The Cybersecurity Canon: Fatal System Error

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Fatal System Error: The Hunt For New Crime Lords Who Are Bringing Down the Internet (2010) by Joseph Menn

If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. The author, Joseph Menn, is able to capture the early years of the cyber criminal community as it was just beginning to productize its cyber business and professionalize it so that it ran more like a business.

Most of this book is about the incipient history of cyber crime. Menn tells the story through two early cybersecurity practitioners: a very young Barrett Lyon—an early cybersecurity services businessman who built one of the first denial of service protection companies, Prolexic Technologies—and Andy Crocker, who at the time was an agent for the UK’s National Hi-Tech Crime Unit.

Menn also manages to sprinkle in a discussion of some of the significant cybersecurity milestones from around 1995 to about 2009. He talks about the rise of cyber espionage and one of the first public discoveries of a state-sponsored amateur hacker group called the Chinese Network Crack Program Hacker (NCPH) group.

Menn also describes one of the first and most notorious known organized cyber crime syndicates, the Russian Business Network (RBN), which was virtually untouchable by law enforcement during this period. The owner of the syndicate was the son of a high-placed political official, so even if a Russian police officer felt the urge to arrest this cyber criminal, there were powerful forces within the Kremlin that made it a good idea not to.

Menn also covers the familiar ground of Estonia, Georgia and Kyrgyzstan where attackers first proved that cyber warfare was possible, and he documents some of the first uses of distributed denial of service (DDoS) attacks as an extortion tool. He explains the rise of bulletproof-hosting providers (essentially criminal Internet service providers) and the impotence of US law enforcement when tracking Russian cyber criminals during this period. In fact, Menn almost takes relish in describing the complete lack of respect for the FBI from the cybersecurity community during this time.

The Story

These details are side stories. The bulk of the book is about the rise of cyber crime. Lyon’s story is how he was sucked into protecting some less-than-savory companies that dabbled in offshore gambling and porn. Organized crime rings ran most of these operations, and the criminals involved were not above trying to sabotage their competitors’ efforts.

Offshore gambling became popular about the same time that hackers discovered that it was possible to launch DDoS attacks that could take a website or a data center offline by simply bombarding it with random data streams from thousands of computers – a botnet – around the Internet. These new cyber criminals used those kinds of tools against their competitors in an effort to drive them out of business. Lyon’s company owned the technology that could mitigate these kinds of attacks, and the organized crime operators came calling to get his help. Lyon’s story is about how he naively gets involved with these cyber criminals and subsequently tries to get himself out of the situation. It was not easy.

Crocker’s story is a bit different. He was an old-school British police officer frustrated with the inability of law enforcement to break down jurisdictional lines across international borders to arrest known cyber criminals. He and his National Hi-Tech Crime Unit decided to do something about it. Instead of waiting for Russian law enforcement to be compelled by political leaders to cooperate, Crocker went into the Eastern Bloc countries to build relationships with local law enforcement officials who were just as eager to bring these new cyber criminals to justice as he was. He had one tried-and-true method to accomplish this task: drink lots of vodka together. Over time, he built trust and friendships with his Russian counterparts and had amazing success arresting cyber criminals in the area.

Menn got a lot of help writing this book from various prominent cybersecurity researchers and journalists of the time. He singles out important commercial cybersecurity intelligence organizations like iDefense, Team Cymru, and SecureWorks. He pointedly casts disdain on several anti-virus vendors, including Kaspersky Lab, as ineffective, and on the perception that Russians were falsely persecuted by the rest of the world over who was responsible for cyber crime, cyber hacktivism, and cyber warfare.

I do have a couple of quibbles with Menn’s story. He claims that RBN was the main force responsible for the DDoS attacks against Estonia and Georgia. While it may be true that computers within the RBN botnet system participated in those offensive attacks, I do not find Menn’s evidence compelling that RBN leaders orchestrated the attack on their own.

Both attacks had too much precision—some would say military precision—to be run from a civilian organization. I also do not like the way that Menn jumps back and forth in the timeline. For example, in one chapter, he will talk about events in 2008, jump to events in 2002, and then jump ahead to significant events in 2006. He makes it tough for the reader to understand the narrative arc. I would have appreciated a straight-up timeline to keep everything straight. But these are small quibbles. I do not have any compelling evidence either about who is responsible for the Estonia and Georgia attacks, so who am I to criticize the way that Menn tells this complicated story?

Conclusion

If you are interested in the evolution of cyber crime, Fatal System Error is a good reference. If you read this book and another that I just recently reviewed, Kevin Poulsen’s Kingpin, you will have a fairly thorough understanding of the cyber criminal world. Fatal System Error is a vital historical reference for the cybersecurity community. It is worthy of being a part of the Cybersecurity Canon, and you should have read it by now.

