Editorial: âThe cyber-enemy at the gateâ

Who will protect your money, your identity and your secrets from hackers? Âéśš´ŤĂ˝ joins a bunch of hopefuls to find out if theyâre up to the task
5 March 2011, 10:59:59
Time remaining 00:50:00
In a quiet, windowless auditorium in Bristol, in the west of England, Lucy Robson and her team hunch over their laptops as the seconds on a giant clock above begin to count down. In a few moments, the enemy will begin the attack â but these villains wonât be coming in through the doors.
Advertisement
Robson is competing in the finals of the , held at Hewlett-Packard Labs in Bristol. The participants, largely teenagers and amateur programmers, have been plucked from outside the cybersecurity industry. The hunt is on to find a new generation of people with the skills to battle the darkest elements of the online realm â the hackers who seize government secrets, anonymous activists bent on causing mayhem, and criminals stealing credit cards.
The industry needs fresh blood because the nature of the threat has changed. âFive to ten years ago, youâd be protecting against a clever kid who wants to deface a website,â says Martin Sadler of HP Labs. That kind of unsophisticated attack was once relatively easy to thwart. But those days are over. Take the hackers who broke into the Sony PlayStation Network earlier this year. They breezed past the security measures of one the worldâs biggest electronics companies to steal the names, addresses and possibly credit card numbers of over 100 million people. Sony had barely recovered when a different part of the company came under attack last week.
Hackers are no longer motivated by mischief alone but by big money. Cybercrime alone â including stolen credit card numbers and industrial espionage â now costs the UK , according to the governmentâs . The story is no different in other parts of the world.
At the same time, new forms of illegal online activism have grown up, with a collective called Anonymous at the vanguard, crippling websites and gleefully exposing secrets. âAnonymous is not a specific group that you can go and arrest,â one of the competition judges explains. The label masks an ever-shifting informal membership who might be active for a year, or for 3 hours. âItâs a bank manager who wants to be a bad guy for the day,â he says. âYou canât punch someone in the face on the street, but you can on the web.â
While the diversity, motivation and acumen of the bad guys may have grown exponentially, the defenders are struggling to keep up. Pure technical acumen doesnât cut it any more. The current crop of cybersecurity professionals badly need to up their game. The Cyber Security Challenge, if not an act of desperation, is certainly one of necessity.
Last year about 4000 people entered the competition hoping to be crowned ultimate cybersecurity champion. Today, after a series of gruelling heats, only 30 remain. To the winners will go expensive training courses and internships. But the real beneficiaries might be the sponsors. They include security firm Sophos, defence contractor Qinetiq, and the UK governmentâs Defence Science and Technology Laboratory, and they are treating this contest as a scouting operation.
Earlier, the contenders got their orders from the fake CEO and board members of a fake manufacturing firm called the Metal Box Company. Todayâs task, they were told, was to secure the firmâs website and network. Then the finalists were split into teams with names like Enigma, Turing and Bombe.
They are about to start the first of the dayâs trials that will test their technical abilities, interpersonal skills and teamwork. Later on, judges will award two prizes: one to the winning team, the other to the best individual player. Entrants vying for the title include a professional actor, a geeky kid with hair down to his shoulders, a postman from northern England and, competing in Team Enigma, 17-year-old Robson, the contestâs only girl.
Robson taught herself network security by reading Wikipedia and textbooks she bought with money she earned from a part-time supermarket job. âIf it affects me, I want to know how it works,â she says. She lives in Cromer, a small town on the east coast of England, with her dad, a carpet fitter and her mum, a certified chartered accountant. âMake sure you get the âcertified charteredâ bit, itâs important,â Robson instructs. She speaks as if sheâs processing every word before it emerges. Her cropped dark hair rests on the collar of a grey suit and a fashionable scarf. The other entrants wear T-shirts and jeans.
