Cyberwar: superhacker versus security experts
Charles Miller is a computer security researcher with the consulting firm Independent Security Evaluators. Prior to his current employment, he spent five years working for the National Security Agency. In 2008 he won a $10,000 cash prize at the hacker conference Pwn2Own in Vancouver Canada for being the first to find a critical bug in the ultrathin MacBook Air-deploying an exploit in 2 minutes. The next year, he won $5,000 for cracking Safari in under 10 seconds. In 2009 he also demonstrated an SMS processing vulnerability that allowed for complete compromise of the Apple iPhone and denial-of-service attacks on other phones. He holds a Ph.D. in mathematics from the University of Notre Dame. (Wikipedia)
Mikko Hyppönen is Chief Research Officer for F-Secure Corporation. He has worked with F-Secure since 1991. Hyppönen led the team that took down the world-wide network used by the Sobig.F worm in 2003, was the first to warn the world about the Sasser outbreak in 2004 and named the infamous Storm Worm in 2007. He has assisted law enforcment in USA, Europe and Asia on cybercrime cases. He has written for magazines such as Scientific American, Foreign Policy and Virus Bulletin and has addressed the most important security-related conferences worldwide. He is also an inventor for several patents, including US patent 6,577,920 "Computer virus screening". Hypponen, born in 1969, was selected among the 50 most important people on the web in March 2007 by the PC World magazine.
Assaf Keren is director of IT security at Israeli e-government project called Tehila. Tehila's aim is to improve the online interaction between the government and the citizens. The main roles of Tehila are: being the ISP for the government's different ministries and hosting their websites and services. Tehila is a key participant in every IT project that involves communication between the government and the citizens.
All three participated at International Conference of Cyber Cecurity in Tallinn, Estonia on June 15 -18.
Charlie Miller answers to Assaf Keren
When you talk about 0days and attacking machines, you have confidence, that nothing can stop you. Dont you think that good defence arrangement can stop you, or at least make it more difficult for you?
Certainly good defense makes life harder for me. However, I tried to design the attack to withstand occasional detection. I use many different custom exploits and attack tools so that if one is detected, it will not help detect other ones. I also plan a very patient attack, over a period of two years, where mostly nothing is happening. This makes it difficult to detect as well.
You certainly have skills to improve the defence. Yet you chose to focus on attacks. Its true that your research in the end improves defence, but we need good people to think broader. Why dont you help in this way?
I focus on attack because I find it more interesting, and frankly, it is much easier than defense. I hope that by presenting an offensive talk, it will at least help defenders to think about how their defense would stand up to an attack like this and how improvements could be made.
In your presentation you said that software companies should be liable for inscure code. Dont you think that security researchers, like you, should be liable, if their research becomes an exploit?
Haha, of course not. There are two important differences between researchers and software vendors. One is people pay money to vendors to purchase their products and with that comes a certain responsibility to create a product that doesn't put the users at risk. Customers don't pay researchers anything and so shouldn't expect anything from them. Also, the software vendors are the ones who write the code which includes the vulnerabilities. They make the vulnerabilities and thus are responsible for them. Researchers merely discover the vulnerabilities. It would be like Consumer Reports being responsible for finding problems in automobile breaking systems and being held liable when cars crash.
Charlie Miller answers to Mikko H. Hypponen
Do you consider Microsoft Update to be a botnet? If not, why not?
No because you purchase Microsoft Windows in the first place and so allow Microsoft to run code on your computer. I will admit it has some of the characteristics of a botnet, but the distinction is users implicitly give them rights to run code on their system by running their operating systems.
What do you consider to be the most secure desktop operating system at the moment in theory?
Probably Windows 7, although most are pretty comparable.
When will we see the first worldwide outbreak of an iPhone worm? Or a Symbian worm?
It will happen, but maybe not for a bit. The SMS vulnerability found by Collin Mulliner and myself could have been an iPhone worm, if a bad guy had it. I'd say within 5 years.
In your opinion, if there would be a worldwide crisis, would US government use it's power to control other nations via widely used US-based software and hardware (Microsoft, Cisco, Juniper, Adobe etc)?
I assume you mean a cyberwar. Its hard to imagine that at present, but if you look at the way governments behave in full scale "world wars", I would think they would use any powers they could to try to win.
Assaf Keren answers to Charlie Miller
How would you dedect exploits (0-day exploits) that no-one knows of?
In the defensive side of the fence - detectig 0-days is one of the more problematic challenges we have, while I do my best to do heuristics, and check for anomalies, my best concept is that I can't find 0-days and that machines can get compromised. The only way to go here is to do two things, the first would be to try and mitigate the damage that can be done by exploitable machine. The second would be to constantly do log analysis and research.
Charlie´s 2-year plan to prepere a cyberwar. How would you respond? How is it possible to fight back?
Charlie's plan is geared towards one thing, which is to do damage. For that he needs to spread out into the world. I would probably do what any country would do in this case, which would be intelligence gathering and waiting for the other side to make mistakes.
Would this plan (to attack a country) be more likely successful 10 years ago, now, or 10 years later?
This plan would be more and more successful as technology progresses. The advances we see in technology usually bring new threats with them, while old ones tend to stick around. Also, the more a country is more advanced the impact from such an attack can be more devastating to the country.
Mikko H. Hyppönen answers to Charlie Miller
How would you dedect exploits (0-day exploits) that no-one knows of?
From an antivirus point of view, emulation and sandboxing would be the best bets. They could use several techniques, from detecting buffer overflows to noticing suspicious functionality (for example, if opening a PDF file creates a new EXE file to the hard drive, that's not normal).
Charlie´s 2-year plan to prepere a cyberwar. How would you respond? How is it possible to fight back?
It would be very hard if not impossible to protect against a serious attacker with time and money. Especially if that attacker is capable of recruiting skilled individuals and insiders. So I would focus on finding the leadership behind the cyberwar attack and eliminating them.
Would this plan (to attack a country) be more likely successful 10 years ago, now, or 10 years later?
Ten years ago, in 2000, it would have been very easy to break into existing systems. Level of security was low compared to 2010. Security is getting better, and targets will be harder in 2020.
Unfortunately, amount of connectivity is only going up. And we will be even more reliant on computerised systems in 2020.So the plan would be more succesful in 2020 than now or ten years ago.