The Cybersecurity Canon: Daemon and Freedom

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Daemon (2006) and Freedom™ (2010) by Daniel Suarez

If you appreciate hacking stories like The Girl with the Dragon Tattoo or gaming stories like Ready Player One or stories that combine both like Reamde, you will love both Daniel Suarez’s Daemon and his Freedom™ like I did.

These two books tell one long story and are loaded with seemingly futuristic ideas that are just years away from general deployment. Suarez introduces these new ideas from an old-school hacker perspective in an effort to reboot the world order.

He demonstrates quality writing that gets the technical details right. The two books combine into one story that is Cybersecurity Canon-worthy.

Two Books, One Story

Published by Verdugo Press, but self-published first by the author and his wife in 2006, Daemon is a story about hackers who begin a revolution using near-future technology as catalysts to change the world. The sequel, Freedom™, published in 2010, is really the second half of the story. Together, Daemon and Freedom™ describe what a world rebuilt from the ground up would look like if hackers were to seat themselves comfortably at the design controls.

The premise is fascinating. Matt Sobol is the long-time CTO and founder of a gaming company that built and maintains a hugely successful World of Warcraft-like massively multiplayer online role playing game (MMORPG). With that experience, he learned a little something about artificial intelligence and how it interacts with real humans. In the first few pages though, Sobol dies of cancer. In his place, he leaves behind a software daemon that, in interviews, Suarez has said is a “transmedia news-reading, human-manipulation engine.”

For the uninitiated, the word daemon is “an acronym for Disc and Execution Monitor [used in UNIX environments] and is pronounced {dee-mon}. Essentially it is a program that runs in the background, fully automated, and usually handles mundane activities such as log in requests, initiating transactions, etc.”

Sobol’s daemon is a little more sophisticated. As the mad genius of the story, Sobol anticipates his death, designs a complex logic tree of potential outcomes, and configures the Daemon to watch for those outcomes. His purpose is to inject catalysts into the old-world system to cause revolution, a reboot if you will, and he is not against burning the entire world down to get it.

Suarez tells the story in two parts. The first book, Daemon, revolves around the rise of the Daemon, its disciples in the Darknet community, and how the US government and its corporate partners plan to defeat them. The good guys in the story, the ones organizing against the Daemon, consist of an NSA code breaker, a local California cop, an FBI SWAT team commander, a CIA special operator, and a software security consultant/gamer/hacker.

The second book, Freedom™, focuses on the Darknet reboot aftermath, how society changes for the better after the reboot, and the cataclysmic showdown between Darknet forces and the commercial and government forces attempting to hang onto the past. Some of the good guy forces from the first book eventually switch over to the Darknet side, realizing that there is no going back and that the reboot result is way better than the old system.

The Tech

Some of the hype around Suarez is that he is a legitimate heir to the Michael Crichton throne of storytelling, specifically fiction such as Jurassic Park, State of Fear, Prey, and Disclosure that is about the societal impact of technologies that are just a few years away from reality.

I concede the comparison. Both of Suarez’s books are loaded with fantastic ideas that already exist and could be in common use within the next decade. Things like “sound production without speakers [that] can make voices appear in mid-air,” autonomous vehicles (in 2006, this was four years before military drones became the operational centerpiece to President Obama’s foreign policy decisions in the Middle East), advanced voice-recognition systems, desktop manufacturing, and augmented reality are just some of the technologies that drive the Darknet.

Of course, because Sobol is dead, he needs living surrogates to do his bidding. One of the things his Daemon does is recruit, initially from his game. For the non-gamers in the crowd, people who excel in MMORPGs have a lot more skills than simply pressing the Enter Key really fast in order to kill monsters. As they progress in the game and gain experience, they learn how to organize large groups of people from around the world, function within a team to accomplish team goals, assess strengths and weaknesses within the team and of potential adversaries, and plan and execute operations that leverage those strengths and weaknesses for success.

If you think I am kidding, read Rich McCormick’s article in The Verge that describes the epic space battle that occurred in January of this year. In an MMORPG called Eve Online, McCormick estimates that more than 5,000 players joined the fray on both sides of a conflict that ultimately resulted in the loss of more than $200,000 of real US dollars because of the resulting virtual spacecraft damage. Building up fleets of that size takes years of planning and effort. The skillsets involved are quite extraordinary. In the game world, these people are the centers of power and manipulation, and the results of their actions can mean real money.

Sobol knows this and recruits the best players in his game by giving them special missions to test their individual skill sets. He eventually sends the best of the best out of the game to accomplish real-world missions, and this is where the hacking comes in.