Robson entered the competition with two friends she met at a computer summer school. In the run-up to the finals, their team shone, sussing out well-disguised flaws in a home computer. âWe got here because of Lucy,â says her friend Stuart Rennie. âShe was amazing.â But today, Rennie has been placed on Team Bombe, competing against Robson.
Itâs 11 am, and the attack is about to start. The task is to identify and fend off waves of invaders who want to break into the Metal Box Companyâs computer network. The teams are clustered in one corner of the auditorium, isolated from each other by barriers. The wires trailing from their laptops disappear into a tangled clump under a nearby table, where the action is coordinated by the games masters, led by Andrew Laird of Bristol-based security firm . The exercise is being staged on a Cassidian-built software simulator called Hotsim (for âHands on Training Simulatorâ), which is robust enough to manage the cybersecurity training of the Brazilian and Finnish militaries. Hotsim reproduces all the day-to-day traffic youâd expect in a big company network, such as employees browsing the internet, instant messaging and exchanging emails, so the teamsâ laptop screens mirror what an IT security team in a real company would be looking at.
The competing teams monitor this virtual traffic for signs of intrusion, using standard programs that display employee activity, a breach detection system and a firewall to keep out threats. A skilful cyberdefender knows how to program these tools to spot and block threats. If the contenders can successfully juggle all three, they can prevent the invasion.
Team Enigma, though, start badly. Itâs only a few minutes before the first sign of trouble: a âport scanâ conducted by the enemy. Ports are the way into the network. Think of an arterial road system into a city that provides hundreds or thousands of routes for different types of vehicles and destinations. Similarly, a network has many thousands of specific routes along which traffic travels, called ports. By convention, internet browser traffic on a server comes in through port 80. Email tends to go out of port 25. Potential intruders will scan thousands of these ports in an attempt to discover weaknesses in the networkâs security. Thatâs what is happening now, but in their initial scramble to secure the perimeter neither Robson nor the rest of Team Enigma have noticed.
The person in charge of monitoring the traffic zipping around on the network router is Tony Shannon, a stocky, confident 28-year-old with a pierced eyebrow. After a few years in the IT industry, heâs back studying computer security at Nottingham Trent University, UK. Shannonâs style is nothing like Robsonâs. He has decided that the way to impress the judges is to mount ostentatious vocal displays. âOh yeah, weâre FUBAR,â he declares, as thing start to come unstuck. âWeâre folding like a cheap deckchair.â And the team really is folding in the face of the attacks. For all his earlier bravado, Shannon hasnât found much to contribute so far. Thereâs anxiety in his voice.
Time remaining 00:31:20
Twenty minutes in, and the Metal Box Company website has been hacked. The home page has been replaced by a simple message: âPwned by /bâ, followed by a stream of Latin. When youâre pwned, youâre conquered, goes the web slang.
Team Enigma manages to restore the home page, but they are missing crucial information: if they canât figure out how the attackers got in, their fix is only temporary. Further investigation reveals that the hacker has used a method called SQL injection vulnerability. SQL is a language used on websites to extract information from a database. Many online retailers draw on such databases to update, in real time, the stock of products they display, as well as customer details. SQL automates the retrieval of that information and so makes web designersâ lives easier. But if the websites are badly designed, hackers can turn SQL on itself to break in and steal information. Consider the forms you use to fill in your name, address and credit card details on a website: every one of these can potentially be a door to a websiteâs inner sanctum.
Team Enigma suspect that the attacker entered via one of these forms by submitting malicious code posing a deliberately inexact query to the database. The shoddily built Metal Box Company website then failed to block that query. That allowed the hacker to force the website to reveal what should have been hidden database information. Thatâs probably how the attacker stole the password that was then used to deface the website.
Time remaining 00:13:19
Things are getting serious. Until now, the attacks have been simple vandalism, but now the Metal Box hackers have set loose a particularly nasty piece of malware that hunts down pass-words, financial statements and sensitive personal information. That kind of data can be embarrassingly easy for a malware program to find. An email or document with the word âconfidentialâ at the top, says Laird, âis like a flag saying âHey, Iâm interestingâ â.
