快猫短视频

The defenders: Inside an online siege

Who will protect your money, your identity and your secrets from hackers? Richard Fisher joins a bunch of hopefuls to find out if they're up to the task

Editorial: The cyber-enemy at the gate

Battling the dark side
Battling the dark side
(Image: Aaron McCoy/Photographer's Choice/Getty)

Who will protect your money, your identity and your secrets from hackers? 快猫短视频 joins a bunch of hopefuls to find out if they鈥檙e up to the task

5 March 2011, 10:59:59

Time remaining 00:50:00

In a quiet, windowless auditorium in Bristol, in the west of England, Lucy Robson and her team hunch over their laptops as the seconds on a giant clock above begin to count down. In a few moments, the enemy will begin the attack 鈥 but these villains won鈥檛 be coming in through the doors.

Robson is competing in the finals of the , held at Hewlett-Packard Labs in Bristol. The participants, largely teenagers and amateur programmers, have been plucked from outside the cybersecurity industry. The hunt is on to find a new generation of people with the skills to battle the darkest elements of the online realm 鈥 the hackers who seize government secrets, anonymous activists bent on causing mayhem, and criminals stealing credit cards.

The industry needs fresh blood because the nature of the threat has changed. 鈥淔ive to ten years ago, you鈥檇 be protecting against a clever kid who wants to deface a website,鈥 says Martin Sadler of HP Labs. That kind of unsophisticated attack was once relatively easy to thwart. But those days are over. Take the hackers who broke into the Sony PlayStation Network earlier this year. They breezed past the security measures of one the world鈥檚 biggest electronics companies to steal the names, addresses and possibly credit card numbers of over 100 million people. Sony had barely recovered when a different part of the company came under attack last week.

Hackers are no longer motivated by mischief alone but by big money. Cybercrime alone 鈥 including stolen credit card numbers and industrial espionage 鈥 now costs the UK , according to the government鈥檚 . The story is no different in other parts of the world.

At the same time, new forms of illegal online activism have grown up, with a collective called Anonymous at the vanguard, crippling websites and gleefully exposing secrets. 鈥淎nonymous is not a specific group that you can go and arrest,鈥 one of the competition judges explains. The label masks an ever-shifting informal membership who might be active for a year, or for 3 hours. 鈥淚t鈥檚 a bank manager who wants to be a bad guy for the day,鈥 he says. 鈥淵ou can鈥檛 punch someone in the face on the street, but you can on the web.鈥

While the diversity, motivation and acumen of the bad guys may have grown exponentially, the defenders are struggling to keep up. Pure technical acumen doesn鈥檛 cut it any more. The current crop of cybersecurity professionals badly need to up their game. The Cyber Security Challenge, if not an act of desperation, is certainly one of necessity.

Last year about 4000 people entered the competition hoping to be crowned ultimate cybersecurity champion. Today, after a series of gruelling heats, only 30 remain. To the winners will go expensive training courses and internships. But the real beneficiaries might be the sponsors. They include security firm Sophos, defence contractor Qinetiq, and the UK government鈥檚 Defence Science and Technology Laboratory, and they are treating this contest as a scouting operation.

Earlier, the contenders got their orders from the fake CEO and board members of a fake manufacturing firm called the Metal Box Company. Today鈥檚 task, they were told, was to secure the firm鈥檚 website and network. Then the finalists were split into teams with names like Enigma, Turing and Bombe.

They are about to start the first of the day鈥檚 trials that will test their technical abilities, interpersonal skills and teamwork. Later on, judges will award two prizes: one to the winning team, the other to the best individual player. Entrants vying for the title include a professional actor, a geeky kid with hair down to his shoulders, a postman from northern England and, competing in Team Enigma, 17-year-old Robson, the contest鈥檚 only girl.

Robson taught herself network security by reading Wikipedia and textbooks she bought with money she earned from a part-time supermarket job. 鈥淚f it affects me, I want to know how it works,鈥 she says. She lives in Cromer, a small town on the east coast of England, with her dad, a carpet fitter and her mum, a certified chartered accountant. 鈥淢ake sure you get the 鈥榗ertified chartered鈥 bit, it鈥檚 important,鈥 Robson instructs. She speaks as if she鈥檚 processing every word before it emerges. Her cropped dark hair rests on the collar of a grey suit and a fashionable scarf. The other entrants wear T-shirts and jeans.

