Bob Eisenhardt looks back at Clifford Stoll's classic cyber-spying true story from 1989 and poses the question, how much has really changed in the world of cyber-espionage? Not that much, as it turns out.
In 1989, Clifford Stoll wrote a fascinating spy story — a cyber chase — about catching a hacker in Germany, employed by the Soviet Union , who was blatantly hacking "secure" military systems in search of anything connected with the "Star Wars" defense initiative called The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Back then, there was no real Internet as we know it. The ARPANET was just beginning to expand into the public arena, but still was the primary vehicle for the military mid-range and mainframe systems to communicate. As a cyber-sleuth, Stoll was by trade an astronomer with a hand in programming Berkeley Unix.
The trail began with the hacker entering systems through open, non-administrative accounts and planting a small program in the secure area of Unix through the GnuEmac word processor. This free program (remember shareware?) knew of no secure/non-secure areas of any system, thus it was ideal for copy-paste from a public patch to a secure patch. Then, every five minutes, Unix ran a daemon to check system resources and allocate them. The hacker's program granted him Administrator Super User access! SHAZAM! He would then erase his tracks and begin browsing whatever he could find. Stoll kept a log of his adventure and traced this "scum" (his word) around the world for 10 months as the data lead his search far beyond our shore, over the transatlantic satellites to Europe. Along the way Stoll learned that many "secure" systems were anything but — wide open sometimes, badly managed most of the time. Eventually the spy was caught and served time in prison and Stoll became a much wiser guru of systems security.
I've been thinking about Stoll's book recently and wondered, in light of so many of the security issues we have in abundance today, how MUCH have we changed since 1989 and the planting of that elusive Unix egg?
The more things change, the more they stay the same
Two years ago, I noticed an employee from the Beijing Railroad in China trying to password blast my Windows 2003 server through an open FTP session. My password syntax is very secure so he was just door banging, but using much the same logic that Stoll's evil assailant might use on military systems: Try standard account names and throw passwords every second at it, repeat forever until a door opens. After five minutes of education, I stopped the FTP service and that was that. But yes, Virginia, there are hackers out there targeting YOU!
According to the TechRepublic blog post, "Why isn't everyone hacked every day," by Michael Kassner, Cormac Herley of Microsoft observed that passwords are still left on public Post-It notes and recycled every 30 days. Well, Stoll's villain would be right at home. In 1989 his hacker read public emails that contained lists of user names and passwords, i.e., "going on vacation, here are the keys to my kingdom." On the plus side, there is now an explosion of user accounts and passwords as compared to 1989, with billions of possible combinations. The percentage of obvious attacks has to drop by statistical law, so perhaps we feel safer than we really are.
After all, Stoll's ARPANET used the limited bandwidth available through the mighty 2400 baud modem, and while we are now connected internationally at far greater speed, underneath the hood of our 2012 fibre-optic, wireless rocketcar is (for the most part) our old friend - IPv4.
Complexity does not guarantee security, but rather offers new methods of penetration such as the incredible HP OfficeJet portal into secure IPv4 addresses. That was, to me, a stunner! There, displayed in a Google search, were dozens of OfficeJet printers with their hard-coded IP address displayed. To a determined hacker, this is delicious, and the game is already over. Stoll's 1989 hacker would know this playground by intuition.
It was a different world back in 1989. Sony Playstation? Bah, Humbug!! Malware did not exist. Internet credit card traffic was for the future as were ATM machines. But copying files to floppy disks from a secure station could be done, and Pvt. Bradley Manning just proved that USB keys are just as portable, giving us WikiLeaks. Technology does not protect us from the simple, stupid method. We are not so smart after all.
Stoll's hacker of today would not be limited to a count of one. The truly huge data breaches are done by "Hacktivists" — groupings of dedicated, warped professionals out for revenge on a bad planet. The "Anonymous Collective" cries out for all the attention it has received. Sometimes, just publishing the theft is all the glory these scum (see 2nd paragraph above) are seeking as if it were all a game. But by publishing such data, charities and 501C3 groups have taken a huge hit in donations. "Ho Ho, Ha Ha, it is to laugh" said Daffy Duck.
Secure websites? Stoll did not have that one either. Another few billion doors just opened up and my writing another 90 paragraphs alone on this one is for another day. But secure systems and passwords were not needed when military subcontractor SAIC lost 4.9 million records for TriCare patients, data left on backup tapes in an open car. Stoll's hacker was, at least, in Germany and not Texas.
In 1989, the outsourcing of IT support for public and private data centers to firms such as Computer Sciences Corporation and Scientific Applications International Corp was an invention of hell for a future date. Bangalore was a backwater town. Today, 39% of all secure data breaches occur when trust is placed in the secure(?) control of third party vendors. Back then, Stoll was able to call, directly, military personnel in charge of a data center and advise them that somebody was, amazingly, trolling their files RIGHT NOW. Today, he would probably be on hold forever while someone in India frantically paged through a manual of tasks even as data is waltzing out the door.
In 1989, medical records were the property of your doctor, stored on shelves in file folders. Are we any more secure with HIPAA regulations mandating secure storage and disposal? I have seen hospital records that should have been shredded, dumped intact into dumpsters, and stood stunned when an outsourcing firm I worked for determined that thirty (30) computers just walked out of secure storage INSIDE a hospital. Heaven forbid electronic health records in the secure cloud.
All in all, I feel that Clifford Stoll's antagonist of 1989 would indeed feel right at home today. Our technology and software are vastly different from the enchanting simplicity of entering command line codes on a Unix mid-range system, and the ARPANET was truly ugly. Other than that, I do not see that we have changed all that much. For all the fancy tools and secure beauty of Windows, Linux and HTML on the top, the bottom still holds. Indeed, he would not have to use a University computer in Bremen connected via 2400 baud phone line to work his magic. Any Starbucks will do nicely, the coffee is good and those chocolate covered graham crackers are, well, just to die for.