One of the main recruits is Brian Gragg (hacker name: Loki). Sobol tests Loki by having him break into a remote facility using nothing but his hacking skills. Loki uses a software tool called “Netstumbler” to locate a wireless access point that is using Wi-Fi protected access (WPA) for authentication. He uses another software tool called “Air-Jack” to force key exchanges from the Wi-Fi router and uses a third tool called “Asleap” to collect the wireless key exchanges.

Loki cracks the WPA key by using an off-line phase-shift keying (PSK) dictionary, basically a collection of words that he can test (brute force) against the acquired keys. Once on the network, he uses a fourth tool called “Superscan” to ping sweep and port scan the entire network. He telnets to the one Unix machine (OpenBSD) that he can see and uses a simple network management protocol (SNMP) buffer overflow attack to compromise it. Once in, he finds that the Unix box is connected to a Web server that is tightly locked down. He uses an SQL injection attack to break in, and Sobol rewards Loki by making him a key operative in the Daemon’s quest.

That sequence is a real-world hack using legitimate hacker tools that could have worked in 2006 (when Suarez wrote the book), and most likely, a hacker could use a variation of it to break into some systems today.

Sobol collects people like Loki, black-hat hacker types, who have no moral problems with killing bystanders and intermediaries for the greater goal. But he also collects people with more socially acceptable skills to round out his new world order called the Darknet. The purpose of the Darknet is all-out destruction of the status quo: corrupt governments and the international corporations that pull the strings in the background. The Daemon infiltrates as many corporations as it can (the good ones and the corrupt ones) via the Internet and through Sobol’s Darknet operatives in the real world. But the Daemon does not destroy these companies; it creates a symbiotic relationship with them. It tells the organizational leadership of these now-infiltrated organizations that if they accept the relationship and some basic behavior rules, they can still function. If they don’t, the Daemon will destroy them.

Many do not comply, and the Daemon vaporizes them by erasing all of their corporate data (and whatever backups they had). Those that comply donate a small percent of their revenue to the Darknet cause but are allowed to stay in business. The money the Daemon collects from the thousands of companies it infiltrates funds the growing Darknet.

Darknet operatives wear specially designed sunglasses that act as a direct connection to Darknet operations. The glasses provide the wearer with an augmented Darknet reality, broadcasting video as an overlay to the world directly to the inside lens. The augmented reality allows Darknet operatives to recognize other members and to manipulate Darknet objects, initially Daemon programs but eventually programs and data sets created by other Darknet members. The Darknet glasses are eerily similar to the Google Glass experiment that we started reading about in 2012.

Darknet operatives plan and communicate through this interface, this D-Space. Their opponents desperately try to crack and infiltrate the D-Space network in order to collect intelligence that will help them defeat the Darknet forces. I found this idea intriguing and realized how closely it mirrors some thinking from the intelligence community in the last decade.

US intelligence organizations have considered the prospect that these MMORPGs could be used for terrorist planning purposes. You can log in from all over the world, your avatar is for the most part anonymous, you have access to voice and message communication services within the game, and the language of the game lends itself to planning and destroying military and civilian targets. Players of the game use the same language to actually play the game.

Conclusion

I loved these two books. They fit nicely into two separate categories that I like to track: hacker novels that do not exaggerate the genre and the combination of gaming and future intelligence collection.

It is not a perfect story by any means. You have to suspend disbelief a bit to accept the notion that Sobol could anticipate every major response to his Daemon over a three-year period. With Sobol’s great insight, he develops a viable plan to do something about each and every response from his opponents and programs the Daemon to execute that plan, and everything happens without a glitch. Personally, I can’t get my browser to work correctly unless I reboot the computer on a regular basis. But I am fine with that little conceit. Sobol is the mad genius after all, and I have suspended my disbelief for other novels with similar characters. Also, Suarez presents a love story between the good guy hacker and the NSA code breaker that seems a little forced. But these are minor quibbles. Daemon and Freedom™ together represent an engaging story. Along the way, Suarez introduces the reader to some new tech that will be available to the general population in the near future, describes what it takes to be a real hacker, and highlights how the lessons learned through MMORPG development might be beneficial in the real world.

The bigger notion that Suarez gives the reader, one that can be lost with all the other amazing things going on, is that Suarez does not like the direction the country, and indeed the world, is going. He believes that most people do not realize it, but that we are all slaves to some severe controls that our governments and their corporate sponsors place upon us, that we all depend too much on these handlers and give away too many liberties to them in the name of security and fear. The title of his second book, Freedom™, is no accident. He does not believe that we can unshackle ourselves without some sort of major cataclysm. In this exciting story, the Daemon causes that cataclysm.

The Cybersecurity Canon: Kingpin

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Kingpin: How a Hacker Took Over the Billion-Dollar Cybercrime Underground (2011) by Kevin Poulsen

Kingpin tells the story of the rise and fall of a hacker legend: Max Butler. Butler is most famous for his epic, hostile hacking takeover in August 2006 of four of the criminal underground’s prominent credit card forums. He is also tangentially associated with the TJX data breach of 2007.

