The Great Hack

It would appear that the furore over Facebook / Cambridge Analytica and manipulation of elections hasn’t died down that much. I recently watched a documentary on Netflix called The Great Hack, and I’d recommend that you do too, if you can.

The programme provided a lot of the backstory to who was involved, how and when, as told by some of the people who were there. This included:

  • Brittany Kaiser was the Director for Business Development at Cambridge Analytica, and had previously worked on Barack Obama’s presidential campaigns.  She comes across as very naive at times, though towards the end of the show it becomes obvious that the penny drops and the seriousness of the situation is made apparent;
  • David Caroll, a professor who not unreasonably asked for a copy of all data that Cambridge Analytica held on him.  If not for him, the whole situation might not have escalated as it did;
  • Julian Whitehead, the former CFO at Cambridge Analytica. I was concerned at how little he seemed bothered by the morality of what was carried out by his company; and
  • Carole Cadwalladr is an investigative journalist at The Guardian and Observer newspapers in the UK.  She did a lot of the digging and legwork, trying to find people who would and could talk to her about things that had gone on.  Carole was the reporter who broke the news, and who continued to find and release fresh information as time went on.

Perhaps the most shocking aspect of the programme was the revelation that Cambridge Analytica had been involved in some way in elections around the world since the mid-2000s.  There was an expose of how their work influenced the elections in Trinidad and Tobago which showed how manipulative Facebook posts could be, as well as discussions of how the same techniques were used both for the Brexit campaign and for Trump’s election in 2016.

It was notable that Alexander Nix, the former head of Cambridge Analytica, declined to be interviewed, and also that Julian Assange / Wikileaks should be a part of the story. I didn’t know until I watched this that Steve Bannon, erstwhile Strategist at the White House under Donald Trump and former executive chairman of Breitbart news was a cofounder of Cambridge Analytica, or that Nigel Farage was closely linked with him.

It’s worth checking out Carole Cadwalladr’s TED talk in Silicon Valley, where she asks the heads of the big tech companies whether they are happy with the world they are creating. She suggests that it is now impossible to have a free and fair election because of abuse of their technologies.

She illustrated this ably by talking to people in South Wales to ask why they voted for Brexit: many had said they worried about immigration (she also spoke to someone who thought they were the only immigrants in the area), while others said the EU had done nothing for them yet they were surrounded by construction and facilities paid for by well advertised EU funding.

I’ve mentioned the perils of taking part in online quizzes and personality profiles “for fun” on Facebook. This documentary provides the evidence of how that information can be harvested and used to target specific people – never mind groups – who are deemed to be persuadable and who can swing an election result one way or another.

 

Big Data

The amount being generated these days is more than ever before, and it’s growing exponentially. It won’t be long before we see yottabytes of data, and making sense of what we have is going to be a growing problem for us. I’ve made a start on reading about how this will be done and how we’ll have to sort structured from unstructured data (eg databases from email content).

I’ve also started reading about the sort of tools which can be used to help identify the patterns and to find the specific needle you sent in a super-haystack sized pile of needles.

These books are as far as I’ve got, from the left on the shelf. Once you get to the Misha Glenny books were on to a different topic, which I’m sure I’ll write about soon…

Cyber viewing

Just as my recent post focussed on a selection of books related social engineering and the psychology behind cyber crime, this post will look at a range of films, documentaries and TV shows which offer insight into the industry. They’re not intended to be a definitive list, and there are many great examples which aren’t included here, but you’ll get the idea…

So, what do we have in this little collection? All 3 series of Lie to Me basically dramatise the work of Paul Ekman, deailing with microexpressions and what they tell us. Ekman was actually a consultant on the series, so you’d have to hope that a lot of what it tells us about the science is true.

Catch Me if You Can is the film of the book by Frank Abagnale, starring Tom Hanks and Leonardo DiCaprio. It’s quite a good adaptation, but I have to say I think the book is much better. They both document Abagnale’s exploits as a teenage con artist who spent time variously as a pilot, doctor, teacher and lawyer. He was eventually caught by the FBI and became a valuable resource to them and financial institutions, explaining how fraudsters operate and helping to develop ways of making counterfeit banknotes more difficult.

