Season 2 - The Invisible War / Episode 14
Malicious Life, episode 14: Deception
From the Bulgarian hacker scene of the 90's, featured in episodes 1 and 2, we now move to the vibrant underground hacker scene of West and East Berlin. Working secretly for the KGB, a young Berliner hacker attempts to hack the U.S military network, only to be stopped by a curious, and inventive astronomer.
A riveting game of cat and mouse, and a fascinating look at the hacker scenes of the early days of the internet.
Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, created the popular Israeli podcast, Making History, with over 10 million downloads as of Aug. 2017.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.
Sam Curry, Chief Security Officer, is an IT security visionary with over 20 years of IT security industry experience. Sam served as Chief Technology and Security Officer at Arbor Networks, where he was responsible for the development and implementation of Arbor’s technology, security and innovation roadmap. Previously, he spent more than seven years at RSA (the Security Division of EMC) in a variety of senior management positions, including Chief Strategy Officer and Chief Technologist and Senior Vice President of Product Management and Product Marketing. Sam has also held senior roles at Microstrategy, Computer Associates, and McAfee.
Yonatan Striem-Amit, CTO and Co-Founder of Cybereason, is a machine learning, big data analytics and visualization technology expert, with over a decade of experience applying analytics to security in the Israeli Defense Forces and Israeli Governmental Agencies. Prior to founding Cybereason, Yonatan headed the development for Watchdox, a leading DRM and SaaS security startup.
The Cuckoo’s Egg – Deception in Cyber Security
Hello, and welcome to Malicious Life. I’m Ran Levi, and today we’re going to talk about Deception in Cyber Security.
Deception is not something we usually think of when we think about Defense in the Information Security world. True, Deception is one of the most common tools in an attacker’s arsenal – but when it comes to protection, the first picture that comes to mind is often the small icon of antivirus software in the corner of your desktop. For many years, the guiding method in the world of information security was detection, by identifying signature or unusual behavior patterns within a network.
But in recent years, Deception – although not a new idea in the world of information security – has experienced a kind of renaissance. There has been a gradual but clear transition from defense through detection, to defense in other ways. Why? Because experience has repeatedly shown us that static defense is not enough. Hackers and malicious software are getting more and more sophisticated, and every week we hear about a multi-million dollar company getting hacked, despite all detection and prevention measures. More and more people realize that we need to re-think our defenses. And when deception is involved, you don’t even need to think like an information security professional – you can even be, say, an astronomer.
A Hacker in LBL
Dr. Clifford Stoll looks like how you would expect an astronomer to look: his frame is lean and wiry, his hair long and wild, his clothes a bit crumpled – and when he speaks he is bouncy, full of exuberant enthusiasm and exaggerated hand gestures. In 1986, the year our story takes place, Stoll worked at Lawrence Berkeley Laboratory (LBL, in short) – a research institute that was one of the handful of universities and commercial companies connected to ARPANET, the military network that later became the Internet we know today.
One day in August 1986, Stoll – who in addition to his academic duties was in charge of his department’s computer network – discovered that someone in his department had exceeded their network connection budget. In those days, internet usage was billed according to the time spent online, and Stoll’s records showed that someone used 9 seconds of unauthorized connection time. It wasn’t a big deal – merley 75 cents – but it was the very fact that this was such a small deviation that had aroused Stoll’s curiosity. A large number might be attributed to a calculation error somewhere in the accounting department, but a 75-cent error was far more difficult to explain.
Stoll investigated and found that indeed, this was not an accounting mistake: someone, probably a hacker who broke into the LBL’s internal computer network, used the LBL connection to the ARPANET network without authorization. Stoll’s immediate suspicion was that this was a prank by one of Berkeley’s creative and often misbehaved students. However, Stoll also discovered that the unauthorized account created by the hacker was an admin account – meaning that the mysterious hacker had found a way to elevate his account privileges, which made this a far more serious matter. He decided to look further into the matter to find how the attacker hacked into the LBL network, and what flaws he exploited.
Looking Over The Hacker’s Shoulder
Stoll connected printers to each of the 50 incoming telephones lines, and configured them to print all the digital communication activity passing through them. A few days later, he found what he wanted. The printers documented the hacker accessing one of the lab’s computers through an external port, and exploiting a bug in an editing software called GNU EMACS to obtain system-manager privileges.