Butler’s downfall resulted from the famous FBI sting called Operation Firewall where agent Keith Mularski was able to infiltrate one of the four forums Butler had hacked: DarkMarket. But Butler’s transition from pure white-hat hacker into something gray—sometimes a white hat, sometimes a black hat—is a treatise on the cyber criminal world. The author of Kingpin, Kevin Poulsen, imbues the story with amazing descriptions of how Butler hacked his way around the Internet and pulls the curtain back on how the cyber criminal world functions.

In much the same way that Clifford Stoll’s The Cuckoo’s Egg reads like a spy novel, Kingpin reads like a crime novel. Cybersecurity professionals might know the highlights of this cyber criminal underworld, but Poulsen is able to provide a lot of detail about how this world functions that is mostly understood only by the cyber criminals themselves and the law enforcement officials who stalk them.

The Story

Back when I first learned of the Max Butler story, I remember being fascinated at the time that this guy was linked to another strange and amazing story about the hackers behind the TJX breaches in 2007. I even presented the story at RSA in 2010. Poulsen, from Wired magazine, did some of the original reporting on the story in 2008 and then took the time to publish this book about it in 2011.

Butler—a.k.a. Iceman among other aliases—happened to be one of the underground’s most notorious carders. For the uninitiated, a carder is a hacker who engages in the illicit collection (theft) and underground-market selling of stolen credit card information. Butler’s infamy did not just come from his brilliant hacker prowess, however. The hacking community considers him to be a hacker god because of his unbelievable moxie. Poulsen fills the book with unbelievable stories of hacker derring-do, but in my humble opinion, Butler’s most astonishing act came when he decided that he did not like the status quo of the current carding scene.

After Shadowcrew

Two years after the feds shut down the Shadowcrew underground carding forum in October 2004, the carding community was fractured. Multiple carding groups emerged to fill the space left by Shadowcrew, but there was mistrust in the air, and none of the hackers were sharing information. Butler had a naive view of the hacking world and believed that there should be a place for underground researchers to freely share and discuss this kind of credit card information without the worry of getting arrested. He thought there needed to be a place where people like him could meet and discuss tradecraft and business within a trusted environment. So, he decided to fix the situation.

In a 48-hour marathon hacking session, Butler compromised the four leading carding forums of the day, which were run by criminal hackers; stole the user databases that resided there, which included user IDs and passwords; stole the forum transcripts that also resided there, which included everybody’s chat sessions; reinstalled everything on his own forum called CardersMarket; destroyed the data that resided on those rival forums; and then sent an e-mail to every user on the four compromised servers saying that he was now the forum Kingpin. How awesome is that? What ego does it take to even think that you could get away with such an operation? But he did. The customers of the now-defunct servers—the cyber criminals—grumbled a bit. But because they could continue to operate, most stayed on Butler’s new CardersMarket forum.

One of the four forums that Butler compromised was called DarkMarket. This is the same forum that FBI agent Keith Mularski was able to penetrate as an undercover agent just months prior to Butler’s takeover. Mularski convinced the owner of DarkMarket to let him be the forum administrator. Because of that, DarkMarket was the only forum to survive Butler’s attacks. Mularski was scrupulous about making backups, and because of that, he had DarkMarket back online only days after Butler’s blitzkrieg. He remained undercover as a forum administrator and monitored every conversation on the forum for the FBI for two years. Because of that effort, Mularski helped put the puzzle pieces together that ultimately resulted in Butler’s arrest.

Before Kingpin, I always assumed that Butler suspected Mularski as being a fed from the start. According to Poulsen, Butler had traced Mularski’s IP address back to the National Cyber-Forensics & Training Alliance (NCFTA) and knew he was a plant. Butler told anybody on the forums who would listen to him to stay away from Mularski, but nobody believed him.

Poulsen describes how the “new” CardersMarket forum was a cesspool of mistrust and politics, and Butler accused a lot of hackers of working for the feds as they accused him of doing likewise. Nobody got any traction. Butler’s takeover did not instigate a new era of trust and cooperation among the carders; it had almost the opposite effect.

The Tech

Butler’s gateway drug to hacking was probably the online phenomenon called TinyMUDs, the successors to multi-user dungeons (MUDs). MUDs were typically Dungeons & Dragons (D&D)-themed multi-user text-based games, the precursor to the three-dimensional and graphical massively multiplayer online role-playing games (MMORPGs) like World of Warcraft today. TinyMUDs discarded the D&D game elements and allowed users to meet each other and build onto their environments as they saw fit, kind of like the precursor to the three-dimensional MMORPG called Second Life. I recently highlighted this MUD culture in a blog about another Cybersecurity Canon-worthy novel called The Blue Nowhere. Just like both hacker characters in The Blue Nowhere, Butler was an avid TinyMUD player, and also just like the hacker characters, he stored the tools of his trade in unsuspecting compromised sites, tools like NetXray, Laplink, and Symantec’s pcAnywhere.

