Shostack + Friends Blog Archive


Time to update your threat model to include "friendly fire"

mousecomestodinner-717479In case you haven’t been following all the talk about cyber war, many people are advocating “offensive cyber capability” — which basically means “hack them before they hack you” (c.f. here, here, and here). If you work in InfoSec outside of the military, you may be thinking that this doesn’t apply to you.  Don’t be so sure.  I think it’s worth considering for every organization.

Consider this new development: “U.S. Military Developing Hacking-for-Dummies Cyber-Warfare Device“:

Apparently, there are several [offensive hacking] devices currently being developed behind closed doors specifically for such [offensive] purposes, but the one Aviation Week talks about is intriguing.  It is basically a highly complex hacking tool designed for the unexperienced that is to turn soldiers into veritable script kiddies. Granted, script kiddies with a lot of firepower.  [Wired article here]

This expensive hacking gadget can be carried around in the backpack on the battlefield and used to assist in missions that might require breaking into wireless networks, such as the ones used for VoIP or satellite communications. However, the icing on the cake is the ability to hack into SCADA (Supervisory Control and Data Acquisition) systems. These systems are used to administrate industrial equipment at power and chemical plants, nuclear facilities, oil refineries, etc., so one can easily imagine how that would be extremely valuable.  [emphasis added]

Here’s the twist:  what if the potential target knows that such attacks may be coming?  They could sets up a deceptive defense to counter the “hacking gadget”, redirecting it to another organization’s network.  The most effective tactic would be to redirect or spoof to a similar network elsewhere in the world (e.g. SCADA, as mentioned above).  Because the people running the “hacking gadget” are equivalent to “script kiddies”, they won’t have the skills to know whether they are attacking the real enemy network or the spoofed network.   Thus, instead of shutting down a chemical plant in Country X (enemy), the soldier-script-kiddies might be shutting down a chemical plant in Country Y (ally), or some other spoofed target.

OK… this particular scenario may be technically infeasable, or it may play out differently.   Someone more knowledgable than me could fill out the specifics.  My point is that arming offensive “script kiddies” creates a risk because the could easily “misfire” and not know it.  Outside of this “hacker gadget”, there are plenty of other friendly fire scenarios.  It’s worth considering them.

Last point: Let’s hope that offensive capabilites do not become prevalent in non-military organizations.  That could lead to a “Mad Max” cyber world, which Bruce Schneier warns against here.

[Update]  While I admit that my SCADA spoof scenario may be too fanciful, I found another example of “friendly fire” that is much more plausable and potentially widely damaging:

One scheme has been proposed that a nation, particularly the United States, could in times of extreme need, induce their software industry to push updates to their installed base that included malware that could be used to disable their enemy’s computers. Imagine the impact Microsoft, Cisco, or Oracle could have if they used their automatic update capability to secretly infect millions of machines with back doors, Trojan horses, or kill switches.

I wonder how the automatic update program would differentiate between “enemy computers” from every other computer.  Oh, I know!  Just look at registry entries: “Organization = Al-Qaeda”.  🙂

One comment on "Time to update your threat model to include "friendly fire""

  • Stiennon says:

    Ha! Thanks for pointing out the friendly fire issue with the malicious update scenario. But, large software vendors *do* know who their customers are. Assuming that the Kremlin does not use pirated versions of Windows, Microsoft could install Trojans on every computer quickly and quietly. It’s intriguing to think about.

Comments are closed.