Stoll decided to keep track of the hacker’s actions to see what he was looking for. He connected a printer to the telephone line through which the hacker penetrated, and again configured it to print each and every action and keystroke typed by the intruder, 24 hours a day, seven days a week. He had no idea that this decision would lead to a year-long chase, at the end of which the astronomer, who until now had been primarily engaged in the design of telescope optics, would find himself at the center of an international espionage scandal.
With the hacker’s line of access tapped, Stoll was able to “look over the hacker’s shoulder”. It soon became clear that the LBL itself was not at the top of the intruder’s priorities: he used the lab’s network only as a connection point to ARPANET, where he tried to penetrate the computers of Air Force, Navy and Army bases, defense contractors in Texas and California, and academic institutions that took part in military projects such as the National Computing Center at Livermore, CA.
Stoll realized that this was not some reckless prank, but an actual espionage attempt. Alarmed, Stoll contacted the FBI. He spoke on the phone with an agent and tried to explain to him the suspicious activity he discovered, but in 1986 cyber espionage was practically unheard of, and the FBI agent had difficulty understanding what the eccentric astronomer was talking about. “How much money have you lost in this attack?” He asked Stoll. “Um … well … 75 cents.” Replied the astronomer. “Don’t bother us with such trifles,” said the agent. “Just shut down the phone line in question, delete the hacker’s account and that’s it.”
Fortunately for Stoll, his curiosity did not allow him to accept the agent’s advice-and he continued to follow the attacker.
Getting into The Attacker’s Mind
Sun Tzu, a Chinese general who lived 2,500 years ago, wrote in his book The Art Of War –
“All warfare is based on deception. Hence, when we are able to attack, we must seem unable; when using our forces, we must appear inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.”
I’m not sure that Sun Tzu understood a lot about Cyber Security – I think he still used COBOL back then – but he was right on one thing at least: successful deception means, first and foremost, getting into the enemy’s mind. To have that insight, Clifford stoll decided to follow the hacker and learn his goals and operational methods. He watched him trying – and sometimes succeeding – to penetrate the computer networks of dozens of different organizations, usually through simple dictionary attacks on default or well known passwords, or passwords found on files he stole. Stoll always tried to remain one step ahead: every time he saw the hacker trying to infiltrate a particular organization’s network, he contacted someone in that organization and warned him about the attack.
It wasn’t easy. The hacker was very careful: he made sure to check for any admins logged onto the same machine he was infiltrating and, if so, he quickly broke away. He also showed unusual patience: sometimes he created new accounts in systems he had broken into, and waited for half a year or more until coming back to exploit them. He followed the e-mail activity of users and looked for clues that someone was onto him. And the mysterious attacker did not take into consideration Stoll’s schedule–often the astronomer had to jump out of bed at four in the morning or leave parties or meals to talk to technicians and admins in other organizations he had no affiliation with.
Hackers In Hollywood
But Stoll did have one advantage over the attacker, and that is the fact that hacking – despite what hollywood movies would like us to think – is a slow process. Here’s Yonatan Stirem Amit, Cybereason’s CTO, and Sam Curry, it’s CFO.
“[Yonatan] There is often, when we talk about cyber within the industry, there’s an almost Hollywood-esqe image of what a hacking operation looks like.”
“[Sam] Hollywood has done us a disservice.”
“[Yonatan] People imagine a hacker with a hoodie on and a laptop…”
“[Sam] probably with a funny accent…”
“[Yonatan] you know, banging at the keyboard, eventually hitting a dramatic Enter…”
“[Sam] and two minutes later, “We’re done,” right?”
“[Yonatan] and then he somehow penetrates into an entire organization.”
“[Sam] Oh, great, you did your job now we can, George Clooney can go off with Matt Damon, and do something on the wings, right? I’m thinking of Oceans Eleven, not point out too many names – but that’s not true. It doesn’t work that way.”
“[Yonatan] Reality is way more complex than this.”
“[Yonatan] I always ask people the first time I see them, if I gave you a computer within my own company’s network, how long will it take you, you as a person, to know everything that you want to know, and extract all the information and create a kind of damage that we see in the headlines? You don’t know anything about me, who I am, what my controls are, who the key people and where the key information lies.