Throughout Poulsen’s book, it is clear that Butler never really understood where the line existed between white-hat and black-hat activity. One of Butler’s early epic hacks came about when the security community discovered a gigantic security vulnerability in the BIND implementation of the domain name system (DNS).

Thinking that it was his duty as a white-hat security researcher to fix the problem, Butler crafted a buffer overflow attack that leveraged the vulnerability, scanned the Internet for DNS systems that were vulnerable, compromised those machines with the buffer overflow attack, downloaded a rootkit to each of the machines that he now owned, and installed the patch that fixed the vulnerability. He thought he was doing a worthy community service to the world. The owners of all of those DNS boxes had a different opinion.

As a white-hat researcher, he helped develop BRO, one of the first experiments in intrusion detection systems. While assisting the Honeynet Project, he developed a program called Privmsg that allowed him to reconstruct hacker chat messages by listening to network traffic. The guts of Privmsg became a part of BRO.

Wearing his black hat, Butler became an expert at wardriving to find unprotected WiFi sites that he could use to hide his hacking activity. He used the Bifrost Trojan to gain entry into unsuspecting victim computers but modified it to bypass anti-virus engines. He tested his modifications on multiple VMware instances running different versions of anti-virus engines. Then he delivered his creation to other black-hat hackers in order to see what they were doing and to steal their credit card dumps for his own profit. He took advantage of a serious vulnerability in a software program called RealVNC. VNC stands for virtual network console, and the RealVNC software ran on point-of-sale devices on many small businesses’ computers. Like he did with the DNS vulnerability, Butler scanned the Internet looking for vulnerable instances in order to compromise the machines and steal the credit card information that the business owners collected daily. To say the least, he was a little conflicted.

Butler’s business partner, Chris Aragon, was responsible for the money-laundering piece of their illicit carding enterprise. After reading Poulsen’s description of the mechanics, you cannot help but think that being a cyber criminal is really hard work. Most non-geeks never really think about the difficulty of converting stolen credit card numbers into real cash. There is a convoluted process involving specialized equipment and many small transactions involving multiple people. You essentially have to make credit cards, and the accompanying driver’s licenses, by imprinting the credit card numbers and user information onto blank card material. You hand those cards to your mules—in Aragon’s case, four or five young and attractive women—who would spend the day shopping for high-end luxury items. The mules returned the merchandise to Aragon, who in turn sold it on eBay at reduced prices. Poulsen goes into great detail about how Aragon, and later Butler on his own, went about this daily business.

Poulsen also describes how the advent of distributed denial of service (DDoS) attacks originated in the hacking community as a way for black-hat hackers to mess with each other. But when Michael Calce—a.k.a. MafiaBoy—launched an experimental DDoS attack against some prominent public websites—CNN, Yahoo!, Amazon, eBay, Dell, and E-Trade—the cat was out of the bag, and the result was an emergency meeting of security experts at the White House.

Butler used hard drive encryption to protect his data and, by inference, his hacking activity. The thought was that this best practice in the hacker community would protect hackers in case law enforcement seized their equipment. Law enforcement officials could grab the hard drives, but because the drives were encrypted, officials would not be able to read any of the information. When the feds finally showed up on Butler’s doorstep, accompanied by some forensics experts from Carnegie Mellon, Butler thought he was secure. Unfortunately, they showed up almost unannounced, and Butler did not have the time to power his systems down. What he did not realize is that while the systems are running, the key for the encryption is stored in RAM. It took them a while, but the forensics experts were able to find the encryption key in RAM and unlock Butler’s hard drives.

Conclusion

Poulsen nails this story. He recounts the transition of Max Butler from pure white-hat hacker into something gray: sometimes a white hat, sometimes a black hat. The technical hacking detail is fascinating, but more importantly, Poulsen is able to pull the curtain back on the cyber criminal world and describe how it functions with a lot of detail. You should have read this by now.

The Cybersecurity Canon: Worm

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Worm: The First Digital World War (2011) by Mark Bowden

Worm: The First Digital World War is the story of how the cybersecurity community came together to do battle with what seemed at the time to be the largest and most significant cyber threat to date: the Conficker worm, which was covered frequently by Palo Alto Networks researchers, among many others.

It was the time of the Estonian and Georgian distributed denial of service (DDoS) attacks, and the Conficker botnet was growing to be the largest DDoS delivery system ever created. A white hat group of cyber übergeeks formed the Conficker Cabal to stop the worm because most of the world could not even understand it, let alone do something about it.

