08/21/2012 11:07:25 AM EST
Please allow me to emend the claim that "sometimes we don’t even know that a successful attack occurred".
The standard case for some years now has been that we do not know when attacks have succeeded. We find out later, or someone else discovers that one machine in a network has served as a platform for network discovery, surveillance, and control, leaving an agent on each machine or just returning to each machine as needed. Sometimes attackers come and go leaving no trace, but generally they stay on once the breach is exploited.
In fact, sometimes multiple attackers occupy a machine and they may get into disagreements. I had such a situation, with malicious common criminals exploiting in one case a standard US backdoor and in another the old Sony rootkit. They jostled one another and when I blocked network traffic completely I found the US goverment on my systems, having forced their way in upon finding the front door locked, leaving the network vulnerable to anyone looking for adventure. Now the FBI, DHS, etc. want Congress to legalize retroactively the horse pooh these and other relevant agencies have been dooing for the last decade.
With the US government heavily involved in hacking its citizenry and with other parties (local law enforcement, media companies, computer manufacturers and vendors, industry lobbying groups, web vigilantes, and, yes, software developers, among others) who feel they have "rights" regarding computing equipment they do not own, some of the evil originates with misguided abusers of power or opportunity. Especially since 2001 we have as a society created - with no broad agreement - a surveillance state that regards effective network defense as a threat. So self-defense for many of us may do more harm than good. In all cases, those looking to pwn your box prefer that you do not detect their presence.
Generally the attackers succeed in not being found. Finding their presence is not a simple thing, and smug confidence that your system is clean impedes discovery. Once entrenched, the toolkits prove difficult to remove, even if you change equipment. To hear experienced administrators talking about wiping disks and reinstalling systems as curative for these issues really saddens me. We have a lot of willful ignorance of the computer-security crisis. Unfortunately as well, the industry has willingly undermined network and machine and software safety with backdoors, among other ways. Where it has not been done willingly, code can be adjusted in other ways.
As I typed this, I just flashed back about six years to a goverment contractor telling me - in hacker-speak and writing remotely into a file on my own machine - that my resistance was absurd because whatever I did to my network I would by undermined by the fact that they had free access to my connections to the web through my ISP. That wasn't the half of it.
It turned out they controlled and actively visited my whole apartment building (as far as I could tell) and they arrived on my machines by wifi, telephone, bluetooth and other radio, powerline, cable, and standard wired web connections, as available and needed. They dropped what they needed in small packets ready for automated recombination where they were deprived of system-borne drivers and apps. Code would be hidden directly in programs and files unrelated to their network activities and reactivated to to jobs. I found their tools on every public (rental machines, Kinko's, library, retailer demos, etc.), academic, and personal computer I could get access to at that time. Researching this was for years a bit of an obsession for me, because the ugliness of it proved to be at each turn worse. It is bottomless, indeed, because now on top of secrecy and misclassification of the facts at the government level, these abuses are being resold as necessary for - of all things - our security as a nation. After all that has gone on, bought and/or duped politicians are being primed to codify this insanity as legal and even necessary.
Learning what I did required an enormous expenditure of resources. I would not recommend doing things the way I did, particularly if you fancy continuing to develop systems and applications for a living. One should be aware that the problem is enormous, and that developers quite generally are targeted for abuse. Getting access to code at the source, be it firmware or software, counts among the most appealing and fertile of targets for network creeps. None of us cannot afford complacency on this and we put more than our networks at risk where we descend into complicity.
United StatesRobert Callahan
Copyright © 1999-2013 BZ Media LLC, all rights reserved. Legal and Privacy
Phone: +1 (631) 421-4158 • E-mail: firstname.lastname@example.org