So, for a hacker, it’s the same. Once – when a hacker goes into a system the first time, he needs to start understanding everything about that system, who’s computer am I on, what’s the network structure, what controls do they have, where’s the information, what systems do the company has, can I get more assets and move laterally within the organization? This is a very, very long process, month long at a time, where the hackers, at this point, really create no damage or just learning the target environment.
[Ran] Just fumbling in the dark, maybe, kind of way.
[Yonatan] Initially, yes, and then they learn more. And then they’re fumbling in more light, and then they start to get more targeted. And eventually, they find their way to the people who have the key information they want.
At this point, even though I, as a hacker, have complete control of your environment, I still need to move and get more credentials, more access, more information to understand where is the information I’m looking for, who has access to it and how do I do that without getting caught.”
The long period in which an assailant circles the net in the dark, trying to learn the environment in which he or she operates – is also the ideal time for deception on the part of a defender – which is exactly what Clifford Stoll did.
Over the next few months, Stoll began to reveal tiny clues about the attacker’s identity and interests. The hacker’s working hours matched nighttime hours in Europe, when the cost of connecting to the Internet was lower, and occasionally he typed German slogans and words. Stoll also noticed that in every computer penetrated, the hacker searched for documents containing the words ‘norad’, ‘nuclear’ and ‘SDI’, which was President Reagan’s famous Star Wars initiative.
Stoll contacted the Deutsche Bundespost, the German federal post office, which was also responsible for international telephone communications in West Germany, and asked them to help locate the address from which the attacks were made. The Bundespost cooperated, and its technicians were able to locate several West German universities from which the attacker connected to Stoll’s lab. With the help of the universities, the Bundespost’s technicians began to zoom in on the exact address of the attacker. Here Stoll encountered a problem: the tracing attempts could only be made when the attacker was online – but the cautious hacker made sure his sessions were as short as possible. The technicians told Stoll that in order to trace the address, they needed the attacker to be online for longer.
Stoll thought and thought about a solution that would make the attacker stay connected longer. As we learned from General Sun Tzu’s quote, Deception means entering into the attacker’s mind and looking at the problem from his own point of view. Stoll wondered what the mysterious hacker wanted… and then realized that the answer was actually obvious. The keywords that the hacker searched for on the computers he broke into clearly indicated his interests. With this in mind, Stoll decided to set a trap for the hacker.
This is probably the right point in our story to introduce one of the oldest forms of deception in cyber security: the HoneyPot.
“[Yonatan] Honeypots are basically creating assets for the adversary that they would want to attack. For example, I could create a machine called CFO machine or CFO computer, which is not actually used by the CFO but if a non-suspecting hacker would scan the network for computer names, that kind of machine will potentially be a very lucrative interesting target worth going after, worth trying to attack.
Legitimately, users within the environment won’t really want like legitimately to start accessing the CFO computer. So any access to that computer has become almost immediately –
[Ran] It’s a sign.
[Yonatan] Yes, it’s a sign.”
In other words, a HoneyPot is a device that pretends to be a device that a potential attacker will be interested in. One of the great advantages of a HoneyPot is that it solves, in principle, the “the needle in the haystack” problem: how can the defender detect an unusual activity, from the numerous actions that occur at any given moment in a network? Well, for a HoneyPot – every activity is an abnormal activity. By definition, a HoneyPot is a device that has no real use on the network and therefore should not see any activity at all.
The Honeypot that Stoll set up for the hacker was a new account on the LBL network called SDINET. This account belonged to a fictional department in LBL that was recently formed to collaborate with the military’s Star Wars initiative. The department even had a fictional secretary named Barbara Sherwin who wrote memos, sent e-mails and even signed travel expenses approvals for the department “staff”.
Stoll created a document folder for SDINET and added to it a few dozen new documents containing classified information, so to speak, about the SDI project. Some of the documents contained data Stoll had taken from newspaper articles about future satellites and space shuttle launches, and others were simply piles of what Stoll called “an impressive-sounding bureaucratic gobbledygook”:
“All you have to do to make military gobbledygook is to use academic gobbledygook and change the job titles—‘undergraduate’ to ‘lieutenant,’ ‘professor’ to ‘colonel,’ and ‘dean’ to ‘general,’ then throw in words like ‘parameters’ and ‘implement.’ Who can tell the difference? I sure didn’t.”