Mark Bowden, who wrote Black Hawk Down: A Story of Modern War among other books, accurately captures the essence of our cybersecurity community in times of crisis. He compares us all to cybersecurity superheroes, like the X-Men of Marvel Comics fame, because of what he sees as our superhuman ability to work with computers and our desire to help each other.

Seasoned security professionals will learn nothing new here in terms of technology and craft, but they will remember that time and how we were all very worried about 1 April 2009: the day that the world thought that Conficker would come to life.

I think freshmen security practitioners will get a lot out of this book, however. Bowden does a great job of simply and clearly explaining many of the key technical pieces that make the Internet run. If you’re new to the community, this book makes a great introduction. It is canon-worthy material, and you should have read it by now. (But more importantly, how can you not like a book where the author favorably compares the cybersecurity community to the X-Men? As Stan Lee likes to say, “’Nuff said.”)

The History

When Bowden published Black Hawk Down, I was blown away. In that book, Bowden puts you right in the streets of Mogadishu, Somalia, with the soldiers, rangers, and bad guys who made up that fight. And then, when the 2001 movie came out and was equally as intense, I felt like I had some smidgen of understanding regarding what the U.S. armed forces had to deal with during this specific fight but, more generally, what they have to endure every day when they are deployed to areas like the Middle East.

When I heard that Bowden was taking a stab at the story behind the Conficker worm, I was excited. He is a high-caliber author attempting to describe the geeky details of the cybersecurity community at a key point in our history. I was hoping that he would make what we do in the security community sound as interesting and astonishing as he made the soldiers sound in Black Hawk Down. I think that he accomplishes this task but not in the way that you might think. He succeeds in giving a bird’s-eye view of our community’s collective thinking process. He captures our almost universal and delightful, if somewhat naive, belief that we should all help each other out and contrasts that to the relative size of our egos and how self-destructive that can be to a group effort.

As you may recall, Conficker is a worm that started targeting victims running the Windows operating system in 2008. For non-techie readers, a worm is a piece of malicious code designed to compromise a computer and then replicate itself automatically through the network to as many computers as it can. Every compromised host belongs to the worm’s collective called, in generic terms, a botnet or a robot network. It is a robot network because the owner of it can direct every machine within the collective to do his or her bidding: deliver spam, decipher encryption, dispatch denial of service attacks, etc.

John Brunner, the author of The Shockwave Rider, first wrote about the idea of a worm in his prescient 1975 novel a full decade before the Internet was more widely talked about. Around the same time, Robert Thomas built the first proof-of-concept worm called Creeper, which was designed to be an experimental mobile program in which the program itself would look around the network to find the best computer to use for its task. It was not until 1988 when the Morris worm brought the Internet to its knees that we all began to understand what a malicious application of a worm might accomplish.

Today, botnets are reusable. Authors send new instructions to their botnets when they want to repurpose them through some sort of command-and-control mechanism. The difference between a virus and a worm is that a virus does not try to spread on its own. Good worms spread very fast. Famous worms in our short Internet history include the Morris worm, Code Red and Slammer.

In the Slammer case, the worm infected 90 percent of the vulnerable computers connected to the Internet within ten minutes of the first infection. Let me restate that again so that you understand the magnitude of that incredible statistic: of the 75,000 machines connected to the Internet that were vulnerable to the attack, the worm compromised 90 percent of them in the first ten minutes after it compromised victim zero. The mind boggles.

Security researchers first noticed the Conficker worm at the end of 2008. Microsoft immediately patched the vulnerability in its operating system, but because many of the computer owners who run the Windows operating system do not patch their systems regularly, they were vulnerable to the attack. By the end of 2010, as Bowden explains, infection rates had grown large enough to pass the Slammer worm infection rates of 2003. Strangely, the botnet owners had not done anything with the system yet. Between 2008 and 2010, the botnet sat idle, growing exponentially but never being used, growing around the same time as other real-world cyber events took place, including the 2007 DDoS attack against Estonia and the 2008 DDoS attack against Georgia.

The community had DDoS attacks on the mind. Prominent individuals in the security community became alarmed that this new threat, this new weapon, this largest denial of service machine ever created, was continuing to grow unabated. Some decided to do something about it. The “cabal,” as it was affectionately referred to by its members and later changed to the Conficker Working Group, had many security luminaries.

The Story

Bowden spools the story out in two threads. The first thread is the description of the punch-counterpunch between the cabal and its adversaries. It’s fascinating and shows how two groups of übergeeks—the cabal and the Conficker authors—who understand the Internet and its systems in a way that mere mortals could not comprehend did battle over a two-year stretch in a classic white-hat-versus-black-hat confrontation. Rarely does the public get to see this interchange in the public arena. Other books that cover similar battles are Clifford Stoll’s The Cuckoo’s Egg and David E. Sanger’s Confront and Conceal, both of which I’ve already reviewed for the Cybersecurity Canon.