CSI: Cyber follows the same format as all the other CSI series, but focusses on a crack cyber team which includes some former black hat hackers. There are some really interesting (and realistic) scenarios brought to life in both series.

Sneakers and Hackers are both well known in cyber security circles, though quite dated now. Mr Robot is the current favourite for some of my colleagues, who tell me it’s pretty realistic in many respects.

Citizenfour is the real documentary telling the tale of Edward Snowden’s breach: at the time it was filmed the only people who knew it was happening were in the room. Snowden is a dramatisation of the events leading to Snowden making the decision to leak the documents.

We Steal Secrets is the story of Julian Assange and Wikileaks. After watching this and Citizenfour you’ll have a much clearer idea of the scale of data theft and the personalities behind two of the key people who have been maor players over recent years.

Honourable mentions have to go to a couple of films missing from my shelf. Spectre and Skyfall are the two most recent 007 James Bond films, and they both give a good idea of the art of the possible these days. Spectre in particular should ring alarm bells when you see that many governments want to share data with each other.

Die Hard 4.0 is a bit tongue in cheek, but if you think of the story with nation states involved rather than terrorists then it is also (allegedly) possible in parts. Just think of the instances where Ukraine has lost its entire power supply from time to time, or when every Estonian government department was offline for several days and you’ll see that it’s already happening (probably).

What other films or shows have you come across? Are there any you’d recommend?

Social Engineering and Human Nature

I’m often asked, particularly by new entrants into cyber, what books they should read, and what podcasts they should listen to. The list of both is endless, but I thought I’d share some titles with you. Before we start though, a word about my relationship with books…

I’m a passionate reader, and a compulsive purchaser of books. So I have a lot on my shelves that I’ve not yet read, but loads that I have.  I had cause to sit and ponder today and reckon I’ve over 25m of bookshelves at home, which are mostly full – and a pile of books by my bed, and another on my desk.

For some reason, I group my books by subject matter and height order, and have recently moved away from keeping all by the same author together to having them grouped by colour. (My LPs are stored in alphabetical order, by artist then by album title: this is something I’ve done since I was a teenager!)

The picture with this post shows my “social engineering” shelf, which includes titles on microexpressions (Paul Ekman), phishing (Chris Hadnagy and Michelle Fincher) and the psychology of persuasion (Robert Cialdini). Interestingly, the author of the Cyber Effect, Mary Aiken, was a producer and consultant for the show CSI: Cyber, and was in fact the inspiration for Patricia Arquette’s character in the programme.  (Beware though, once you start watching, you’ll watch the entire series in one sitting!)

It’s not possible to be a good social engineer, to gain people’s trust and ask them to do things to help you, without understanding human psychology. Ditto if you’re carrying out phishing attacks, you need to know what will make people click on links etc.

Microexpressions give away how someone is really feeling, so it’s really important that social engineers understand and recognise these. If you want to know how they can be used, you might want to watch the show Lie To Me. Paul Ekman was a consultant on the show, and his work is explained particularly well in season 1.   (Another binge watch alert here!)

It’s impossible to talk about social engineering without mentioning Kevin Mitnick. Once one of the FBI’s top 10 Most Wanted fugitives, Mitnick is one of the foremost authorities in the world on social engineering. I have already written a post about his book, Ghost in the Wires.

I’ll share information on some of the other books on my shelf another time. These should be a good starter for you if you’re interested in the meantime!

Tubes

This book by Andrew Blum is a fascinating insight into what the internet physically looks like. It starts with the author wondering where the wire goes from his house, how it joins other wires and how does data go round the world. He visits a site where an undersea cable is being brought ashore, and he gets as close as most people can to a Google data centre.

The journey takes in some of the history of the internet, how it started and where. The author even visits some of the first sites and machines which were connected as part of the nascent World Wide Web,

I appreciate that it’s a little bit nerdy, a little bit geeky, but I found it a really interesting read. I’d recommend it to anyone with a passing interest in how the world is connected now.