A Spy Ring
Now’s a good time to move the focus of our story from Berkeley, California – to Europe’s West Germany. In the 1980s the hacker scene in West Germany was quite vibrant. The Chaos Computer Club, or CCC in short, was one of the first hacker associations in Europe, and thousands of German computer enthusiasts held joint events and exchanged information of every kind.
Karl Koch was part of that vibrant hacker scene. Koch, 21, whose underground nickname was Hagbard – was a fascinating and somewhat tragic character. He was talented and bright – but suffered from mental problems that were exacerbated by a cocaine addiction, an addiction that also led him to financial difficulties. In 1986, Koch gathered around him a group of young hackers who wanted to make money by hacking into computers. Koch contacted a KGB agent in East Berlin named Sergei Markov, and struck a deal with him – the group would collect confidential US information, in exchange for money and drugs.
The person who was responsible for most of the group’s operational activity – that is, the actual hacking into the ARPANET network – was Markus Hess, 26 years old, of Hannover. During the day Hess worked as a programmer at a small software company in Hannover, and at night he was the mystery hacker who – unknowingly to him, of course – fought a battle of minds against Clifford Stoll at LBL. During 1986, Hess transferred five diskettes full of information to Koch, who sold them to the KGB agent.
When Markus Hess came across the HoneyPot Stoll had created for him, the SDINET account, he could not resist. He downloaded the fake files, and because the communication rate was only a meager 1200 baud, Hess had to stay connected to the LBL network for much longer than usual. That was the opportunity Stoll needed. The Bundespost technicians were able to pinpoint the address of Hess’ home in Hannover.
By this time, the FBI and the CIA had been in the loop, having realized – very belatedly – the seriousness of the matter. The West German police raided the homes of the group members and arrested them. The affair exploded in the press – and Clifford Stoll became a star; he even published a book called ‘The Cuckoo’s Egg’ about the affair. In one of the interviews Stoll shared an amusing anecdote. He approached a publishing house and suggested that they publish a book he wrote about the espionage affair: this was before the affair made it to the headlines. The publishing house editor rejected his manuscript and explained to Stoll that he simply could not write. Two months later, when Stoll’s picture adorned the newspapers, the editor called and asked to publish the book. ‘But two months ago I did not know how to write, and I still can’t write.’ Stoll said, surprised. ‘It’s not as important anymore.’ The editor told him. So much for my professional pride as an author…
The five members of the hacker group were interrogated by the Western German intelligence services. Some collaborated with the interrogators, and the others were sentenced to various prison terms for spying for the Soviet Union. Less than two years later, when the Berlin Wall fell, they were released. In 1989, Karl Koch left his workplace and disappeared. Nine days later his car was discovered in one of the nearby woods. Not far from the car, the police found Koch’s charred body, with a fuel tank next to it. Koch seems to have committed suicide – but there are those who still doubt this claim, and speculate that perhaps the Russians – or someone on their behalf – wished to settle accounts with Koch, who was one of the hackers who chose to collaborate with his interrogators. They point to the fact that although it was not raining at that time and the grass in the forest was rather dry – the fire that Koch started did not spread beyond a few meters around his body. Did anyone took care to extinguish the fire so as not to attract attention?… we will probably never know.
An Hungarian Spy Appears
There is one more interesting detail in Clifford Stoll’s story that I haven’t mentioned yet. In one of the documents created by the fictional secretary Barbara Sherwin, she mentioned the existence of a mailing list for people associated with the project, and invited the readers of the document to join the mailing list and receive additional documents. It was a shot in the dark, and Stoll did not really believe anyone would fall into this trap – but one day, he was surprised to find in his mailbox a letter for none other than Barbara Sherwin.
The letter’s author, who introduced himself as Laszlo Balogh, asked to join SDINET’s mailing list. The KGB, it turned out, wanted to make sure that the information obtained by the Western German hackers was correct, and asked for the Hungarian Secret Service’ help. Laszlo, who was an undercover agent of the Hungarians in Pittsburgh, was asked to send the letter to Barbara. Laszlo’s unfortunate request was a definite proof that the LBL incident was indeed a Soviet spy scheme.
In retrospect, the fictitious mailing list created by Clifford Stoll for SDINET is what modern researchers would call HoneyTokens – a term coined by a security researcher named Augusto Paes de Barros in 2003.