Robson entered the competition with two friends she met at a computer summer school. In the run-up to the finals, their team shone, sussing out well-disguised flaws in a home computer. 鈥淲e got here because of Lucy,鈥 says her friend Stuart Rennie. 鈥淪he was amazing.鈥 But today, Rennie has been placed on Team Bombe, competing against Robson.

It鈥檚 11 am, and the attack is about to start. The task is to identify and fend off waves of invaders who want to break into the Metal Box Company鈥檚 computer network. The teams are clustered in one corner of the auditorium, isolated from each other by barriers. The wires trailing from their laptops disappear into a tangled clump under a nearby table, where the action is coordinated by the games masters, led by Andrew Laird of Bristol-based security firm . The exercise is being staged on a Cassidian-built software simulator called Hotsim (for 鈥淗ands on Training Simulator鈥), which is robust enough to manage the cybersecurity training of the Brazilian and Finnish militaries. Hotsim reproduces all the day-to-day traffic you鈥檇 expect in a big company network, such as employees browsing the internet, instant messaging and exchanging emails, so the teams鈥 laptop screens mirror what an IT security team in a real company would be looking at.

The competing teams monitor this virtual traffic for signs of intrusion, using standard programs that display employee activity, a breach detection system and a firewall to keep out threats. A skilful cyberdefender knows how to program these tools to spot and block threats. If the contenders can successfully juggle all three, they can prevent the invasion.

Team Enigma, though, start badly. It鈥檚 only a few minutes before the first sign of trouble: a 鈥減ort scan鈥 conducted by the enemy. Ports are the way into the network. Think of an arterial road system into a city that provides hundreds or thousands of routes for different types of vehicles and destinations. Similarly, a network has many thousands of specific routes along which traffic travels, called ports. By convention, internet browser traffic on a server comes in through port 80. Email tends to go out of port 25. Potential intruders will scan thousands of these ports in an attempt to discover weaknesses in the network鈥檚 security. That鈥檚 what is happening now, but in their initial scramble to secure the perimeter neither Robson nor the rest of Team Enigma have noticed.

The person in charge of monitoring the traffic zipping around on the network router is Tony Shannon, a stocky, confident 28-year-old with a pierced eyebrow. After a few years in the IT industry, he鈥檚 back studying computer security at Nottingham Trent University, UK. Shannon鈥檚 style is nothing like Robson鈥檚. He has decided that the way to impress the judges is to mount ostentatious vocal displays. 鈥淥h yeah, we鈥檙e FUBAR,鈥 he declares, as thing start to come unstuck. 鈥淲e鈥檙e folding like a cheap deckchair.鈥 And the team really is folding in the face of the attacks. For all his earlier bravado, Shannon hasn鈥檛 found much to contribute so far. There鈥檚 anxiety in his voice.

Time remaining 00:31:20

Twenty minutes in, and the Metal Box Company website has been hacked. The home page has been replaced by a simple message: 鈥淧wned by /b鈥, followed by a stream of Latin. When you鈥檙e pwned, you鈥檙e conquered, goes the web slang.

Team Enigma manages to restore the home page, but they are missing crucial information: if they can鈥檛 figure out how the attackers got in, their fix is only temporary. Further investigation reveals that the hacker has used a method called SQL injection vulnerability. SQL is a language used on websites to extract information from a database. Many online retailers draw on such databases to update, in real time, the stock of products they display, as well as customer details. SQL automates the retrieval of that information and so makes web designers鈥 lives easier. But if the websites are badly designed, hackers can turn SQL on itself to break in and steal information. Consider the forms you use to fill in your name, address and credit card details on a website: every one of these can potentially be a door to a website鈥檚 inner sanctum.

Team Enigma suspect that the attacker entered via one of these forms by submitting malicious code posing a deliberately inexact query to the database. The shoddily built Metal Box Company website then failed to block that query. That allowed the hacker to force the website to reveal what should have been hidden database information. That鈥檚 probably how the attacker stole the password that was then used to deface the website.

Time remaining 00:13:19

Things are getting serious. Until now, the attacks have been simple vandalism, but now the Metal Box hackers have set loose a particularly nasty piece of malware that hunts down pass-words, financial statements and sensitive personal information. That kind of data can be embarrassingly easy for a malware program to find. An email or document with the word 鈥渃onfidential鈥 at the top, says Laird, 鈥渋s like a flag saying 鈥楬ey, I鈥檓 interesting鈥櫬犫.

