Friday 29 August 2008

Spies like us

I am a member of LinkedIn, the business networking site. You can add me with my old hotmail account if you like and have an interest in coding, debugging or security - and I guess that you wouldn't read this if you didn't. The address is MarkALong64 at hotmail dot com; There is no sense in feeding the dumber harvesters of addresses.

Anyway, someone posted a wonderful question. What would you do if you were a spy with the tools and skills of a hacker? Now, there is an interesting question. Let me consider… I am e-007, an agent licenced to hack.

A lot would depend on what my mission goals were. There are a number of things that can be done.

Let us imagine for a moment that I am told that this is a request from the police and they are looking to get a botnet shut down. Well, you could start killing the bots. Indeed, that is what every antivirus solution and the Microsoft malicious software remove tool do on a regular basis. It works pretty well and largely killed the Storm Botnet. However, a lot of people do not get the updates (which is the normal time when the MSRT runs) because they don’t trust it and some people run with no AV solution or a broken one. You can’t kill a botnet that way. However, all the modern bots have a feature which allows them to update themselves – malware often adopts features from legitimate software. What would happen if you seized control of the botnet and told all the bots to replace themselves with an executable which was basically notepad.exe? Well, that would kill the botnet rather efficiently. Of course, there are legal issues with that. You are installing software on end user systems without their consent. How bad this is very much depends on what the system is doing. If it is a home user, you have broken the law but you have done so for a good and moral reason. However, what happens if the system that you have fixed was controlling a machine delivering radiotherapy to cancer patients? Well, you probably have made it work better. There is an outside chance that the update will break the system in such a way that the X-ray machine will cause the patient to glow in the dark from an excessive dosage. So, your benign but illegal act could kill due to the good old law of unintended consequences.

What if the orders from M were to find out more about them? Well, in that case, finding a way to insert a keylogger onto their systems would seem like a good option. It would allow you access to at least half of email conversations or instant messenger session. Put in a filter driver that send disk access over the wire and you will get a whole bunch more and implicate more and more people. Of course, this is just fiction. The bundestrojaner is not that clever. Well, perhaps not quite. The specifications are not exact public.

How about if I were looking to serve my government’s political aims? Well, if that were the case, then I would look to use compromised systems to attack the infrastructure of the enemy. It seems that all the Russian controlled botnets are busily attacking systems owned by the Georgian government. Maybe they have a counterpart to e-007 somewhere in the Kremlin – or maybe the link is a little more direct than that. Again, the documentation is not a matter of public record.

However, what is the most common activity in every civil service in the world? Why, empire building, naturally. If I had a way of talking to a group of talented hackers, maybe I would be best off recruiting them. A one way ticket to a nice part of the country and some new papers showing them to be naturalised Poles or Hong Kong Chinese would be part of the package, I think.

Of course, a true cyber spy wouldn’t be e-007 but 0xE007. Somehow 57351 doesn’t have the same ring.

Are there such people? I have never seen anyone in a Tuxedo at SecWest or BlackHat but I doubt that everyone there is using their own names. If there are such people, they are probably playing a very subtle game indeed.

Oh, on an unrelated note, we have been giving the website a bit of a facelift. Feel free to let me know what you think at Mark.Long@DigitalLookingGlass.co.uk

Signing off

Mark Long, Digital Looking Glass Ltd

Mark

No comments: