak, old cybersecurity architectures and creates new opportunities for attackers has only been lightly touched upon.

The pandemic has made work-from-home the new default setting for thousands of businesses. Unfortunately, not every business was prepared for the abrupt transition. Employees in an office environment were at least partly protected from inadvertently undermining their organization’s security through user error or shadow IT. Now at home, they no longer have enterprise-grade security to protect their systems from malicious actors, or from themselves. There is no IT staff pushing the latest security patches to their devices.

Businesses, of course, are not oblivious to the specter of cyberattacks. They understand the internet is full of ever-evolving predators skulking, creeping and phishing in hopes of everything from lulz to millions of dollars in ransom. The problem lies in how mainstream businesses approach cybersecurity, which resembles a medieval castle: important systems are “safely” ensconced behind walls. No matter how well built, a centralized perimeter model has single points of failure, and a hard shell does nothing once an attacker is already inside it, as the Orion compromise showed. This is why “the cloud,” a further concentration of assets behind one perimeter, is, if anything, a step backward for security.

Companies have tried to address this through remote system updates but have found it difficult due to limited VPN capacity. Home workers sit behind consumer-grade routers with none of the centrally managed controls of an office network, so the VPN is the only channel through which IT can reach their machines. In some cases, software updates meant to protect employees’ machines instead overwhelmed the VPN concentrators needed to push them out. At best, the updates took longer. At worst, they never completed, leaving systems vulnerable. The VPN is exactly the kind of single point of failure that leaves organizations exposed.

Most users are inadequately trained to deal with cyberthreats themselves. This further exacerbates the impact of the abrupt transition to working from home. Even if businesses had the resources and procedures in place to train all of their remote employees, today’s common security practices leave many other ways for an organization to suffer a massive compromise.

Super Hackable Internet of Things: Spies and Saboteurs Everywhere

To assess an individual’s device security three questions must be answered:

  1. Has the user done any security hardening to the device?

  2. What other users share the device?

  3. Are any Internet of Things (IoT, or internet connected) devices “phoning home,” or sending information somewhere else?

Any IT professional will tell you that the majority of computer users barely look at the configuration of the programs they use daily, let alone change it. When users do attempt to practice good cybersecurity they often stumble through a number of unnecessarily laborious steps to accomplish a task, when a few changes to default settings would achieve the same result far more easily. Unless someone is a cybersecurity professional, checking which settings would make a device more secure is exceedingly rare.

Users also share computers and devices with other family members or roommates. Though many devices support separate accounts to isolate user data and configurations, it is astonishing how many people share one account on a device and then complain about other users changing settings.

Even when there are separate accounts, a protection largely undone when every user has been made an administrator for convenience, downloaded applications are not well isolated on today’s systems. If one user downloads a cheat program for a popular game, or a pirated copy of the game itself, there is a good chance the download carries malware. If that user is an administrator, the resulting attack, whether it’s a keylogger, ransomware or something else, can reach the entire machine and every user on it.

Even worse, today’s malware doesn’t stop at one machine. In an age when even a fish tank is connected to the home Wi-Fi, new ransomware is designed to spread quickly to other machines on the network.

This makes IoT devices a threat vector in their own right. Once installed, users rarely adjust their configuration or give security a thought, so attackers use insecure devices to traverse networks much the way a climber uses hand- and footholds.

Something as benign as a smart lightbulb can function as a pivot point for an attacker to enter the home network and then move on to other devices. Early smart bulbs are a case in point. Several first-generation products, the original Philips Hue among them, relied on a single cryptographic key shared by every unit sold, and in some the bulbs used that shared key to protect the home Wi-Fi password they passed between themselves. Once the key was extracted from one bulb, anyone in radio range could pull the encrypted password from a victim’s bulb, decrypt it and join the Wi-Fi network.

Further reading: Zoom got caught installing a secret web server

Attackers can also mess with your smart devices. This could range from minor annoyances, like screwing with your light settings, to costing you money by manipulating the thermostat. The worst-case scenario is a potential escalation to harassment and abuse. Lax cybersecurity can quickly become a real-world security breach thanks to the ability to glean a user’s schedule based on their smart device usage. This is a robber’s dream come true.

It’s not totally implausible that an attacker could gain control of enough devices to attack entire cities. In 2016 the Mirai botnet, assembled from compromised IP cameras, DVRs and home routers, flooded the DNS provider Dyn with traffic, making much of the internet unreachable for users on the US East Coast for hours.

“Smart devices” also eavesdrop, sending at least some information back to the vendor for analytics and advertising. Alexa, Google Home and Apple’s Siri are especially greedy when it comes to collecting data, because their vendors use the recordings to train their speech and language models. This is why lawyers are sometimes told to turn off voice assistants during cases, to avoid leaking privileged attorney-client information. It is surprisingly difficult to determine which devices present these risks, because a microphone may be embedded in a device but not initially activated or advertised to end users. When listening or data-collection capabilities are switched on at a later date, users end up getting far more than they bargained for.

Another weakness of smart devices is that many will not work unless connected to their vendor’s cloud service. This means even users who do have a firewall in place may voluntarily loosen it so they can use the device they paid for, a reasonable decision on a practical level but potentially disastrous for security. The cloud services themselves are another point of attack: a cloud-dependent door lock can fall prey to a Denial of Service (DoS) attack, or simply a vendor outage, and leave a homeowner stranded outside their door. And smart locks whose unlock message is the same every time are susceptible to replay attacks: an attacker who records one legitimate unlock can play it back later.
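The replay attack just described, shown as an added example in Python (not code from the original article or from any real lock vendor): a lock that accepts the same authenticated UNLOCK message every time, beside one that binds each response to a fresh random challenge and consumes the challenge whether or not the response verifies. The pairing key, message layout and HMAC construction are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Hypothetical secret shared by phone and lock at pairing time (not a real product's key).
PAIRING_KEY = b"example-pairing-secret-0123456789"
UNLOCK = b"UNLOCK"
TAG_LEN = 32      # HMAC-SHA256 output length
NONCE_LEN = 16


def tag(key: bytes, *parts: bytes) -> bytes:
    """Length-prefixed HMAC over the message parts, so fields cannot be re-split."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class NaiveLock:
    """Accepts any correctly authenticated UNLOCK message, whenever it arrives.
    The message never changes, so one captured copy opens the door forever."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocked = False

    def receive(self, msg: bytes) -> bool:
        cmd, mac = msg[:-TAG_LEN], msg[-TAG_LEN:]
        ok = cmd == UNLOCK and hmac.compare_digest(mac, tag(self.key, cmd))
        self.unlocked = self.unlocked or ok
        return ok


def naive_phone_message(key: bytes) -> bytes:
    return UNLOCK + tag(key, UNLOCK)


class ChallengeLock:
    """Issues a fresh random nonce per attempt and accepts only a response
    bound to the nonce it is currently waiting for."""

    def __init__(self, key: bytes):
        self.key = key
        self.unlocked = False
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(NONCE_LEN)   # must come from a real RNG
        return self._pending

    def receive(self, msg: bytes) -> bool:
        if self._pending is None:
            return False                          # no session in progress
        nonce, cmd, mac = msg[:NONCE_LEN], msg[NONCE_LEN:-TAG_LEN], msg[-TAG_LEN:]
        ok = (hmac.compare_digest(nonce, self._pending)
              and cmd == UNLOCK
              and hmac.compare_digest(mac, tag(self.key, nonce, cmd)))
        self._pending = None                      # nonce is single-use either way
        self.unlocked = self.unlocked or ok
        return ok


def challenge_phone_response(key: bytes, nonce: bytes) -> bytes:
    return nonce + UNLOCK + tag(key, nonce, UNLOCK)


def run_replay_scenario() -> dict:
    """Capture one legitimate unlock on each protocol, then replay it later."""
    results = {}

    lock = NaiveLock(PAIRING_KEY)
    captured = naive_phone_message(PAIRING_KEY)        # sniffed off the air (constructed)
    results["naive_legit"] = lock.receive(captured)
    results["naive_replay"] = NaiveLock(PAIRING_KEY).receive(captured)   # owner long gone

    lock = ChallengeLock(PAIRING_KEY)
    captured = challenge_phone_response(PAIRING_KEY, lock.challenge())
    results["challenge_legit"] = lock.receive(captured)
    lock.challenge()                                   # attacker's attempt gets a new nonce
    results["challenge_replay"] = lock.receive(captured)
    results["challenge_no_session"] = ChallengeLock(PAIRING_KEY).receive(captured)
    return results


if __name__ == "__main__":
    for name, opened in run_replay_scenario().items():
        print(f"{name:22} -> {'door opens' if opened else 'rejected'}")
```

A monotonically increasing counter or a signed timestamp would also defeat replay, but a random challenge is the simplest to get right on a device with no reliable clock and no guarantee of persistent storage across power loss.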

Physical workarounds to tech troubles also invite users to weaken their own security. For example, an internet service provider troubleshooting an outage might ask a user to plug the computer directly into the modem. This bypasses what little protection users get from Network Address Translation (NAT) and the firewall in their router, exposing whatever services the machine is running directly to the internet.

These are isolated examples. In the real world, these experiences can happen simultaneously, each one exacerbating the other until the costs don’t simply add up, they multiply each other.

The chronic understaffing in cybersecurity will likely hasten the move of the last few remaining on-premises services to the “cloud.” The dirty secret of the cloud is that it is just “your stuff on someone else’s computer.” While the security team of a cloud provider may well be better than one a small business can field, there have still been a number of outages and attacks that should give us pause. It’s also worth considering that when many clients share one provider, the reward for breaching it increases dramatically.

At the end of the day, most homes do not have anywhere near the level of security or monitoring of corporate offices. If the home is the new office, this needs to be seriously considered.

Human Factors

These are just technical threats. The human element further exacerbates vulnerabilities.

The constant torrent of scams and attacks already makes it nearly impossible to keep ahead of threats. Much of cybersecurity therefore relies on software to do the monitoring, because no human can scan the sheer volume of information involved.

Still, workers have a role to play in cybersecurity. They must be alert to threats like phishing that cannot be reliably caught by automated systems. Working with external partners is crucial to business, but the distinction between internal and external calls on business phone systems made it more obvious when the person on the other end of the line warranted suspicion.

Working from home, however, many of these habits or protocols are abandoned. Work calls are conducted on far less secure personal phones. Parents have to educate their children while working, an understandable distraction that can nonetheless cause a worker to be less vigilant and more likely to fall for scams they may not have normally.

The added stress of being in dire financial straits as a result of the pandemic can make even someone with healthy skepticism vulnerable to attack. Stimulus money meant to bolster people and businesses during the pandemic has given scammers the opportunity to call and ask people for sensitive personal information. These criminals either divert the payment to themselves or conduct identity theft.

Cyber attacks: Cheap and Getting Easier

Cybercrime is particularly insidious because it happens in a subtle, invisible manner. Being robbed at gunpoint is noticeable. A key logger stealing the password to your checking account is invisible.

This is not the only reason cybercrime appeals to criminals. Cybercrime is terribly convenient and low risk. Gone are the days of casing a person’s home to discover habits and access points. The digital equivalents are far quieter and less conspicuous, in some cases using fully passive techniques. Just listening for the probe requests a phone broadcasts while looking for its saved Wi-Fi networks (a feature known as Preferred Network Offload, or PNO) can reveal the names of networks it has joined, and, cross-referenced with public wardriving databases, where someone lives.

The risk of robbing someone is quite high. The attacker faces the risk of bodily injury if the victim attempts to defend themselves or the police shoot at them. If the robbery is successful, the risk of being followed or caught remains.

Cybercrime, on the other hand, can be committed from the comfort of one’s home and, importantly, in a completely different legal jurisdiction. Tracing traffic on the internet can be quite complicated. Since a cryptographically secure identity protocol hasn’t been widely deployed, impersonating another party is still relatively easy.

Even if cybercriminals are identified, the likelihood of their being arrested, much less charged with a crime, is low if they were careful enough to operate from an adversarial jurisdiction.

Cyberattacks are generally easy to automate and thus can be bought and sold fully formed online or deployed with the push of a button like any other aaS (as a Service) offering.

Subtleties of attacks

Attacks have evolved from the mostly harmless pranks of the 1980s to far more strategic and malicious breaches and intrusions.

The goal is no longer to simply show that a system can be breached. In many cases, breaches have business objectives or geopolitical significance. Viruses and threats based on exploring the internet and spreading a little humor are out. Slow, stealthy and persistent is in.

Today’s malware is increasingly designed to stay inert when it detects that it is running in a researcher’s virtual machine or sandbox, evading intense scrutiny and study. The SolarWinds backdoor went further: it lay dormant for up to about two weeks after installation and checked for security tools and for signs that it was running on a SolarWinds test host before activating.

The one exception to the slow and stealthy rule is ransomware. It stays as stealthy as possible until it has encrypted its target files. Only then does it make a big show of telling the user that their data is no longer theirs.

Most other threats stay stealthy and carry out their mission as quietly as possible. They are successful enough that most businesses do not detect their own breaches; they are usually alerted by another organization’s security team noticing odd traffic and other behavior emanating from their network.
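As an added example (not part of the original article) of the kind of “odd traffic” that gives a quiet implant away, here is a small Python check run over constructed DNS resolver log lines. It flags a host that resolves a steady stream of never-repeated labels under one domain at a regular interval, the signature of a beacon that encodes its check-in data in subdomains. The log format, the hostnames and the beacon.invalid domain are made up for the example; a real tool would use the public suffix list instead of the naive two-label registered-domain split used here.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: ws-042 resolves a fresh random-looking label under one domain
# every ten minutes, mixed with ordinary browsing. ".invalid" is reserved and never resolves.
SAMPLE_LOG = """\
2020-12-14T10:00:00Z host=ws-042 query=k3j2hd9a.beacon.invalid
2020-12-14T10:01:10Z host=ws-042 query=www.news.test
2020-12-14T10:03:45Z host=ws-042 query=cdn.news.test
2020-12-14T10:05:00Z host=ws-007 query=www.news.test
2020-12-14T10:10:03Z host=ws-042 query=q8xm2p0v.beacon.invalid
2020-12-14T10:19:58Z host=ws-042 query=zt4n9w1c.beacon.invalid
2020-12-14T10:30:01Z host=ws-042 query=a0f7lk3e.beacon.invalid
2020-12-14T10:31:00Z host=ws-042 query=www.news.test
2020-12-14T10:32:05Z host=ws-042 query=img.news.test
2020-12-14T10:40:00Z host=ws-042 query=m6c1ry8s.beacon.invalid
2020-12-14T10:45:30Z host=ws-007 query=cdn.news.test
2020-12-14T10:49:57Z host=ws-042 query=e2v5ob7h.beacon.invalid
2020-12-14T10:58:30Z host=ws-042 query=www.news.test
2020-12-14T11:00:02Z host=ws-042 query=p9d3xg6u.beacon.invalid
2020-12-14T11:10:00Z host=ws-042 query=w1k8zn4j.beacon.invalid
"""

LINE = re.compile(r"^(\S+) host=(\S+) query=(\S+)$")


def parse_line(line):
    """Return (timestamp, host, query name) or None for lines that don't match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3).lower().rstrip(".")


def registered_domain(qname):
    """Naive split: last two labels. Real code should consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def find_beacons(log_text, min_queries=6, max_jitter_cv=0.15, min_unique_labels=4):
    """Flag (host, domain) pairs whose lookups are regular in time and never repeat a name.

    Regularity is measured as the coefficient of variation of the gaps between
    queries; human browsing is bursty, a timer is not. Unique labels catch the
    per-query data encoding that sets a beacon apart from a legitimately polled host.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            ts, host, qname = rec
            groups[(host, registered_domain(qname))].append((ts, qname))

    findings = []
    for (host, domain), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter_cv = pstdev(gaps) / avg
        unique = len({q for _, q in events})
        if jitter_cv <= max_jitter_cv and unique >= min_unique_labels:
            findings.append({
                "host": host,
                "domain": domain,
                "queries": len(events),
                "period_s": round(avg),
                "jitter_cv": round(jitter_cv, 3),
                "unique_labels": unique,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['host']} -> {f['domain']}: {f['queries']} queries every ~{f['period_s']}s, "
              f"{f['unique_labels']} distinct labels (jitter cv {f['jitter_cv']})")
```

The thresholds are deliberately loose; in practice they are tuned per environment, and a beacon that adds random sleep to its timer raises the jitter, which is why the unique-label count is checked alongside regularity rather than instead of it.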

Scalability of attacks

Cybercrime is also far more scalable. No matter how ambitious or skilled the criminal there are only so many cars they will be able to steal each day. A physical crime spree is also constrained by external factors like location, a barking dog or busybody neighbors.

Meanwhile, cybercriminals rely on automation. Though sophisticated attacks sometimes require tremendous skill and time to develop, once an attack is known it can be automated, and anyone with the code can run it. The number of potential victims is then limited only by the number of vulnerable systems the attacker can reach.

Attacks can also be run on multiple machines simultaneously. This is the main reason we’ve seen massive growth in botnets, the cloud infrastructure of the cyber criminal. With a botnet, a single individual can attack an almost limitless number of targets.

As a cybercriminal increases their number of successful attacks, they can potentially build up a global army of devices that can be turned toward a target at a moment’s notice. These devices could be full computers or just “smart devices.” One need only learn about the Mirai botnet to understand the potential damage IoT devices can cause.

Commercialization of cybercrime

Cybercrime is now a full industry unto itself. Operations have full offices with support staff and various levels of management. The biggest differentiator between corporations and cybercriminal groups is which laws they decide to obey.

Since many attacks originate overseas, attempting to seek relief via the legal system is often not feasible. Most incidents are conducted from countries either openly hostile or indifferent to the local laws of the target. As a result, anything short of a true act of cyber warfare warranting a full-scale military response is unlikely to be investigated or prosecuted.

Thus the inherent scalability of attacks is multiplied by economies of scale. Cybercrime operations benefit from the funding and skills specialization inherent in corporate structures. Their clients benefit from the extra distance from the crime and from the skill, sophistication and resources of these CaaS (Crime as a Service) outfits.

As these are criminal organizations they do not follow regulations and are far more agile than the businesses which they attack. It’s like a game of cat and mouse in which the cat is a cheetah.

It’s easier to devise attacks

Finding vulnerabilities and devising new attacks is getting easier all the time for three main reasons:

  1. As software becomes more complex, it has more flaws for criminals to work with.

  2. As everything becomes “smart” – and uses software – the general attack surface grows.

  3. The tooling to find attacks is getting better.

While web pages 30 years ago were mostly static HTML and eventually some CSS, today even basic news sites have dynamic front ends built in complex frameworks such as React. JavaScript is added to almost every website, even though many blogs and other sites have no need for the interactivity that requires it. This pervasiveness comes at a steep cost: many pages pull in far more third-party libraries than displaying the content requires, and every script loaded from someone else’s server runs with full access to the page. A compromise of any one of those sources compromises every site that embeds it. Subresource Integrity hashes and a Content Security Policy limit that exposure, but few sites bother with either.

Web browsers, no longer a simple program to render HTML, have evolved into entire operating systems (think Chrome, with its extensions, themes and other bells and whistles). Vendors constantly attempt to improve the security of browsers but securing something as complex as an operating system is not easy and today everyone effectively has an operating system within an operating system.

Cybercrime is no longer limited to computers. Now everything is a computer or has one inside. This includes everything from smart speakers, smart televisions and most toys, right down to the price tags on them, now with programmable RFID or NFC chips. Even toilets are becoming computerized, implementing the, ahem, opposite of face unlock. The sheer number of items and places with potential cybersecurity vulnerabilities is becoming uncountable. Everywhere you look there is something to hack into.

There is some hope. The tooling for black box analysis of systems, that is, probing a system without access to any source code or schematics, is improving. Analyses that would once have required considerable time from a highly skilled human can now be done with software. On one hand, this makes it easier to discover problems before software ships to consumers. On the other, it makes it easier for attackers to find the flaws that inevitably fall through the cracks.

The increasing sophistication of attacks

A popular misconception about cybercrimes is that they are simple. Most serious modern attacks are multi-phase, multi-day or multi-month endeavors that depend on a number of techniques to gain footholds, move past defenses and move laterally in multiple stages to get closer to the final target.

The ability to combine and carry out attacks is on the cusp of a new frontier. Machine learning will allow far more sophisticated passive identification of targets and their weaknesses. It will also enable more adaptable attack systems that can change strategies and, to some degree, learn from the target’s responses.

The line between computer attacks and social engineering may soon begin to blur in truly troubling ways. While the targets of automated attacks are mostly machines right now, things will get truly interesting when sentiment detection technology starts to mature and is deployed against humans. Just as an experienced conman adjusts their approach to the real-time reactions of their mark, automated attack systems will soon be able to respond just as nimbly.

While artificial intelligence brings some advantages (like automatic anomaly detection) to those defending networks, it brings with it just as many new problems. AI systems are “fuzzy” and adaptable, which is both exciting and terrifying. Their adaptability enables attacks such as “poisoning the well,” in which the adversary slowly teaches the model a new normal, so that when the real attack comes it looks like more of the same and raises no suspicion. In a worst-case scenario, the attacker may be able to convince the model that a valid user is actually malicious.
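An added example in Python (not from the original article) of “poisoning the well” against a simple traffic-volume anomaly detector. The first detector re-learns its baseline from every sample it sees, so an attacker who ramps up slowly drags the alert threshold along and then exfiltrates at the new normal without a single alert. The second learns only from samples it did not flag, and refuses to let the baseline drift more than a fixed factor from a reference pinned when training ended; moving it further needs a human to re-pin it. The traffic series, the EWMA parameters and the drift cap are assumptions made for illustration.

```python
class RateBaselineDetector:
    """Flag a sample when it exceeds `factor` times the learned baseline.

    poison_resistant=False: the baseline is an exponentially weighted moving
    average (EWMA) of every sample seen, flagged or not. Whatever traffic the
    detector sees often enough becomes "normal".
    poison_resistant=True: only unflagged samples update the baseline, and the
    baseline may never move more than `drift_cap` times away (either direction)
    from the reference value pinned at the end of training.
    """

    def __init__(self, reference, alpha=0.2, factor=2.5,
                 poison_resistant=False, drift_cap=1.5):
        self.reference = float(reference)   # baseline approved at end of training
        self.baseline = float(reference)
        self.alpha = alpha                  # EWMA weight given to the newest sample
        self.factor = factor                # alert when sample > factor * baseline
        self.poison_resistant = poison_resistant
        self.drift_cap = drift_cap

    def observe(self, sample):
        """Return True if `sample` is flagged, then update the baseline."""
        alert = sample > self.factor * self.baseline
        updated = (1 - self.alpha) * self.baseline + self.alpha * sample
        if not self.poison_resistant:
            self.baseline = updated                        # learns from the attacker too
        elif not alert:
            low = self.reference / self.drift_cap
            high = self.reference * self.drift_cap
            self.baseline = min(max(updated, low), high)   # bounded re-learning only
        return alert


def boiling_frog_traffic(clean=20, ramp_steps=60, start=100.0, step=15.0,
                         exfil_steps=30):
    """Constructed outbound bytes-per-minute series for one host: a clean period,
    an attacker slowly raising its own traffic, then sustained exfiltration at
    the level it has normalised (assumption: the attacker controls that host)."""
    series = [start] * clean
    series += [start + step * i for i in range(1, ramp_steps + 1)]
    series += [start + step * ramp_steps] * exfil_steps
    return series


def run_poisoning_scenario():
    """Feed the same series to both detectors and summarise what each saw."""
    series = boiling_frog_traffic()
    summary = {}
    for name, detector in (("adaptive", RateBaselineDetector(100.0)),
                           ("pinned", RateBaselineDetector(100.0, poison_resistant=True))):
        alerts = [i for i, x in enumerate(series) if detector.observe(x)]
        summary[name] = {
            "first_alert": alerts[0] if alerts else None,
            "alert_count": len(alerts),
            "final_baseline": round(detector.baseline),
        }
    return summary


if __name__ == "__main__":
    for name, stats in run_poisoning_scenario().items():
        print(f"{name:9} first alert at sample {stats['first_alert']}, "
              f"{stats['alert_count']} alerts, baseline ended at {stats['final_baseline']}")
```

The adaptive detector finishes with a baseline of roughly 1000 bytes per minute, ten times the clean level, and never fires. The pinned detector fires at sample 38, while the ramp is still under way, and keeps firing because its baseline is stuck at the 150 cap until someone reviews and re-pins it. The cap trades a stream of alerts during legitimate growth for the guarantee that the threshold cannot be walked upward unattended.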

We detect fraud right now partly by looking at the age and legitimacy of unknown accounts. This will be useless in the face of automated cybercrime systems able to create an entire web history automatically and instantly. Already GANs are synthesizing convincing photos of people, things, places, and are creating rather convincing text. A whole website, news site, resume, Twitter account, blog, etc. can be conjured from the ether in an instant. Though there are telltale signs that images of people are GAN generated, the time taken to look through these false assets and identify such artifacts can buy an attacker valuable time.

Defenders are not advancing as fast as attackers

Cyber threats and attackers are perpetually shifting and evolving. Yet lists of common security vulnerabilities such as the OWASP Top Ten have remained relatively stagnant, with the same classes of flaws, injection and broken access control among them, continuing to be how attackers breach systems.

Though individual programmers may learn and improve over the course of their careers, the industry as a whole seems to be standing still.

The grueling hours demanded of tech workers, combined with the increasing severity of the consequences of getting something wrong (developers are, after all, fallible humans), have created a tech industry in which short professional stints ended by burnout are common, particularly in cybersecurity.

Further, the demand to push out new features frequently causes management to steer talented teams to release code to customers that is nowhere near ready for today’s security challenges.

The tooling attackers use to find vulnerabilities, fuzzers and static analyzers among it, can just as easily be run by software engineers to find those issues before code is released. However, the extra time to properly test and evaluate code is seen as an onerous expense.

We would argue that the numerous costs of a breach or attack are far higher than building software correctly. The added benefits of higher uptime and more reliable operation of properly designed and built systems should be more than enough justification to build systems right initially rather than trying to layer security on after the fact.

The majority of security efforts focus on adding new layers of security on top of software that is still fundamentally vulnerable. The problem with this approach is these layers are necessarily porous to allow the software underneath to perform its business function. And with the increased “cloud” and “aaS” (as a Service) options, systems frequently need more and more access to systems outside the secure perimeter provided by today’s security approach.

The increased ease, ability and organization of those looking for new attack techniques along with the decreased cost make for a perfect storm that threatens today’s defensive tactics and strategies. We’re rapidly nearing an inflection point where the number, type and frequency of cyberattacks becomes so overwhelming today’s methods are completely inadequate to deal with the problem.

The central problem remains

All of these problems stem from our addiction to large, proprietary, poorly built software. While Moore’s law and Kryder’s law have started to slow, the toll our current approach is taking on our digital world continues to climb. Much of this can be addressed foundationally with the implementation of uniform quality standards. Just as a building must meet code to go from a blueprint to a brick-and-mortar structure, so too should software meet defined criteria of standards before being put into innocent users’ hands as a product or service.

Fortunately, there is a way forward that we will examine in the next article of this series.

Edited: This article was edited on Monday, December 28 to correct several minor typos. The content and information were not changed.