Its quarry identified, the malware is now chopping up the documents into tiny segments, and encrypting them. To sneak its swag out of the network unnoticed, the malware hides all these fragments inside messages known as domain name server queries. These queries are normally sent out of the network any time someone connects to an outside server. When you search for, say, newscientist.com, your web browser sends a request to a server that translates the text-based web address 鈥渘ewscientist.com鈥 into its real address, which is a long and unmemorable string of numbers. Because these queries form a large part of normal web traffic on an internal network, it is easy to hide bits of extra information inside them without arousing suspicion. The malware can therefore idly transmit the segments of encrypted data inside thousands of these outbound DNS queries. Once they have been safely smuggled out of the network, the attacker can simply reassemble the pieces at their destination. This type of attack is called 鈥淒NS exfiltration鈥.

The US government estimates that data exfiltration has caused government departments and agency networks to lose more than 20 terabytes of data, but because the thieves encrypted what they stole, it鈥檚 hard to tell what was lost. 鈥淭hey don鈥檛 know what it is and they don鈥檛 know where it鈥檚 gone,鈥 says Laird. It鈥檚 the perfect heist.

Team Enigma have failed to spot the breach, and the Metal Box Company is haemorrhaging data: over 2000 documents have left the network. Robson, who is normally calm, seems harassed, furiously logging details of the attacks, while the others try to track down what鈥檚 happening. The airless room is claustrophobic with the shouts of the teams, and there鈥檚 a smell of nervous sweat. By the time the team spot the DNS theft, it鈥檚 too late.

Time remaining 00:02:58

The Hotsim attackers have barred all the company鈥檚 employees from accessing their own user accounts, including the security team. If you have ever entered the wrong password three times in a row and been locked out of your account, you鈥檒l know how this works. This attack is usually a decoy for staging a more serious theft, but today it鈥檚 more like a final taunt.

鈥淭ake your hands off your keyboards,鈥 says games master Laird. The teams lean back on their chairs. They look dazed. 鈥淢y head hurts,鈥 says Robson. Shannon stares at the clock.

Robson, Shannon and the others have had their first taste of what the good guys are up against. All over the world, cybersecurity specialists are under siege. They don鈥檛 know when the next attack will arrive, or why.

6 March 2011, 13:30:00

The organisers are about to announce the winners at the awards ceremony lunch, being held in a fancier venue in Bristol. It鈥檚 a fresh, wintry Sunday, and the sunlight glints on the cutlery and glasses.

Team Enigma haven鈥檛 won the overall prize. That went to Team Bombe, which included the competition winner, Dan Summers, the postman. But Team Enigma are in good spirits.

Up on stage, Robson accepts an award for her performance in the heats that brought her to the final competition, a coveted digital security internship with Qinetiq. Even Shannon is in a good mood, having won a training course. 鈥淚鈥檒l stop grinning sometime in my sleep tonight,鈥 he says. As the ceremony winds down inside the hall, Robson is outside, texting on her phone. Next year, she鈥檒l be studying computer science at university, or perhaps she鈥檒l take a gap year.

Meanwhile, someone, somewhere is plugging into the vast web of cables, processors and servers joined up around the planet. And they鈥檙e up to no good.

Virtual crime, real world

It鈥檚 2020, and you are lost in an unfamiliar neighbourhood because you were trying to avoid congestion on the main roads. But you鈥檙e not worried: you are being led to a clear stretch of road by your car鈥檚 navigation system, which is chatting with billions of sensors embedded into the roads to avoid traffic snarls. But can you trust your satnav? If hackers can break into a website, they can also make short work of this network of sensors and cause mischief on a city-wide scale, misdirecting cars for kicks, perhaps down a side street where someone is waiting to rob you.

If the scenario seems unlikely, consider that billions of networked sensors will soon become embedded throughout our cities and possessions, generating a flood of information about you and your surroundings. Gigabytes of sensitive data will circulate through this 鈥渋nternet of things鈥, a global network of interconnected and continually monitored objects.

鈥淭his world of sensors will create new problems,鈥 says Martin Sadler of Hewlett-Packard Labs in Bristol, UK. Clearly, it will need a completely different kind of custodian to protect it from falling into the wrong hands, he says. Time to start training the next generation of cyberdefenders.

Topics: Computer crime / Hacking