Spam – a lighthearted look

If you have an email account, you’ve almost certainly also received spam emails. They’re the electronic equivalent of junk mail. If you’ve ever wondered what would happen if you answered one or more messages, check out this post from my other blog site.

It’s a bit more lighthearted that some of the items I’ll post here, but I thought you may appreciate the examples given.

Ghost in the Wires

Ghost in the Wires by Kevin Mitnick and William L Simon is perhaps the seminal work on social engineering by one of the industry’s most famous exponents. Mitnick attained a certain amount of notoriety by going on the run for two years before finally being apprehended by the FBI, but I think that his biggest claim to fame is his ability [as alleged by prosecutors] to be able to phone NORAD, whistle down the line and launch a nuclear strike. This is obviously preposterous, and is not something that will be discussed in the rest of this article.
When reading the book the first time, I was struck by how early Mitnick embarked on his career as a social engineer. Persuading an LA bus driver to divulge where he could get a machine like the one used to punch tickets at the age of 12 shows how a bit of knowledge and the knack of talking to people can reap dividends.

I also particularly enjoyed the episode Mitnick describes in a South Dakota registrar’s office. Having explained that he was a private investigator, he was given a desk and ultimately given access to the Crown Jewels – blank birth certificates and the official embossing tool for them. In a short space of time he had all the documentation he needed to continue to reinvent his identity as and when needed. Patience and an open personality, with an eye on the prize in the long game again produced rewards.

Having called in to the NSA itself (and in the wake of Snowden’s revelations how ironic is that) and accidentally overheard a conversation about himself must have been incredible. It’s unsurprising that Mitnick didn’t dare to push his luck by calling in again.

It felt that throughout the book Mitnick was at pains to explain how he never hacked anything, just persuaded people to give him access through what he said and how he said it. He also made it clear that he wasn’t doing any of it for financial gain, but more as a test of his abilities, which were honed and improved over the years. Having a remarkable memory for numbers obviously helped tremendously.

I’m not convinced that downloading / obtaining source code and trawling through it for bugs which could be exploited is as innocent as he claims: at the very least, whoever he told about the vulnerabilities may have committed serious crimes.

This was an interesting book, and one which should be on every security professional’s reading list.

The Code Book

Having seen Simon Singh explaining how the Enigma machine worked while at a conference, I picked up this book. It charts the history of codes and ciphers from well before Roman times to the current day, and shows how they have developed over time. It was also very useful to read the difference between code (replacing words) and ciphers (replacing letters): most of what was discussed in the book fell into the latter category.

Singh writes in a very clear and informative manner, and makes the history of the topic interesting and at times exciting. I have to confess that some of the maths which was used went over my head, though I understood the general meaning in what was being said.

I was fascinated by the work done to understand the Linear A and Linear B languages, and the fact that initially scholars of Ancient Greek were convinced that neither text were part of that language: it must have been incredible for the person who finally worked out that Linear A was indeed Greek, albeit 500 years older than that used by Homer 3000 years ago.

The assertion that the most unbreakable code was that used by the Navajo code talkers in the Second World War is quite an interesting one. I understand that if you use a language that no-one else understands, then you improve the chances of it not being understood, but the fact that new phrases had to be introduced for English words which don’t appear in the native language must introduce some opportunities for the code breakers to make a start. Some form of frequency analysis would have some effect, but I think that the differences between Japanese kanji and English Roman script had something to do with it too.

The development of near-identical public key cryptography technologies by mathematicians in the US and the U.K. at approximately the same time is also an interesting revelation. (Diffie-Helman and RSA were both more or less simultaneously discovered on either side of the Atlantic, though GCHQ were slightly ahead in each case.) The fact that the cryptologists in the UK were based at GCHQ and therefore unable to share any of their work externally (or to review external solutions) shows I think that given enough time any technology can be “discovered” by different people in different locations.

In summary, I believe that this book is a good introduction to many different concepts, along with many good examples of each concept. It is well worth reading.