The second thread of the story is about the people working in the cabal. This is where Bowden hits the ball out of the park as an author. He compares the group members to the X-Men, the famous Marvel Comics super hero team with mutant abilities:

“What were superheroes, after all, but those with special powers? Marvel’s creations were also invariably outsiders, not just special but mutant, a little bit off, defiantly antisocial, prone to sarcasm and cracking wise, suspicious of authority, both governmental and corporate.”

Bowden describes how most of the cabal members had realized at one time or another that compromising computer systems was pretty easy. That ability was their “mutant superpower.” Most “normal” people have a hard time simply understanding the computer’s on-off switch. These übergeeks did not. And when they were doing their normal day jobs, they assumed the role of the mild-mannered Clark Kent: not intimidating and practically invisible to the rest of the world.

Writes Bowden: “They went about their day jobs as unassuming techies, men whose conversation was guaranteed to produce the Glaze, but out here in the cyberworld they were nothing less than the Anointed, the Guardians, the Special Ones: not just the ones capable of seeing the threat that no one else could see, but the only ones who could conceivably stop it.”

“The Glaze.” I love that phrase. I have seen it many times on the faces of my friends and family members when they politely ask me a question about what I do for a living. Sometimes I forget and actually attempt to explain it until I get, as Bowden says, “the unmistakable look of profound confusion and uninterest that descends whenever a conversation turns to the inner workings of a computer.”

I think my record for achieving “The Glaze” is less than 10 seconds.

The Tech

To describe the punch-counterpunch of the übergeeks, Bowden has to explain a lot of the technical pieces involved in order to make the story compelling, and he has to describe a bit of Internet history so that the reader can understand why the conditions for the Conficker worm were perfect for when they occurred.

Bowden has a knack for taking complex Internet technology and explaining it in a way that even a non-techie can understand. He uses a wonderful analogy comparing a botnet to the Starship Enterprise, explains the Internet by comparing it to human brain function, and describes buffer overflows by demonstrating how a chef reads recipes and cooks food in a kitchen.

He also does a decent job explaining the function of communications ports, why malcode is packed (compression and stealth), the difference between dynamic and static malcode analysis, why bad guys obfuscate their code, and how public key encryption and the Domain Name System (DNS) work.

Conclusion

Bowden’s critics like to deflate the importance of this book because the Conficker authors never used the system to any significance. Well, actually, two weeks after the 1 April 2009 update, the Conficker authors rented the botnet to a well-known spammer named Waladec, and in June 2011, US and Ukraine law enforcement officials arrested 16 Kiev hackers who used Conficker to steal $73 million from international banking accounts.

However, nobody used the botnet to take down the Internet like the Morris worm did. After the cabal finally succeeded in getting the security community worried about the potential threat, the 1 April deadline came and went with a whimper. The press compared it to the other great nonevent of our Internet history: Y2K. The cabal did not succeed in eradicating the worm from the Internet either. The group stopped it from receiving instructions—check—but they were unable to kill it—no checkmate. At last count, Conficker continues to infect some twenty-four million computers connected to the Internet.

But here’s why I think that criticism is shortsighted. Back then, during the time of the Estonia and Georgia DDoS attacks, we were all still thinking that somebody might try to kill the Internet for some diabolical purpose. That thinking has largely changed since then. Why would bad guys kill the Internet when they need it to accomplish their goals?

Back then, we were all concerned about it. Bowden captures the security community coming together to combat a potential worldwide threat, a threat that few people on the planet could fully understand, let alone do something about. He precisely and, I think, accurately captures the essence of our community, these cyber X-Men with the übergeek superpowers who volunteer to combat this threat simply because they can.

For that reason alone, the book belongs in the cybersecurity canon. But if you are trying to explain some of this stuff to, say, a nongeek boss, this book also might come in very handy. I believe it is canon-worthy material, and you should have read it by now.

The Cybersecurity Canon: The Blue Nowhere

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

The Blue Nowhere (2001) by Jeffrey Deaver

Jeffery Deaver is best known in literary circles as a crime novelist. He is not normally associated with technical thrillers, but he turned his writing skills in this book to a manhunt-type story where the serial killer in question is also a world-class hacker.

The Blue Nowhere is a cyber thriller written by an accomplished novelist about the hacking culture. It is interesting to compare this to other more recent cyber thrillers written by cyber experts who are writing their first novels, such as Richard A. Clarke’s Breakpoint (2007) and Mark Russinovich’s Zero Day (2011) and Trojan Horse (2012), all of which I’ve reviewed in previous installments in the Cybersecurity Canon. Compared to Clarke and Russinovich, Deaver may not have as much of a technical background, but he knows how to flesh out his characters. The Blue Nowhere feels more like real people in a cyber story as opposed to a cyber premise populated with cookie-cutter characters.

