Dragonfly Thinking is a book authored by Bruce Oberhardt intended to help you develop superior problem solving skills.

Is There Really Cyber Security? Solving the Problem

On Thursday, January 31st 2013, a front page news article headline in The New York Times read: “Hackers in China Attacked The Times for Last 4 Months.”

See: http://www.cnbc.com/id/100421708/Hackers_in_China_Attacked_The_Times_for_Last_4_Months
This caught my attention, since that week and even the previous day, January 30th, I was listening to radio programs on NPR describing the hacking of computer systems throughout the U.S., thought to have originated from China and leading up to The New York Times headline story.

The NPR special: “In China, The Government Isn’t The Only Spy Game In Town” by Frank Langfitt is a remarkable account of the use of secret listening devices and cameras in China.  According to this report, although such devices are officially illegal in China, the Chinese Government is continually spying on citizens with the aid of countless hidden cameras and microphones.  In addition, government officials spy on each other using these devices.  These audio and visual (still camera or video) bugs are also being used by Chinese citizens outside of the government to spy on each other.  A primary reason for spying is to gain economic advantage.  Follow the link to listen to the audio:  http://www.npr.org/2013/01/30/170563866/in-china-the-government-isnt-the-only-spy-game-in-town

When audio and visual bugging devices are added to the mix, as in China, computer passwords are easily compromised, and many other activities, conversations, and actions can be recorded by spy devices.  Apparently, privacy has become a thing of the past in many places in China.

According to this special NPR radio program, in addition to electronic bugging devices that can be purchased in China, there are devices that can also be purchased there to uncover hidden electronic audio and visual bugs.  These bug-finding devices are like metal detectors.  They detect the data transmission signal coming from the bug.  An expert that I subsequently spoke with informed me that some bugs transmit continuously and can be identified.  Others, however, store data and transmit infrequently or in the middle of the night when no one is typically around, and these are hard to locate.  Some devices are hidden in cars, in pens, in offices, in bathrooms, in bedrooms, in computers, etc.  Although bugs can be used to identify keystrokes and passwords, there are other ways to gain entry into computer systems.

The New York Times attacks apparently resulted first from installed malware – malicious software – enabling hackers to gain entry to any computer in The New York Times network.

Experts traced the NY Times attack to university computers used by Chinese military to attack US military computers in the past.  Apparently, intelligence gathering by cyber-attacks is commonplace in China and used against other countries as well as by Chinese against Chinese.

On February 19th 2013, The New York Times displayed a picture of the 12-story building, located on the corner intersection of Tongang Road and Datong Road on the outskirts of Shanghai, that serves as headquarters of Unit 61398 of the People’s Liberation Army, where the cyber-attacks against the NY Times were coming from, according to the cyber security company Mandiant.  See: http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0 .

One would think that Chinese officials would be embarrassed by the picture of this building in an American newspaper and its location clearly specified, but the officials contacted simply denied knowledge of the hacking effort and indicated that their computers had been hacked quite a bit.  I would not be surprised at all if their computers were hacked.

On January 31st, the day of the NY Times breakthrough headline, I just happened to attend a breakfast meeting on Cyber Crime at the Raleigh-Durham Chapter of ACG (Association for Corporate Growth): http://www.acg.org/raleighdurham/ .

The topic was: “The High Cost of Cyber Crime – Protecting Yourself and Your Business”.  According to the third annual study of U.S. companies, the occurrence of cyber-attacks has more than doubled over a three-year period, while the financial impact has increased by nearly 40 percent.  The distinguished panel of experts at this event included cyber security advisors and one person from the FBI Cyber Crime Squad.

One of the more interesting revelations was that last year all South Carolina tax records were hacked.  Another issue discussed was that an estimated 53% of professionals carry laptops with confidential data, and each year many laptops are stolen or lost.  The panel emphasized that top C-level executives need to learn how to respond to security breaches in this new environment.  The world has certainly become more complex.

These estimates do not account for the value of the vast amount of intellectual property that has been stolen.  Even so, the 2012 Cost of Cyber Crime Study, conducted by the Ponemon Institute and sponsored by HP, found that the average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $8.9 million. This represents a 6 percent increase over the average cost reported in 2011, and a 38 percent increase over 2010. The 2012 study also revealed a 42 percent increase in the number of cyber-attacks, with organizations experiencing an average of 102 successful attacks per week, compared to 72 attacks per week in 2011 and 50 attacks per week in 2010.  It appears that we are living in a new era, and that cybercrime has moved to a new level.

Three weeks later I attended a 10-year anniversary reception at a local, growth-phase software company.  I had the opportunity to discuss cyber security with a number of expert software developers and other interested attendees.  The people I spoke with at this event did not have good solutions to hacking problems but had certainly thought about it.  One attendee, the CEO of another software company, confided in me that he shuts down his computer when he is not using it to increase security.

As I pondered what I had learned during the past month or so, I became aware that the primary protections against hacking are passwords.  That is, confidential data can be accessed once the password is known and the entry point is obtained.  I imagined a barn with treasure inside:  let’s say a valuable diamond or, even better, an encoded carbon nanotube with military secrets.  Once the lock is picked, broken, removed, or more likely opened with a stolen key, the criminal gains access to the barn and to the treasure inside.

Then I thought: what if the carbon nanotube were located in a haystack – like the proverbial needle in the haystack – inside the barn, or even better in a haystack of similar-appearing carbon nanotubes?  If this were the case, the time and effort and expense of locating the correct needle in the haystack could be astronomical.  The hacker, even if computer-aided, would have to spend an inordinate amount of time – perhaps his or her entire life – on the project.  Perhaps many such lifetimes would be required to discern the correct nanotube, the carrier of the real confidential information.

Or imagine the plans to a manufactured product, say a widget.  If the hacker downloaded 10^10 plans for manufacturing this widget, each with variations from the original, it would be a mystery as to which one would be correct.  To find out, one would have to attempt to set up fabrication methods for each widget plan.  A human only lives for about 10^10 seconds, so the task would be daunting.

One could argue that this cyber protection approach makes little sense for two reasons: a) it is computer memory intensive, and b) there must be an identification tag or a pathway that the owner of the computer or the employee uses to access the correct widget manufacturing plan, and this pathway could be hacked.

The answer to objection a) is that it may not take much additional computer memory to store a lot of additional widget plans of the same type.  In fact, they could all be generated from a master plan, a generalized widget manufacturing plan.  Moreover, according to Moore’s law, computer chip memory will keep increasing through 2013 and possibly 2020, and there should be plenty of memory to spare.  See: http://en.wikipedia.org/wiki/Moore’s_law

But what is the response to objection b)?  This is a more difficult issue.  It is anticipated that the hacker, befuddled by the massive data swarm, will not realize that another type of password exists.  If the hacker catches on that there is a data key or password to obtain the correct data, then it will be searched for.  Whatever password methodology is used by the authentic computer operator (ACO) to gain access to the correct widget plan would be expected to be ultimately entered via keystrokes or sent to the computer electronically and could be hacked.  So, apparently we are back to square one – gaining entry – or are we?

Let’s explore gaining entry a bit further.  What if gaining entry does not involve a set password or a unique electronic code but involves the mutual identity interface from two separate sources?  The first source could be the ACO.  The second source could be an artificial intelligence source that shares information with the computer, enabling operation on the confidential information and without which the computer operation and the confidential information are compromised or incomplete.  In such a situation, the outside source could undergo periodic transformations and could also enable the ACO’s computer to do so as well.  The artificial intelligence source might come into play not via the internet but by some other means, e.g., a cell phone tower.  Could the artificial intelligence signal be hacked? Perhaps it could, but this would probably require two simultaneous and independently coordinated hacking attacks: one on the computer and one on the cellphone.

Another approach could be to establish and determine ACO identity via a device worn by the user, say a special badge, for example, that contains some identification (ACO credential ID) along with user features input to this device, such as retinal scan and/or fingerprint (ACO biologic ID), plus other identity information (system variable ID).  The system variable ID could be generated from a remote source to the user’s badge, which could receive information as does a cell phone.  This variable ID information could be changed or updated every minute or so.  If the user displays appropriate ACO credential and biologic ID, including appropriate retinal scan, etc., but not the correct variable ID, access to the computer would be denied or the user’s computer use session would be suddenly terminated.
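
The rotating variable ID described above can be sketched as follows. This is an added example, not from the original post: it assumes the badge and the server share a secret and derives the ID with an HMAC over a 60-second time counter, the construction that TOTP (RFC 6238) is built on. The names `variable_id` and `session_allowed` and the sample secret are hypothetical.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # the post suggests the variable ID changes "every minute or so"


def variable_id(badge_secret: bytes, unix_time: float) -> str:
    """Derive the variable ID for the 60-second window containing unix_time."""
    counter = int(unix_time) // STEP_SECONDS
    mac = hmac.new(badge_secret, struct.pack(">Q", counter), hashlib.sha256)
    return mac.hexdigest()[:12]


def session_allowed(badge_secret, now, credential_ok, biologic_ok,
                    presented_id, drift_steps=1):
    """Grant or continue a session only if all three IDs check out.

    drift_steps tolerates small clock drift between badge and server by
    also accepting the IDs of the adjacent time windows.
    """
    if not (credential_ok and biologic_ok):
        return False
    for offset in range(-drift_steps, drift_steps + 1):
        expected = variable_id(badge_secret, now + offset * STEP_SECONDS)
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(expected.encode(), presented_id.encode()):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    t0 = 1_699_999_980                    # constructed timestamp, start of a window
    fresh = variable_id(secret, t0)
    stale = variable_id(secret, t0 - 300)  # ID captured five minutes earlier
    print("fresh ID accepted:", session_allowed(secret, t0, True, True, fresh))
    print("stale ID accepted:", session_allowed(secret, t0, True, True, stale))
```

A captured ID stops working once its window (plus the allowed drift) has passed, which is the property the paragraph relies on; the shared secret itself still has to be protected on both the badge and the server.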

There appear to be three key defenses against cyber-attack: passwords; data obfuscation or encoding; and user authentication.  These boil down to two primary categories of defense: a) what the user knows and b) who the user is.  The need to authenticate the user identity could offer the more powerful protection of the two.

Another way to authenticate a user is to have a person at a remote location verify the identity of the user and determine that this user is the ACO.  In such a scenario, access to the computer would require cooperation by the individual at the remote location.  If, for example, a special type of Skype video call were used, the user could be interrogated briefly, in the same manner that a guard at the gate of a secure government installation examines a person’s credentials and speaks with the person to achieve recognition and allow access.

It could be argued, however, that it may be possible at some point in the future to create a sufficiently sophisticated hacking strategy via simulation of the ACO or even more sinister malware.  Then, if this is what is to be, we are in for a never-ending cycle of cybercrime and deception, eventually reaching the stage where a person could be effectively simulated for enough time to fool friends and relatives on Skype calls and certainly the security guard.  Whatever is to be will be, and we may be entering the strangest of times, where identity theft could mean not merely obtaining another person’s credit cards, ID cards, and passwords but effectively simulating the entire person.  Then what?  Fortunately, technology has not as yet enabled hacking to reach this level of sophistication.


3 Responses to Is There Really Cyber Security? Solving the Problem

  1. Henry Schaffer says:

    “the primary protections against hacking are passwords” – ignores the huge amount of the problem which comes from security “holes” in Operating Systems, web sites, malware – including apps, … Read up on “zero day attacks” to see some of the big problems – and then for the international context, there is an excellent interview at http://www.afr.com/p/national/transcript_interview_with_former_KnS7JDIrw73GWlljxA7vdK

    • I really appreciate Dr. Henry Schaffer’s enlightening comments. I agree that the primary protections against hacking that I mentioned in the post are passwords, yet there are holes and back doors to many operating systems. It is also of interest that “zero day attacks” are prevalent, that is attacks on recognized vulnerabilities in new software before the software company can fix them.

      The breakfast meeting I discussed in the blog, that I attended on Cyber Crime on January 31st at the Raleigh-Durham Chapter of ACG (Association for Corporate Growth), was focused on passwords and stolen laptop and notebook computers. There was no discussion on “holes”. I imagine that holes fall into a bucket that each software company agonizes over but that are more for internal action as opposed to something that an end user can ameliorate.

      The interview with General Michael Hayden linked by Dr. Schaffer is extremely interesting and a must read:
      See: http://www.afr.com/p/national/transcript_interview_with_former_KnS7JDIrw73GWlljxA7vdK .

      According to General Hayden, “We are moving from a world in which most cyber problems are mainly about stealing your data to a world in which cyber is being used to deliberately create kinetic consequences: effects on your information, effects on your networks, and other adverse physical effects on assets that are valuable to you.” His interview deals with a variety of international cyber security issues and the role of government. It is a very informative article.

  2. I have personal experience with cyber security as a website programmer. I have had to increase website application security after experiencing an increase in SQL injection from hackers located in China. I am glad to see more awareness is being brought to a serious problem that I’ve been fighting for over 10 years.

    SQL injection is a web application security vulnerability or “hole” where attackers maliciously inject SQL statements into websites to attack the database content by altering the data stored in the database or stealing private data (e.g. credit card numbers, social security numbers, etc.).

    Legacy website applications are those at highest risk because they often do not have current security measures in place. According to Veracode, 32 percent of web applications are still affected by SQL injection vulnerabilities.

    Proper construction of SQL statements in web applications is the best defense against SQL injection attacks.
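
To illustrate the point made in the comment above about proper construction of SQL statements, here is an added example that is not part of the original post or its comments. It uses Python's built-in `sqlite3` module with a constructed table and constructed rows; the function names are hypothetical.

```python
import sqlite3


def make_db():
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, card TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice", "0000-0000-0000-0001"),
         ("bob", "0000-0000-0000-0002"),
         ("o'brien", "0000-0000-0000-0003")],
    )
    return db


def lookup_concatenated(db, name):
    """Vulnerable: the user's input becomes part of the SQL text itself."""
    sql = "SELECT name, card FROM customers WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db, name):
    """Properly constructed: the input is bound as a value, never parsed as SQL."""
    return db.execute(
        "SELECT name, card FROM customers WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"   # constructed input that rewrites the WHERE clause
    print("concatenated rows: ", len(lookup_concatenated(db, hostile)))
    print("parameterized rows:", len(lookup_parameterized(db, hostile)))
    # A legitimate name containing an apostrophe breaks the concatenated query
    # outright, while the parameterized query handles it correctly.
    print("parameterized o'brien:", lookup_parameterized(db, "o'brien"))
    try:
        lookup_concatenated(db, "o'brien")
    except sqlite3.OperationalError as exc:
        print("concatenated o'brien failed:", exc)
```

The concatenated query returns every row for the hostile input, while the parameterized query returns none because no customer has that literal name.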
