Addressing Cyberattacks via Positive Enforcement Model

Stop Playing Whack-A-Mole with Advanced Threats

As more and more details about the Target breach have emerged, security experts, bloggers and media have focused on why Target failed to react to alerts from zero-day malware point products that allegedly indicated there was malware in the network.

According to a Bloomberg BusinessWeek article, a team of security specialists in Bangalore, India, spotted the alerts and relayed the information to counterparts at Target’s headquarters in Minneapolis, who apparently failed to follow up. In fact, according to this Network World article, major companies often do not react to these alerts because they receive so many false positives that it takes too many resources to act on them.

Whether or not someone should have acted on the information is beside the point. The takeaway from this breach is that the strategy of tackling modern, advanced attacks via point products is flawed. The modern attack cycle, and the cyber criminals behind it, use a sophisticated system to attack enterprises. (Just think about the definition of APTs – advanced, persistent threats). Trying to defend against them with one-off point solutions is like playing a game of whack-a-mole: you are always one step behind the attacker, trying to catch up with the alerts as they are received. A tactical, negative enforcement approach using point solutions means that organizations are constantly trying to keep up with bad things in the network without proper context.

Jon Oltsik of Enterprise Strategy Group in his report entitled “Advanced Malware Trends, Opinions and Strategies” outlined this very eloquently:

“Following a historical pattern, many organizations want to address new types of malware with new kinds of threat prevention technologies. After all, this strategy worked reasonably well against e-mail threats, web threats, and endpoint threats in the past. Why not just buy another appliance to block new types of malware?

 Unfortunately, this strategy will simply add another one-off solution to an already chaotic security infrastructure. ESG believes that this type of enterprise security infrastructure based upon independent point tools and manual processes will ultimately fail because it is no match for the scale, sophistication, and complexity of modern IT and cyber threats.”

Addressing Cyberattacks via a Positive Enforcement Model

A better approach to addressing modern attacks is a positive enforcement model. Positive enforcement implies that you selectively allow what is required for day-to-day business operations, as opposed to a negative enforcement approach where you would selectively block everything that is not allowed.

When adopting a positive enforcement model, you would:

• Only enable applications, their application functions and content for certain groups and users. For example, “John” from group “Finance” can access the PCI zone using the “Oracle” application. All other traffic is explicitly denied. (Oh, and by the way, if you’re still using security appliances that classify traffic based on ports and protocols, you’re out of luck!).

• Next, for the application traffic that you’ve allowed in your network, you would inspect the applications for known threats, ensuring that common vulnerabilities are not being exploited by attackers.

• Sandboxing technology is then used to inspect unknown files for zero day malware that may have been downloaded by a gullible user in the network, or used to infect servers in the datacenter. Note that the sandboxing technology to inspect for unknown threats becomes the last line of defense, not a reactionary first line of defense.

• Information about zero day malware found via this sandboxing technology should then be used to create threat signatures to ensure no further infection or malware propagation in the network. In addition, information about indicators of compromise, command and control domains, DNS information should be fed into other threat prevention functions (like URL blocking for the new command and control domains), rapidly turning these unknown threats into known threats.
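The four steps above as a small policy evaluator. This is an added illustration, not code from the article or from any vendor product; the users, groups, zone names, port 1521 and the domain are constructed, and application identification is assumed to have been done upstream from traffic content.

```python
import hashlib
from dataclasses import dataclass, field

# Every user, group, zone, port, domain and payload here is constructed.


@dataclass(frozen=True)
class Flow:
    user: str
    dest_zone: str
    app: str                 # application identified from content (assumed upstream)
    dport: int
    file_bytes: bytes = b""  # file carried by the flow, if any


@dataclass(frozen=True)
class AllowRule:
    group: str
    dest_zone: str
    app: str


@dataclass
class Enforcer:
    rules: list
    groups: dict                                      # user -> set of group names
    known_bad: set = field(default_factory=set)       # SHA-256 of malicious files
    known_good: set = field(default_factory=set)      # SHA-256 of cleared files
    blocked_domains: set = field(default_factory=set)

    def evaluate(self, flow):
        """Return (verdict, detail). Anything not explicitly allowed is denied."""
        user_groups = self.groups.get(flow.user, set())
        # Step 1: positive enforcement on group + zone + application.
        if not any(r.group in user_groups and r.dest_zone == flow.dest_zone
                   and r.app == flow.app for r in self.rules):
            return ("deny", "no allow rule matches")
        if not flow.file_bytes:
            return ("allow", "allowed application, no file content")
        digest = hashlib.sha256(flow.file_bytes).hexdigest()
        # Step 2: known-threat inspection, applied only to allowed traffic.
        if digest in self.known_bad:
            return ("block", "known threat signature")
        if digest in self.known_good:
            return ("allow", "file previously cleared")
        # Step 3: an unknown file is handed to the sandbox as the last line of
        # defense. Whether the file is held meanwhile is a deployment choice
        # the article does not specify.
        return ("sandbox", digest)

    def ingest_sandbox_verdict(self, digest, malicious, c2_domains=()):
        """Step 4: turn the unknown into a known and feed URL blocking."""
        if malicious:
            self.known_bad.add(digest)
            self.blocked_domains.update(d.lower() for d in c2_domains)
        else:
            self.known_good.add(digest)

    def url_allowed(self, domain):
        return domain.lower() not in self.blocked_domains


def port_based_allows(flow, allowed_ports_by_zone):
    """Port/protocol classification for comparison: user and app are ignored."""
    return flow.dport in allowed_ports_by_zone.get(flow.dest_zone, set())


def build_example_enforcer():
    """The article's rule: Finance may reach the PCI zone using Oracle."""
    return Enforcer(
        rules=[AllowRule("finance", "pci", "oracle")],
        groups={"john": {"finance"}, "alice": {"engineering"}},
    )


if __name__ == "__main__":
    fw = build_example_enforcer()
    flows = [
        Flow("john", "pci", "oracle", 1521),
        Flow("alice", "pci", "oracle", 1521),
        # Unidentified application on the Oracle port: admitted by a
        # port-based rule, denied by the application-based rule.
        Flow("john", "pci", "unknown-tcp", 1521),
        Flow("john", "pci", "oracle", 1521, b"constructed sample file"),
    ]
    for f in flows:
        print(f.user, f.app, fw.evaluate(f)[0],
              "port-based:", port_based_allows(f, {"pci": {1521}}))
    verdict, digest = fw.evaluate(flows[-1])
    fw.ingest_sandbox_verdict(digest, True, ["c2.example.invalid"])
    print("after sandbox verdict:", fw.evaluate(flows[-1])[0],
          "c2 allowed:", fw.url_allowed("c2.example.invalid"))
```

The third flow is the case the article's aside about ports and protocols refers to: the port matches, so only a rule keyed on the identified application denies it.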

Benefits of a Positive Enforcement Model Approach

There are several benefits to this approach:

Context – Effective security for organizations is about building good context and managing risks. This positive enforcement model can be applied to various segments of the network, providing context and understanding of what is traversing the network. If the proper context is known about a particular segment being protected, any alerts can be acted on with the appropriate urgency.

Reduce attack surface – This positive enforcement approach also reduces the attack surface. By only allowing certain applications and application functions for user groups, any unknown traffic becomes more significant, and can signify hacker or malware activity or an unknown application.

Systems approach to attack lifecycle – the most important aspect of the approach above is transforming information about unknown zero day malware to known information that can be part of the arsenal of protection. Just as cybercriminals are using information found in the network to learn, adapt and refine their malware techniques to get to their target data, a proper systems-based threat prevention solution will continually learn and adapt to new threats.

If you’ve reacted to the latest zero day malware with a point product du jour, it’s time to take a step back and rethink your strategy. Sandboxing should only be one of many components in an integrated positive enforcement model approach to dealing with malware.

Danelle Au manages data center and service provider solutions at Palo Alto Networks. She brings more than 10 years of product and technical marketing experience in the security and networking market. Prior to Palo Alto Networks, Danelle led the product management and strategy efforts at Cisco for the TrustSec network access control solution and ASA 5500 Adaptive Security Appliance platforms. She was also co-founder of a high-speed networking chipset startup. She is co-author of an IP Communications Book, “Cisco IP Communications Express: Operation, Implementation and Design Guide for the Small and Branch Office” and holds 2 U.S. Patents.

[Source: SecurityWeek]

(ISC)² is 25 This Year: So What’s Ahead for the Organization?

W. Hord Tipton

(ISC)² is celebrating its silver anniversary as a global organization educating and certifying information security professionals. What are the key threats and trends driving the profession’s future growth?

The field has changed dramatically since 1989, when the International Information Systems Security Certification Consortium was established as a not-for-profit entity dedicated to education. When (ISC)² offered its first CISSP credential training, there were 500 applicants. Today, the organization serves more than 100,000 members in 135 countries, and its education programs are a vital element of a CISO’s career development.

W. Hord Tipton, executive director of (ISC)², says the organization is at a critical juncture.

“Our technology is just expanding exponentially,” Tipton says in an interview with Information Security Media Group. “We come from an area 25 years ago of really not having cellphones to now having smart computers hanging on our hips with more power than the Apollo [space capsule] that landed on the moon. It’s just amazing the things we have to change to keep up with this evolution.”

For the first half, maybe three-quarters of its existence, (ISC)² was primarily a certifying body, Tipton says. But the organization’s role has evolved dramatically.

“Now, having hit 100,000 members, we’re a self-sustaining operation,” he says. “We’re an organization that doesn’t exist for the mere sake of gaining members any more.”

Instead, Tipton says, “We refer to ourselves as an education and certification organization with social responsibility, as exhibited through our newly founded foundation.

“We try to build the security professionals of the future, and we want to get them early and keep them on a very robust and growing career path.”

In an interview about (ISC)² and its 25th anniversary, Tipton discusses:

  • Major accomplishments of the organization’s first 25 years;
  • The state of the security profession today;
  • Threats and trends that will drive future growth.

(ISC)² is a global leader in educating and certifying information security professionals throughout their careers. Before leading (ISC)², Tipton served as president and CEO of Ironman Technologies, where his clients included IBM, Perot Systems, EDS, Booz Allen Hamilton and Symantec. He also served for five years as CIO for the U.S. Department of the Interior.

[Source: Careers Info Security]

The Cybersecurity Canon: The Girl with the Dragon Tattoo

 

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education.

I presented on this topic at RSA Conference 2014 and will also be discussing it at Ignite 2014. I love a good argument, so feel free to let me know what you think.

The Girl with the Dragon Tattoo (2005) by Stieg Larsson

When I read The Girl with the Dragon Tattoo for the first time a few years ago, I got the idea that there must be a lot of books published involving hackers and how they hack. I started to seek them out to see if any of them were any good.

What I discovered was that you could categorize these hacker books into two broad categories. In one category, the author does not really understand hacking at all and does not even attempt to describe how anything is done. I call this the “Harry Potter School of Hacking”: the hackers do a lot of hand-waving and say a lot of magic words like “Sending spike now!” or “Breaking encryption, this will just take a couple of seconds,” but you never really see how they accomplish those tasks. A good example of this kind of hacker storytelling is The Zenith Angle by Bruce Sterling. I loved the story, but Harry Potter might as well have been the main character because the hacking accomplished is magically done.

In the other category, the author has spent some time trying to understand hacking culture and to describe exactly how the hacker did what he or she did. A good example of this kind of storytelling is The Blue Nowhere by Jeffery Deaver, which I reviewed for a previous Cybersecurity Canon post. Deaver gets the technical details right by describing real-world and fictional tools that the two main hackers use against each other. The Girl with the Dragon Tattoo also falls into this latter category. Not only is it a fantastic story, but Larsson also gets the technical details right.

You probably have seen the popular movie versions, but this is one case where you definitely need to check out the book.

The Story

The Girl with the Dragon Tattoo is a ripping-good detective story set in the vicinity of Stockholm, Sweden, during a time when the only way to connect to the Internet from your home was with inexpensive modem lines or expensive ADSL lines.

The story revolves around a disgraced journalist, Mikael Blomkvist, who agrees to take a research case from a very old family patriarch, Henrik Vanger. The case involves the disappearance of Vanger’s favorite niece, Harriet, some forty years prior.

At a family gathering on their private island, Harriet disappeared without a trace. The local law enforcement officials suspected a runaway, then suicide, then murder, but were unable to find any meaningful clues one way or the other. Vanger suspects murder and is convinced that someone in his own family was behind the crime, but because the members of his extended family all vehemently hate each other and have a long list of fetishes and prejudices, any one of them could have had the motive to do it.

For the seven years before Harriet disappeared, she gave Vanger a framed exotic flower to hang on his wall for his birthday. For the next thirty-seven years after Harriet’s disappearance, he anonymously received another framed exotic flower in the mail on his birthday. Each flower is a reminder that Harriet is gone, that Vanger has no clue what happened, and that the person sending the flower may be the killer, taunting him. Before he dies, which could be very soon, Vanger wants resolution and hires Blomkvist to solve the case.

With the mystery laid out, Larsson walks the reader through what he really wants to talk about: a culture of violence against women. The working title to the book before he published it translates as Men Who Hate Women, so you know what Larsson had in mind. Lisbeth Salander is the tattooed girl referred to by the book’s title. She is an orphan, a ward of the state, a hacker with a photographic memory who works for a private investigation firm, and a young woman who refuses to be a victim.

Lisbeth is an amazing character — a real woman with strengths and flaws but who can be held up as someone to admire for her intelligence and determination. Blomkvist hires her to help him with the Vanger mystery, and although the story is told from Blomkvist’s perspective, you come to realize that the story is really about Salander.

The Tech

The story is so engulfing that when I read it for the first time, I got through about 75 percent of it and realized that I had not seen a lot of hacking by the Tattoo Girl. All that Larsson did describe was a lot of innuendo. Phrases like “the Tattoo Girl hacked my password and looked at my hard drive” pepper the narrative, but Larsson would never explain how Salander hacked things.

I was ready to chalk the entire book up as a good read, but put it squarely in the Harry Potter School of Hacking stories, when I arrived at the second climax of the story. There are two parallel plots running through the book, and the final climax is where the hacking comes in. Larsson describes in fairly good detail how Salander was able to defeat an e-mail encryption scheme central to one of the story’s main resolutions, install a piece of stealthy malcode over time, remotely control a bad guy’s Dell laptop with her Apple MacBook (I think there is a political statement in there somewhere), and reroute his money stored in numerous bank accounts around the world to equally numerous anonymous accounts that she had sole control over. The hacking description is very realistic.

Conclusion

If you like mysteries and if you like stories about hackers, you have to read this book. Be warned: there are a number of scenes that Larsson describes in gory detail regarding the sexual abuse of women. But it’s because of the hacking explanations that I think The Girl with the Dragon Tattoo is Canon-worthy – the techniques described and outcomes created are realistic.

Start with the book, but I’d also recommend you watch both movie versions of the book: the original 2009 Swedish version with Noomi Rapace as Salander and the American 2011 remake with Rooney Mara as Salander. Both actresses provide a compelling and completely different take on Salander, and each is fascinating to watch.

The Cybersecurity Canon: Fatal System Error

For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in a cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.

Fatal System Error: The Hunt For New Crime Lords Who Are Bringing Down the Internet (2010) by Joseph Menn

If you are interested in the evolution of cyber crime, Fatal System Error is a good first reference. The author, Joseph Menn, is able to capture the early years of the cyber criminal community as it was just beginning to productize its cyber business and professionalize it so that it ran more like a business.

Most of this book is about the incipient history of cyber crime. Menn tells the story through two early cybersecurity practitioners: a very young Barrett Lyon—an early cybersecurity services businessman who built one of the first denial of service protection companies called Prolexic Technologies—and Andy Cocker, who at the time was an agent for the UK’s National Hi-Tech Crime Unit.

Menn also manages to sprinkle in a discussion of some of the significant cybersecurity milestones from around 1995 to about 2009. He talks about the rise of cyber espionage and one of the first public discoveries of a state-sponsored amateur hacker group called the Chinese Network Crack Program Hacker (NCPH) group.

Menn also describes one of the first and most notorious known organized cyber crime syndicates called the Russian Business Network (RBN) which was virtually untouchable by law enforcement during this period. The owner of the syndicate was the son of a high-placed political official, so even if a Russian police officer felt the urge to arrest this cyber criminal, there were powerful forces within the Kremlin that made it a good idea not to.

Menn also covers the familiar ground of Estonia, Georgia and Kyrgyzstan where attackers first proved that cyber warfare was possible, and he documents some of the first uses of distributed denial of service (DDoS) attacks as an extortion tool. He explains the rise of bulletproof-hosting providers (essentially criminal Internet service providers) and the impotence of US law enforcement when tracking Russian cyber criminals during this period. In fact, Menn almost takes relish in describing the complete lack of respect for the FBI from the cybersecurity community during this time.

The Story

These details are side stories. The bulk of the book is about the rise of cyber crime. Lyon’s story is how he was sucked into protecting some less-than-savory companies that dabbled in offshore gambling and porn. Organized crime rings ran most of these operations, and the criminals involved were not above trying to sabotage their competitors’ efforts.

Offshore gambling became popular about the same time that hackers discovered that it was possible to launch DDoS attacks that could take a website or a data center offline by simply bombarding it with random data streams from thousands of computers – a botnet – around the Internet. These new cyber criminals used those kinds of tools against their competitors in an effort to drive them out of business. Lyon’s company owned the technology that could mitigate these kinds of attacks, and the organized crime operators came calling to get his help. Lyon’s story is about how he naively gets involved with these cyber criminals and subsequently tries to get himself out of the situation. It was not easy.

Cocker’s story is a bit different. He was an old-school British police officer frustrated with the inability of law enforcement to break down jurisdictional lines across international borders to arrest known cyber criminals. He and his National Hi-Tech Crime Unit decided to do something about it. Instead of waiting for Russian law enforcement to be compelled by political leaders to cooperate, Cocker went into the Eastern Bloc countries to build relationships with local law enforcement officials who were just as eager to bring these new cyber criminals to justice as he was. He had one tried-and-true method to accomplish this task: drink lots of vodka together. Over time, he built trust and friendships with his Russian counterparts and had amazing success arresting cyber criminals in the area.

Menn got a lot of help writing this book from various prominent cybersecurity researchers and journalists at the time. He singles out important commercial cybersecurity intelligence organizations like iDefense, Team Cymru, and SecureWorks. He pointedly casts disdain on several anti-virus vendors as being ineffective, including Kaspersky Lab and the perception that Russians were falsely persecuted by the rest of the world in terms of who was responsible for cyber crime, cyber hacktivism, and cyber warfare.

I do have a couple of quibbles with Menn’s story. He claims that RBN was the main force responsible for the DDoS attacks against Estonia and Georgia. While it may be true that computers within the RBN botnet system participated in those offensive attacks, I do not find Menn’s evidence compelling that RBN leaders orchestrated the attack on their own.

Both attacks had too much precision—some would say military precision—to be run from a civilian organization. I also do not like the way that Menn jumps back and forth in the timeline. For example, in one chapter, he will talk about events in 2008, jump to events in 2002, and then jump ahead to significant events in 2006. He makes it tough for the reader to understand the narrative arc. I would have appreciated a straight-up timeline to keep everything straight. But these are small quibbles. I do not have any compelling evidence either about who is responsible for the Estonia and Georgia attacks, so who am I to criticize the way that Menn tells this complicated story?

Conclusion

If you are interested in the evolution of cyber crime, Fatal System Error is a good reference. If you read this book and another that I just recently reviewed, Kevin Poulsen’s Kingpin, you will have a fairly thorough understanding of the cyber criminal world. Fatal System Error is a vital historical reference for the cybersecurity community. It is worthy of being a part of the Cybersecurity Canon, and you should have read it by now.

The Cybersecurity Canon: Daemon and Freedom

Daemon (2006) and Freedom™ (2010) by Daniel Suarez

If you appreciate hacking stories like The Girl with the Dragon Tattoo or gaming stories like Ready Player One or stories that combine both like Reamde, you will love both Daniel Suarez’s Daemon and his Freedom™ like I did.

These two books tell one long story and are loaded with seemingly futuristic ideas that are just years away from general deployment. Suarez introduces these new ideas from an old-school hacker perspective in an effort to reboot the world order.

He demonstrates quality writing that gets the technical details right. The two books combine into one story that is Cybersecurity Canon-worthy.

Two Books, One Story

Published by Verdugo Press, but self-published first by the author and his wife in 2006, Daemon is a story about hackers who begin a revolution using near-future technology as catalysts to change the world. The sequel, Freedom™, published in 2010, is really the second half of the story. Daemon and Freedom™ describe a world that is rebuilt from the ground up if hackers were to seat themselves comfortably at the design controls.

The premise is fascinating. Matt Sobol is the long-time CTO and founder of a gaming company that built and maintains a hugely successful World of Warcraft-like massively multiplayer online role playing game (MMORPG). With that experience, he learned a little something about artificial intelligence and how it interacts with real humans. In the first few pages though, Sobol dies of cancer. In his place, he leaves behind a software daemon that, in interviews, Suarez has said is a “transmedia news-reading, human-manipulation engine.”

For the uninitiated, the word daemon is “an acronym for Disc and Execution Monitor [used in UNIX environments] and is pronounced {dee-mon}. Essentially it is a program that runs in the background, fully automated, and usually handles mundane activities such as log in requests, initiating transactions, etc.”

Sobol’s daemon is a little more sophisticated. As the mad genius of the story, Sobol anticipates his death, designs a complex logic tree of potential outcomes, and configures the Daemon to watch for those outcomes. His purpose is to inject catalysts into the old-world system to cause revolution, a reboot if you will, and he is not against burning the entire world down to get it.

Suarez tells the story in two parts. The first book, Daemon, revolves around the rise of the Daemon, its disciples in the Darknet community, and how the US government and its corporate partners plan to defeat them. The good guys in the story, the ones organizing against the Daemon, consist of an NSA code breaker, a local California cop, an FBI SWAT team commander, a CIA special operator, and a software security consultant/gamer/hacker.

The second book, Freedom™, focuses on the Darknet reboot aftermath, how society changes for the better after the reboot, and the cataclysmic showdown between Darknet forces and the commercial and government forces attempting to hang onto the past. Some of the good guy forces from the first book eventually switch over to the Darknet side, realizing that there is no going back and that the reboot result is way better than the old system.

The Tech

Some of the hype around Suarez is that he is a legitimate heir to the Michael Crichton throne of storytelling, specifically fiction such as Jurassic Park, State of Fear, Prey, and Disclosure that is about the societal impact of technologies that are just a few years away from reality.

I concede the comparison. Both of Suarez’s books are loaded with fantastic ideas that already exist and could be in common use within the next decade. Things like “sound production without speakers [that] can make voices appear in mid-air,” autonomous vehicles (in 2006, this was four years before military drones became the operational centerpiece to President Obama’s foreign policy decisions in the Middle East), advanced voice-recognition systems, desktop manufacturing, and augmented reality are just some of the technologies that drive the Darknet.

Of course, because Sobol is dead, he needs living surrogates to do his bidding. One of the things his Daemon does is recruit, initially from his game. For the non-gamers in the crowd, people who excel in MMORPGs have a lot more skills than simply pressing the Enter Key really fast in order to kill monsters. As they progress in the game and gain experience, they learn how to organize large groups of people from around the world, function within a team to accomplish team goals, assess strengths and weaknesses within the team and of potential adversaries, and plan and execute operations that leverage those strengths and weaknesses for success.

If you think I am kidding, read Rick McCormick’s article in The Verge that describes the epic space battle that occurred in January of this year. In an MMORPG called Eve Online, McCormick estimates that more than 5,000 players joined the fray on both sides of a conflict that ultimately resulted in the loss of more than $200,000 of real US dollars because of the resulting virtual spacecraft damage. Building up fleets of that size takes years of planning and effort. The skillsets involved are quite extraordinary. In the game world, these people are the centers of power and manipulation and the results of their actions can mean real money.

Sobol knows this and recruits the best players in his game by giving them special missions to test their individual skill sets. He eventually sends the best of the best out of the game to accomplish real-world missions, and this is where the hacking comes in.

One of the main recruits is Brian Gragg (hacker name: Loki). Sobol tests Loki by having him break into a remote facility using nothing but his hacking skills. Loki uses a software tool called “Netstumbler” to locate a wireless access point that is using Wi-Fi protected access (WPA) for authentication. He uses another software tool called “Air-Jack” to force key exchanges from the Wi-Fi router and uses a third tool called “Asleap” to collect the wireless key exchanges.

Loki cracks the WPA key by using an off-line phase-shift keying (PSK) dictionary, basically a collection of words that he can test (brute force) against the acquired keys. Once on the network, he uses a fourth tool called “Superscan” to ping sweep and port scan the entire network. He telnets to the one Unix machine (OpenBSD) that he can see and uses a simple network management protocol (SNMP) buffer overflow attack to compromise it. Once in, he finds that the Unix box is connected to a Web server that is tightly locked down. He uses an SQL injection attack to break in, and Sobol rewards Loki by making him a key operative in the Daemon’s quest.

That sequence is a real-world hack using legitimate hacker tools that could have worked in 2006 (when Suarez wrote the book), and most likely, a hacker could use a variation of it to break into some systems today.

Sobol collects people like Loki, black-hat hacker types, who have no moral problems with killing bystanders and intermediaries for the greater goal. But he also collects people with more socially acceptable skills to round out his new world order called the Darknet. The purpose of the Darknet is all-out destruction of the status quo: corrupt governments and the international corporations that pull the strings in the background. The Daemon infiltrates as many corporations as it can (the good ones and the corrupt ones) via the Internet and through Sobol’s Darknet operatives in the real world. But the Daemon does not destroy these companies; it creates a symbiotic relationship with them. It tells the organizational leadership of these now-infiltrated organizations that if they accept the relationship and some basic behavior rules, they can still function. If they don’t, the Daemon will destroy them.

Many do not comply, and the Daemon vaporizes them by erasing all of their corporate data (and whatever backups they had). Those that comply donate a small percent of their revenue to the Darknet cause but are allowed to stay in business. The money the Daemon collects from the thousands of companies it infiltrates funds the growing Darknet.

Darknet operatives wear specially designed sunglasses that act as a direct connection to Darknet operations. The glasses provide the wearer with an augmented Darknet reality, broadcasting video as an overlay to the world directly to the inside lens. The augmented reality allows Darknet operatives to recognize other members and to manipulate Darknet objects, initially Daemon programs but eventually programs and data sets created by other Darknet members. The Darknet glasses are eerily similar to the Google Glass experiment that we started reading about in 2012.

Darknet operatives plan and communicate through this interface, this D-Space. Their opponents desperately try to crack and infiltrate the D-Space network in order to collect intelligence that will help them defeat the Darknet forces. I found this idea intriguing and realized how closely it mirrors some thinking from the intelligence community in the last decade.

US intelligence organizations have considered the prospect that these MMORPGS could be used for terrorist planning purposes. You can log in from all over the world, your avatar is for the most part anonymous, you have access to voice and message communication services within the game, and the language of the game suits itself to planning and destroying military and civilian targets. Players of the game use the same language to actually play the game.

Conclusion

I loved these two books. They fit nicely into two separate categories that I like to track: hacker novels that do not exaggerate the genre and the combination of gaming and future intelligence collection.

It is not a perfect story by any means. You have to suspend disbelief a bit to accept the notion that Sobol could anticipate every major response to his Daemon over a three-year period. With Sobol’s great insight, he develops a viable plan to do something about each and every response from his opponents and programs the Daemon to execute that plan, and everything happens without a glitch. Personally, I can’t get my browser to work correctly unless I reboot the computer on a regular basis. But I am fine with that little conceit. Sobol is the mad genius after all, and I have suspended my disbelief for other novels with similar characters. Also, Suarez presents a love story between the good guy hacker and the NSA code breaker that seems a little forced. But these are minor quibbles. Daemon and Freedom™ together represent an engaging story. Along the way, Suarez introduces the reader to some new tech that will be available to the general population in the near future, describes what it takes to be a real hacker, and highlights how the lessons learned through MMORPG development might be beneficial in the real world.

The bigger notion that Suarez gives the reader, one that can be lost with all the other amazing things going on, is that Suarez does not like the direction the country, and indeed the world, is going. He believes that most people do not realize it, but that we are all slaves to some severe controls that our governments and their corporate sponsors place upon us, that we all depend too much on these handlers and give away too many liberties to them in the name of security and fear. The title of his second book, Freedom™, is no accident. He does not believe that we can unshackle ourselves without some sort of major cataclysm. In this exciting story, the Daemon causes that cataclysm.