Its quarry identified, the malware is now chopping up the documents into tiny segments, and encrypting them. To sneak its swag out of the network unnoticed, the malware hides all these fragments inside messages known as domain name server queries. These queries are normally sent out of the network any time someone connects to an outside server. When you search for, say, newscientist.com, your web browser sends a request to a server that translates the text-based web address ânewscientist.comâ into its real address, which is a long and unmemorable string of numbers. Because these queries form a large part of normal web traffic on an internal network, it is easy to hide bits of extra information inside them without arousing suspicion. The malware can therefore idly transmit the segments of encrypted data inside thousands of these outbound DNS queries. Once they have been safely smuggled out of the network, the attacker can simply reassemble the pieces at their destination. This type of attack is called âDNS exfiltrationâ.
The US government estimates that data exfiltration has caused government departments and agency networks to lose more than 20 terabytes of data, but because the thieves encrypted what they stole, itâs hard to tell what was lost. âThey donât know what it is and they donât know where itâs gone,â says Laird. Itâs the perfect heist.
Team Enigma have failed to spot the breach, and the Metal Box Company is haemorrhaging data: over 2000 documents have left the network. Robson, who is normally calm, seems harassed, furiously logging details of the attacks, while the others try to track down whatâs happening. The airless room is claustrophobic with the shouts of the teams, and thereâs a smell of nervous sweat. By the time the team spot the DNS theft, itâs too late.
Time remaining 00:02:58
The Hotsim attackers have barred all the companyâs employees from accessing their own user accounts, including the security team. If you have ever entered the wrong password three times in a row and been locked out of your account, youâll know how this works. This attack is usually a decoy for staging a more serious theft, but today itâs more like a final taunt.
âTake your hands off your keyboards,â says games master Laird. The teams lean back on their chairs. They look dazed. âMy head hurts,â says Robson. Shannon stares at the clock.
Robson, Shannon and the others have had their first taste of what the good guys are up against. All over the world, cybersecurity specialists are under siege. They donât know when the next attack will arrive, or why.
6 March 2011, 13:30:00
The organisers are about to announce the winners at the awards ceremony lunch, being held in a fancier venue in Bristol. Itâs a fresh, wintry Sunday, and the sunlight glints on the cutlery and glasses.
Team Enigma havenât won the overall prize. That went to Team Bombe, which included the competition winner, Dan Summers, the postman. But Team Enigma are in good spirits.
Up on stage, Robson accepts an award for her performance in the heats that brought her to the final competition, a coveted digital security internship with Qinetiq. Even Shannon is in a good mood, having won a training course. âIâll stop grinning sometime in my sleep tonight,â he says. As the ceremony winds down inside the hall, Robson is outside, texting on her phone. Next year, sheâll be studying computer science at university, or perhaps sheâll take a gap year.
Meanwhile, someone, somewhere is plugging into the vast web of cables, processors and servers joined up around the planet. And theyâre up to no good.
Virtual crime, real world
Itâs 2020, and you are lost in an unfamiliar neighbourhood because you were trying to avoid congestion on the main roads. But youâre not worried: you are being led to a clear stretch of road by your carâs navigation system, which is chatting with billions of sensors embedded into the roads to avoid traffic snarls. But can you trust your satnav? If hackers can break into a website, they can also make short work of this network of sensors and cause mischief on a city-wide scale, misdirecting cars for kicks, perhaps down a side street where someone is waiting to rob you.
If the scenario seems unlikely, consider that billions of networked sensors will soon become embedded throughout our cities and possessions, generating a flood of information about you and your surroundings. Gigabytes of sensitive data will circulate through this âinternet of thingsâ, a global network of interconnected and continually monitored objects.
âThis world of sensors will create new problems,â says Martin Sadler of Hewlett-Packard Labs in Bristol, UK. Clearly, it will need a completely different kind of custodian to protect it from falling into the wrong hands, he says. Time to start training the next generation of cyberdefenders.