HoneyTokens are an extension of the HoneyPot idea. If a HoneyPot is an attempt to emulate a device on the network, then HoneyTokens are pieces of fake information that allow the defender to identify an attack on the network. Similar tactics of this kind of deception exist in fields past information security as well, like mapmaking. Often, a map maker adds to their work streets and roads that do not exist. If such a street suddenly appeared on a competitor’s map, then it is clear that it was copied. Dictionary authors, for another example, have occasionally been known to insert imaginary words into their books. In the context of information security, honeyTokens may be fake email addresses and imaginary credit card information stored in databases, or even fictitious mailing lists like the one created by Stoll. If we identify an action related to access to these data pieces – such as an Hungarian spy trying to subscribe to our fake mailing list – we can be almost certain that this is an unauthorized access – since a legitimate user would have no reason to access them.
Sam Curry, Cybearason’s Chief Product Officer, sums for us the basic idea behind HoneyPots, Honey Tokens and deception in general:
“[Sam] if I can make my topography without impacting availability, seem like it’s 10x or 100x what it currently is, that’s a harder terrain to go and invade if I can do it well. If I can make it so that every step the bad guys takes, is a chance for me to catch them, instead of today which is, they just got to succeed once at the perimeter, and then they just have to not make a really bad mistake and hope that there isn’t somebody bright connecting the dots.
Instead, if we can make it so that there’s multiple pathways that could lead to their immediate capture, and every step they take, every escalation and privilege, every new process that runs, every rootkit, every lateral movement or pass the hash or pass the ticket.
I want to make sure that I get a chance as a defender to absolutely neutralize them.”
The Price of Deception
Of course, there is such thing as a free lunch, which is also true for honey lovers. The design, deployment, and maintenance of a complex deception scheme – one that is supposed to mislead a skilled attacker – is not a simple task, and could take up valuable time and resources for the organization and its IT department, which is often overloaded as is.
[Sam] Well, the first thing is, we can think of, and this is fun to do, you can think of many techniques that could be used and we should be frankly be using deceptive practices, we should be thinking of how to make the terrain unfair as much as possible. But one thing I will say is, you’re going to need the corporate commitment and you’re going to be able to have to take some bets that are going to fail. This is a form of innovation.
[Ran] Such as?
[Sam] Well, I mean, it’s not that – so innovation doesn’t happen because somebody has a perfect thought, it springs out, they have the time to build it and then execute. You are going to potentially create interruptions to business slowdowns. You might use up CPU cycles. It can’t be science projects, they have to be, I would say, there has to be some chaos and some autonomy. You’re going to have to need some creative types to do this or partner with people who are like that and that you probably got a speed limit you can handle but you’re going to have to deal with the political expectation –
[Ran] Inside an organization?
[Sam] It’s a risk. And so there’s a rate at which a CSO, or whoever the executive in charge of security, can get away with that. And so now what you’ve got to do is, you got to make sure that when you engage in deception – deceptive practices, that you understand the impact it’s going to have operationally.
Deception, then, is a powerful tool in an organization’s defensive toolbox. Contrary to what Hollywood wants us to think, hackers are not omnipotent, and they too need to spend considerable time and effort to learn and understand the new network environment into which they have penetrated. At this point in time, in the first few moments after penetration, the attacker is vulnerable to deception by the defender – and creative and effective deceit can cause him to expose himself, his tools and techniques.
The price the defenders need to pay for this kind of deception, as always, hard work and lots of effort, but also – and this requirement is perhaps most import in deception than in any other field of information security – creative thinking. Who knows, maybe it’s time for organizations to start recruiting astronomers for their IT departments. Hey, it works.
Thank you for listening! Visit Malicious-DOT-Life to subscribe to our podcast, read all the full transcripts and download other episodes, and can follow us on Twitter at @MaliciousLife. Did you enjoy the episode? Want to suggest an interesting story? I’m all ears – drop me a line at [email protected] or send me a message at @ranlevi on twitter. If you like the show, leave us a 5 star review on iTunes and we’ll send you a Malicious Life t-shirt.
Malicious Life is produced by P.I.Media. Thanks again to Cybereason for underwriting the podcast. Learn more at Cybereason.com. Bye Bye.