Apr 21, 2014

Security In Media: "Intelligence" - S1E11 - The Gray Hat

Show Overview:
Intelligence is a drama/action television show on CBS. The premise is that the United States Cyber Command has implanted a computer chip into one of its agents that allows him to connect to any device (via the Internet), granting him all manner of fantastic abilities. The show follows the agent and his team of partners and handlers as they deal with threats to national security, mostly involving terrorism and "cyber"terrorism *gag*.

As a premise, the show is fine, and I'm more than willing to grant the willing suspension of disbelief that the chip can operate as advertised and do what the show depicts it doing. However, given the setting of the show, they naturally deal with information warfare and computer and information security in the more mundane and traditional sense, and the show consistently drops the ball on this part.

Episode Synopsis:
In this episode, a computer worm is unleashed in the Los Angeles area, taking out the power grid for most of the west coast. The code for the worm was stolen from a notorious hacker (Cortez) by an anti-nuclear terrorist group who are attempting to use it to cause a meltdown at a nuclear reactor, all as a scheme to get the brother of one of the terrorists released from US custody before he is extradited to Russia and executed.

This episode touches on issues about hacking in general and computer worms in particular, and fails on just about every point made. It is rather stunning, as if someone knew what they were talking about but deliberately got the facts wrong. I struggle to believe that someone couldn't have gotten something right, if only by chance.

Grey Hat Hackers

The title and plot of the show reference Grey Hat hackers and hacking. In the show, it's described as targeting someone or some group with malicious code, taking down the system and then blackmailing them to fix their system.
Just no.

That is BLACK Hat hacking. In fact, it is pretty much the textbook definition of what a Black Hat hacker is. This is in contrast to a White Hat hacker, who is a person that is authorized and given permission to find flaws and vulnerabilities within a computer system, in order to either fix them or inform the owner, who can then fix them.

Gray Hat hackers fall in between. They skirt law and ethics, but aren't looking to exploit vulnerabilities or engage in blackmail or extortion. They usually inform the targets of the existence of the vulnerabilities so they can be fixed, and almost always publicize the discovery of these vulnerabilities so that vendors and users can take appropriate action.

Cortez and the anti-Nuclear group have malicious purposes and are in this for personal gain. They aren't interested in the vulnerabilities and exploits themselves, just how they can use them to achieve other means. They are Black Hats through and through.

This is unfortunate, as Grey Hats are often lumped in with Black Hats, as in the notable case against the hacker known as weev. Weev was part of a security group that discovered a flaw in AT&T's systems that allowed for the disclosure of e-mail addresses, which he then reported to the vendor and the media. Without going too far off the topic of this post, how this case was treated is more likely to encourage Grey Hat hackers to turn their hats a little darker, and media depictions like this aren't doing much to help that.

The Worm

Before we get into the show's depiction of this worm, let's ask: what is a worm? At the very least, a worm is a type of self-replicating computer code. This is contrasted with a virus or a Trojan, which require some sort of explicit action or execution to be activated and spread. Worms can be as simple as that, copying themselves within and among various computers. This itself can be dangerous, as it fills up disk space, memory, processing and network bandwidth. This alone can take down individual systems and entire networks.

Additionally, worms can carry various payloads designed to do other things as well, such as:
  • Deleting or encrypting files;
  • Transmitting or disclosing files;
  • Creating "back doors" that allow for unauthorized remote access and control;
  • Taking control of a computer to launch additional attacks or send spam.
Worms spread from computer to computer over networks by exploiting vulnerabilities in the target computer.

For example:
The SQL Slammer worm was a famous worm that operated in the early 2000s. It worked using the following rough methodology:

1. Generate a random list of IP addresses.
2. Send its own code out to those IP addresses.
3. If any of those IP addresses corresponded to an active computer running a vulnerable version of Microsoft SQL Server, that computer would accept the code.
4. The code was specifically designed to exploit a buffer overflow vulnerability in Microsoft SQL Server. This would cause the vulnerable computer to write the code for the worm into its own memory and then execute it, repeating the process.

The worm was so effective that it infected 75,000 hosts within 10 minutes. While the worm itself did no direct damage, the network traffic generated by its propagation overloaded the routers that allow for internetwork communication, taking them down.

In some cases, the show did get a few things right:
  • Worms can act "like a python" and "squeeze the life out of a system";
  • Virtually impossible to predict;
However, they get plenty of things wrong:

Encryption. The code they come into possession of is encrypted, and they have to spend considerable effort decrypting it. While malicious code can use encryption for a number of purposes, the code itself is not likely to be encrypted in the wild. Encrypted software cannot be read or executed (hence the significant damage caused by malware such as Cryptolocker). Worms spread by forcing the host system to execute their code, which requires the code to be decrypted. Now, it's possible that the code encrypts itself after replicating, but it could not be communicated with or continue to spread after that point;

Would see Gabriel's "chip" as prey. In several instances they talk of the code as seeking out specific systems. While it's true that a worm could be coded to target specific systems that have specific vulnerabilities, or even be geared toward specific organizations, the episode grants the code a level of psychic awareness, as if it automatically knows where these systems are and seeks them out. What's ironic is that they only forbid Gabriel from analyzing the code via his chip; they never disconnect his chip from the Internet, where it would still be exposed to the worm;

Targeting Nuclear reactors. The show clearly got its cues from the Stuxnet malware that infected Iranian centrifuges, causing irreparable damage. The worm in the show tries to be an analog for this, but fails in several crucial elements. Stuxnet was specifically built to target the software used by these centrifuges, and did not cause damage otherwise, and was set to delete itself after a certain period of time. By contrast, the worm in the show caused massive damage wherever it went, despite having a target of a specific nuclear reactor.

The main problem is that they treated the worm as a singular entity that was roaming around networks causing destruction, looking for a nuclear reactor, and would stop when it found and disabled that computer system. The entire point of worms is that they replicate. The Stuxnet worm would replicate through a variety of techniques and, if the host computer met certain criteria, it would sabotage the software used to control the centrifuges.

In theory, the show's worm could have worked like this, but there would be no practical way for specific instances of the worm to communicate with other instances to tell them to stop when a reactor was found. Furthermore, there would be no way for any of the instances to psychically know where any nuclear reactor systems were, so setting up a "virtual" nuclear reactor would do nothing until the worm found it via its propagation technique. Even then, there would be no practical way for the instances to communicate with each other to determine that one was a better target than another, such that it would only go after the best target (not to mention that the worm was apparently hard coded to go after the San Jacomo reactor).

So while a worm can be coded to take specific malicious actions against computers that meet certain criteria, instances of worms operate independently and don't communicate with each other and won't stop simply because another instance found the desired target;

The kill switch. Just as individual instances of the worm would have no practical way of communicating with each other, there would also be no practical way to implement a kill switch. As stated, the worm was designed to act unpredictably, even to Cortez. How would Cortez know where to send the kill signal? The kill signal would have to be sent to each instance of the worm, which could very well number in the tens of thousands, and would have to reach the instances faster than they propagate.

The "cloning" of the worm. The attack is immediately recognized as that of Cortez (despite the fact that they didn't have access to the unencrypted source code at the time and, on the surface, it operated no differently than any other worm), and Cortez is immediately able to tell that the code was "cloned" but altered. In addition to the worm being coded to specifically target the San Jacomo reactor (!?), it contained a "routing algorithm" he recognized as belonging to a friend of his. So his code was modified by other people. So what? First, the "distance-vector protocol" is gibberish when it comes to worms. It's a protocol used by routers to route traffic between networks. A charitable interpretation would have us read this as how the worm propagated, but that's what makes a worm what it is! Worms are defined by how they propagate and what they do. If both of those aspects have changed, then in what way is this still Cortez's worm?

The Response to the Worm

If their depiction of the worm wasn't bad enough, their response to the worm was atrocious. They were somehow able to estimate that the worm would hit the San Jacomo nuclear reactor in 5 hours and cause a meltdown. They then proceeded to do nothing about that and just let the worm continue to propagate.

Completely and utterly absurd. Everyone on that team should be fired.

The worm has to propagate through some sort of mechanism. With samples of the code and Cortez in hand, they should know exactly how the worm propagates and the vulnerabilities and exploits it uses to do so. That alone should give them the information they need to implement measures to stop the worm from propagating. Most of the popular worms in the wild exploited known vulnerabilities for which there were readily available patches, almost always some sort of buffer overflow.

Yet they do nothing. They don't contact the press to let them know there is a worm going around. They don't contact the vendors of the affected software to have them develop a fix (assuming it was a zero-day exploit). They do nothing.

At the very least they could have disconnected the nuclear facility from the Internet!

Software and anti-virus vendors would be scrambling to develop patches and fixes to combat the worm and sensitive networks (such as those controlling Nuclear facilities!) would be advised to disconnect and become stand-alone.
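The Slammer walkthrough above, the point that worm instances act independently and can't be recalled, and the response this section calls for (patch or disconnect the sensitive network) can all be shown in one toy model. The simulation below is an added example written for this post, not code from the show or from any real worm; the host count, vulnerable fraction, scan rate, the `reactor_net` address block and the random seed are all constructed assumptions, and no network I/O takes place.

```python
import random

def simulate_worm(n_hosts=10000, vuln_frac=0.10, scans_per_tick=20, ticks=30,
                  protected=frozenset(), kill_tick=None, kill_known=frozenset(),
                  seed=7):
    """Toy random-scanning worm model (constructed illustration, no networking).

    Hosts are the integers 0..n_hosts-1; a fixed fraction are vulnerable. Every
    infected instance picks scans_per_tick random addresses per tick on its own,
    with no coordination. A vulnerable address not in `protected` (patched or
    disconnected) becomes infected. At `kill_tick` a kill signal reaches only the
    addresses in `kill_known`; those instances stop, all the others keep scanning.
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(n_hosts), int(n_hosts * vuln_frac)))
    patient_zero = rng.choice(sorted(vulnerable))
    infected, killed = {patient_zero}, set()
    history = [len(infected)]
    for tick in range(1, ticks + 1):
        if tick == kill_tick:
            killed |= infected & set(kill_known)   # only instances the sender can reach
            infected -= killed
        newly = set()
        for _instance in infected:                 # each instance acts independently
            for _ in range(scans_per_tick):
                target = rng.randrange(n_hosts)
                if target in vulnerable and target not in protected and target not in killed:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
    return {"history": history, "infected": infected,
            "vulnerable": vulnerable, "patient_zero": patient_zero}

def compare_scenarios(reactor_net=frozenset(range(100))):
    """Same randomness, three responses; reactor_net is a constructed address block."""
    base = simulate_worm()                                  # nobody reacts
    isolated = simulate_worm(protected=reactor_net)         # reactor disconnected
    killed = simulate_worm(kill_tick=6, kill_known={base["patient_zero"]})
    return {
        "base_final": base["history"][-1],
        "reactor_hit_base": len(base["infected"] & reactor_net),
        "reactor_hit_isolated": len(isolated["infected"] & reactor_net),
        "killed_final": killed["history"][-1],
    }

if __name__ == "__main__":
    print(compare_scenarios())
```

The disconnected block is never reached no matter how long the worm runs, while a kill signal that reaches only the host the author knows about leaves every other instance spreading.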

The Amazing Cortez

Let's take a look at his resume:
  • Practically invented "hostageware". Amazing, considering this type of malware dates back to 1989, the better part of a decade before he was born;
  • Thinks that limiting control over his code to a single computer, using esoteric biometric authentication, was a good idea;
  • Despite already being in possession of the modified code, thinks he still needs to "get his code" back.

Other Odds and Ends

Local IPs. They deduce that, since the Los Angeles power grid only allows access from local IP addresses, the perpetrator had to be in Los Angeles. That's not how that works. The "local" of local IP address is a logical designation. Local IP addresses can be physically and geographically distant, and remote IP addresses can be physically and geographically close. While it's probably correct to say that access must be done from a local IP address, it's absurd to then conclude that it had to be someone in that geographic area.

Having power back-up means you still get to access the Internet. There is more to accessing the Internet than simply having power at your house. Your local ISP would still need to keep its routers up, as would every router along the way to and including the Internet. Given the scope of the outage, it is unlikely that anyone there had Internet access save those with dedicated circuits and connections.

Looking for encrypted connections. Everyone uses encrypted connections to access the Internet. Log into Facebook, check your e-mail? You're using an encrypted connection. This is no way to narrow down a list of suspects.

Servers in living space. The show has committed this sin several times. Computers generate heat and noise. Lots of computers generate lots of heat and lots of noise. Three full racks of computers would turn that living space into a hot room and make it difficult to have a normal conversation.

Bounced his e-mail through twelve different countries. Perhaps he did, but it's probably still on the computer he sent it from, the one that's right there in the room where they have him.

The code is mimicking an EKG reading! Gibberish. Just utter gibberish.

They needed to verify that the computer was "The Mothership" and that it was transmitting the correct commands to control the worm. Gabriel should have been able to validate this through the use of his chip, so why did they need to see the computer first hand?

Intelligence has committed a fair number of sins in this subject area. It has repeated, several times, the notion of "2040 bit" encryption (encryption key sizes are quoted in powers of 2; this should be 2048). It relies on Hollywood impressions of hacking, computer science and cyberwarfare. Most of the time, this can be overlooked as tangential to the plot. In a story focusing heavily on hacking and malicious code, it turns an otherwise solid show into a farce.