Phate

When the cops in Deaver’s book realize they have a serial killer-hacker on the loose, they break another hacker out of jail temporarily to be their subject-matter expert. What results is a hacker-on-hacker escalation where hackers try to one-up each other in a series of social engineering and hacking operations.

As was the custom in the 1980s, self-proclaimed hackers gave themselves nicknames. The nickname of the serial-killer-hacker is “phate,” intentionally spelled with a “ph” instead of an “F.” Members of the “cracker” subculture that emerged in this decade were mostly teenagers determined to play and share games and other programs they did not pay for. “Cracking” the software so that other members could use it gave the group their name. Members merged skateboard jargon and hacker jargon into a unique lexicon called “leet-speak” where letter substitutions were common on bulletin board communication systems: “ph” for “f”, “z” for “s”, “3” for “e”, etc. On the good-guy side, the recruited hacker is Wyatt Gillette (a.k.a. ValleyMan and renegade334).

There’s a decent love story between Wyatt and his estranged wife and a feel-good father-son mentorship side-story between the lead detective and Wyatt. But the primary manhunt story line is good and Deaver gets the computing and hacking-culture details right.

The Tech 

Deaver does a good job aligning the hacking culture with the gaming culture of the time. During the 80s and 90s, many of the same people who were involved in the hacking community were also involved in the gaming community. That relationship is not quite as common these days, but back then, there was a lot of overlap in the two worlds. You could usually count on the fact that if a hacker had any skill at all, he or she also spent some significant time crawling through multi-user dungeons (MUDs), which are text-based adventure games that are the precursor to the World of Warcraft-styled games we see today.

It turns out that phate and Wyatt both logged significant hours in their MUD of choice called “Access.” In this game, the main point was to sneak up on your opponents and get close enough to assassinate them, to get access to them. phate decided that he needed to play Access in the real world and set off on a killing spree.

The story is set in the late 90s in and around the Silicon Valley, and Deaver does a good job setting just the right tone for the hacker and computer industry culture during that Internet bubble period (1997–2000). He even takes the time to provide little historic tidbits regarding the evolution of computing. phate plans his killing to coincide with significant milestones in computing history, from the University of Pennsylvania announcing the first general-purpose computer to the world in 1946 to IBM’s 1981 announcement of the first affordable home computer for the masses.

phate and Wyatt use a mix of real hacker and forensics tools—like Norton Commander, SATAN (Security Administrator Tool for Analyzing Networks), restore, and HyperTrace—and fake tools that sound genuine—like Vi-Scan 5.0, the FBI Forensic Detection Package, and the DOD Partition and File Allocation Analyzer—to do battle with each other.

Back in my IT days, I routinely ran Norton Commander on my disk operating system (DOS) computers and SATAN on my UNIX networks. For a non-techie, Deaver does a great job of explaining what a computer BIOS is, how hackers and crackers of all sorts had thick calluses on their fingertips because of how much time they spent in front of their computers, and how hackers stash their tools of the trade all over the Internet so that they can quickly grab them from any location in the world. However, his coup de grâce was his explanation of TrapDoor.

TrapDoor is a fictionalized tool that phate develops to track his victims and enemies. phate essentially creates a man-in-the-middle attack by compromising many of the major Internet Service Provider (ISP) border-gateway-protocol (BGP) routers (like Sprint, AT&T, Qwest, and others). These are the routers that form the Internet’s backbone by connecting ISPs. Once phate discovers the IP address of the victim’s computer, he instructs his botnet of BGP routers to watch for traffic to and from that address.

If the botnet sees traffic from that IP address, the botnet redirects that traffic to phate’s own servers for collection and then returns the traffic to the normal packet stream. The victim notices nothing because phate is not on the victim’s computer. That would be a nice trick if a hacker figured out how to do it. In his endnotes, Deaver explains that TrapDoor is not a real tool and that he does not know if any hacker has subsequently built it, nor does he name anybody who might have given him the idea for it. However, it seems unlikely that a crime novelist could develop that attack blueprint without talking to somebody who is at least thinking about how it might be done.

Conclusion 

The Blue Nowhere is a good cyber thriller that gets the technical details right. I put this square on the shelf with other novels about hackers that do not exaggerate the craft. It also has the added benefit of being written by an accomplished novelist who knows a thing or two about plot, character development, and pace. It describes a time that we have mostly forgotten about these days: a time of modems, DOS, bulletin board systems, and the Internet bubble.

For the cybersecurity history buffs in the crowd, Deaver provides a nice window into the hacking culture of the time. It is a good candidate for the Cybersecurity Canon, and I highly recommend it.
