My name is Security, Cyber-Security

(by Fabrizio Colalongo)
02/03/20

Images of guns and beautiful girls chase each other across the big screen while the famous jingle plays. Then a certain "M" appears who, with an authoritarian manner, assigns an impossible task to "double-0-seven". The secret agent takes some improbable gadget from the hands of a resigned "Q" and throws himself into the eternal struggle between good and evil.

The special effects, the martinis, the strokes of luck and the unexpected turns of events bring the story to its epilogue: the innocent dead are avenged, the world is safe and Mr. Bond's traces are lost on a tropical island or some other pleasant location.

We all forget how the fairy tale started, but we go to bed happy to have been in the shoes of the saviors of humanity and, more importantly, of the British crown.

It's funny to note that even in Fleming's fascinating fantasy world, rebuilt here as a parodic simplification, James had two helpers without whom the story would have collapsed under its own weight. "M" already had the framework of the mission and "Q" had ready the tools of the ... secret agent.

But how did "M" know everything? Reading carefully between the lines of the novels of the '50s, we discover the intense information-gathering activity that preceded the "operational" phase. Spy planes, newspapers, treacherous enemy agents, diversions ... but above all, "Q" had invented a machine too secret to remain hidden even from the eyes of the double-zero agents. An octopus that works in the virtual world of information and has access to an infinite amount of data, organized by type and indexed by the best archivist of all time. To be sure, well-informed people suspect that the machine was invented by SPECTER, but it is certain that "Q" found a way to use this information "god" by putting it at the service of the common good (see Johnny Long and his project called "Hackers for Charity"). This machine is an engine that searches for data in a huge network of distributed nodes and makes them available to analysts.

The years of the Cold War and of licensed agents have gone out of fashion. The wall has been torn down; the veil that covered the great secrets has blown away. Complex network usage procedures have been simplified, technology has become transparent and the boys of the '90s have all become aspiring agents. The net has spread and its tentacles have entered every home. Whether it was the British, the CIA, the KGB, SPECTER or the aliens who invented the internet (and the WWW) does not matter, but to understand how this prodigy works, some elementary (and, I hope, not trivial) notion of how a traditional search engine such as Google works is needed.

When you open your browser you are faced with a thin window where you can enter a word or phrase, and back come many websites that have some relationship with what we are looking for. Sometimes the relationship is evident because the searched phrase is contained in the text of the newspaper or blog article. Other times, however, the site I was looking for uses completely different terms, yet it is exactly where I wanted to go. The magic worked, and a cold intelligence understood what I wanted. I ask myself a few questions and, after a couple of double clicks, I make very important decisions that will determine the future of my family, the extermination of planet Earth or the color of the next doormat.

If one digs a little deeper, one discovers that search engines allow you to enter instructions that interact with their artificial intelligence. Google calls them dorks and they are among the most useful features of the Mountain View giant. With them you can organize, filter, expand and customize searches. Using them is simple: just add special characters or commands to the words being searched to obtain different results. For example, if you are looking for information on ~kestrel (this symbol, ~, is called a tilde and, on the Italian keyboard, is typed by holding down Alt and then pressing 1-2-6 in sequence), Google will return all those sites that contain the word sought or one of its synonyms (with little scientific rigor). In fact, the Google header will read "Kestrel and Falcon related searches". If, on the contrary, I write "kestrel" (between double quotes), then the result will be limited to those sites that contain the searched word or phrase without any elasticity. There are hundreds of dorks. For example, by simply adding filetype:pdf to a search, we obtain only documents in PDF format. But what is the potential of this tool? Without going too deep into theory: by writing "john curriculum vitae" filetype:pdf you will get dozens of CVs containing private and confidential information of the various Johns who have taken little care to protect them. Doing this search is not illegal, and abusing this information is only a matter of morals, imagination and a pinch of technical ability.
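To make the three operators just described concrete, here is a small added example (written for this article, not Google's code) that applies the ~synonym, "exact phrase" and filetype: rules to a constructed five-document index; the documents and the synonym table are assumptions for the demo.

```python
import re

# Constructed toy index (not real search results); "type" is what filetype: checks.
DOCS = [
    {"url": "https://example.org/kestrel.html", "type": "html",
     "text": "The kestrel is a small falcon that hovers while hunting."},
    {"url": "https://example.org/falcons.html", "type": "html",
     "text": "Falcon species of Europe: peregrine, hobby, merlin."},
    {"url": "https://example.org/birds-of-prey.pdf", "type": "pdf",
     "text": "Field guide to birds of prey: kestrel and friends."},
    {"url": "https://example.org/kestrel-bike.html", "type": "html",
     "text": "Review of the Kestrel bicycle frame."},
    {"url": "https://example.org/sparrowhawk.html", "type": "html",
     "text": "Sparrowhawk nesting habits and diet."},
]

# Constructed synonym table standing in for the engine's "Kestrel and Falcon" expansion.
SYNONYMS = {"kestrel": {"kestrel", "falcon"}}

# One clause per match: "quoted phrase" | key:value | ~word | plain word
CLAUSE = re.compile(r'"([^"]+)"|(\w+):(\S+)|(~)?(\S+)')

def parse_query(query):
    """Split a dork-style query into (kind, value) clauses."""
    clauses = []
    for phrase, key, val, tilde, word in CLAUSE.findall(query):
        if phrase:
            clauses.append(("phrase", phrase.lower()))
        elif key:
            clauses.append(("filter", (key.lower(), val.lower())))
        else:
            clauses.append(("synonym" if tilde else "term", word.lower()))
    return clauses

def matches(doc, clause):
    kind, value = clause
    text = doc["text"].lower()
    if kind == "phrase":                    # "kestrel": exact, no elasticity
        return value in text
    if kind == "filter":                    # filetype:pdf: match metadata, not text
        key, val = value
        return key == "filetype" and doc["type"] == val
    words = set(re.findall(r"\w+", text))
    if kind == "synonym":                   # ~kestrel: the word or any synonym
        return bool(SYNONYMS.get(value, {value}) & words)
    return value in words                   # plain term: the word itself

def search(query):
    clauses = parse_query(query)            # every clause must hold (AND)
    return [d["url"] for d in DOCS if all(matches(d, c) for c in clauses)]
```

Compare search('~kestrel'), search('"kestrel"') and search('kestrel filetype:pdf') to see the result set shrink as the operators get stricter.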

But what does Google know, and how does it know what the site I am looking for contains? The answer is contained in two words: metadata and spiders (read: spy ... der). The search engine sends out small mobile agents which, like clumsy spiders, creep into every corner of the web servers (and not only ...) and collect useful data to index their contents. Each word is placed in a context and the artificial intelligence, also weighing possible interpretations and translations, extracts connections and meanings. So far, all good. However, already in the first years in which the well-known search engine started to popularize the internet, it was noticed that the spiders, together with immense quantities of "legitimate" data, brought a large amount of sensitive information out of the servers.

At this point it will be clear that a savvy user can easily use Google Dorks to find, index and organize data in whatever way he deems most appropriate. If the savvy user is armed with bad intentions, the same day a new evil tool comes out (technically "malware": MALicious softWARE) he can carry out an extensive search to identify those servers that have security problems and attack them mercilessly. Hackers call this kind of activity picking the "low hanging fruit". The metaphor refers to the fact that, evidently, the fruits hanging lowest from the trees are the easiest to reach but, for that very reason, they have not had time to ripen properly. Being unprotected, they let even those who lack skills or refined techniques, and are content with a little less sugar, eat enough to survive¹.

Alongside these tools, simple and accessible to all yet powerful enough to be used by cyber-security specialists, there are even more security-oriented tools for collecting information. To name a few of the best known, there are "Maltego", "TheHarvester", "Recon-Ng", "SpiderFoot" and, above all, "Shodan". The latter is the favorite of many cyber-operators and analysts because it returns all kinds of information useful for assessing the level of security implemented in almost every device connected to the network. Whether you are considering a laptop, a desktop or a microwave oven, Shodan will be able to identify the target and provide us with essential information. The spiders of shodan.io (advanced spiders that carry out an exhaustive search, also exploiting the banners returned by IP addresses) are always at work looking for default passwords, exposed network ports, vulnerabilities, active services, operating systems not adequately configured and updated, etc.

With the advent of the IoT (Internet of Things), and it will be even worse with the IoE (Internet of Everything), we are witnessing a spread of devices capable of connectivity but incapable of being updated. In fact, it has long been understood that computers need to adapt to changing protection needs (security updates, anti-malware, anti-virus, software firewalls, patches for hardware vulnerabilities, etc.) and today every company that produces software invests large (but in any case insufficient) resources in security. Can the same, however, be said of those who make surveillance cameras, fire sensors, cars, televisions, appliances, smart plugs, smart homes, etc.?

Each of these objects can represent an access point for the curious and the malicious. In fact, the danger of these devices is not only linked to their operation and the data they contain. Apart from specific cases concerning alarm or remote control systems, the common problem arises when an IoT device becomes the gateway to more confidential areas, or when many different devices are coordinated in order to carry out a collective (or, more properly, "distributed") attack against a third-party service.

But that's not all.

For years we have been under the illusion that the electronic command and control systems of the mechanical infrastructures of large companies were safe because they were disconnected from the outside. However, for a thousand reasons, SCADA (from the English "Supervisory Control And Data Acquisition", that is, the "supervision and data acquisition" of industrial automation systems, ports, airports, etc.) has long been on the internet; consequently, the distance between IT (Information Technology) and OT (Operational Technology) is thinning. In an ideal context, the communication network containing sensitive devices should be disconnected from the internet and therefore not accessible to those who are not authorized. But the news shows that the air gap, that is, the physical separation of different contexts, is no longer considered an impassable barrier (think of the Stuxnet case, in which the centrifuges of the Iranian "Natanz" nuclear power plant were attacked). If IT is the nervous tissue of the social organism, OT represents its musculature. The risk today is no longer only in the "information domain" but in the "cybernetic domain", that is, it enters that space where thought is transformed into action.

So do we have to worry? The answer is a simple "no". Computer science is a formidable tool that has multiplied man's ability to act on the world in which he lives. But it is a tool and, as such, has advantages and dangers. In recent years we have exploited some of the benefits of this progress while dealing only marginally with its risks, but cyber-security is starting to be a need felt also at the domestic and international political level, and I am sure that the James Bonds of the 21st century are already at work. What would be appropriate, however, is greater awareness on everyone's part. In fact, nobody "worries" when he leaves the house to take a walk, because diligence in managing the dangers of the physical domain is everyone's heritage. We all learned to cross the road from an early age without underestimating its risks. Even those who were born in an era when cars were a rarity had to learn to live with them, exploiting their potential but keeping their eyes open. We should teach the same to our children who, willingly or unwillingly, will be adults living in the cybernetic domain.

Let's take a small step back and return to information gathering, the preliminary phase of every successful offensive and defensive operation. With Shodan, network administrators can, with a simple request (for example by adding the tag "hacked by"), obtain information on the status of countless servers whose violation has been signed. At that point, the large organizations these servers belong to will be able to easily identify the flaws in the system and put in place the necessary countermeasures to prevent the event from recurring.

To conclude, I will reveal a secret told to me by "my cousin who is a friend of a friend of that James": there are hackers who do not act for noble ends and, certainly, those who belong to SPECTER do not sign or report the doors they open for their dirty traffic. To counter them you need knowledge, complex practices, resources and a lot of study. However, this commitment is not required of the common man. It is enough for him to know that, since Google Hacking, Shodan and the like exist, it is not appropriate to leave your data lying around the web. It is enough to learn that John's privacy and CV were not protected by his anonymity. "Who would look for me?" is not a defense technique.

"Q" and "M", that is, managers and operators of the IT sector, have a little more to do, because they need a clear idea of the risks, their management and protection practices. However, even they can simply keep up to date and do their job well, because the double-zero agents and spy-thriller writers are on the front line against evil.

¹ The fact that a vulnerability is easy to exploit does not mean that exploiting it is lawful. Stealing low-hanging fruit is still stealing. Mere unauthorized access to a computer system is a crime punishable under art. 615 ter of the Criminal Code, which provides, in the absence of aggravating circumstances, for imprisonment of up to three years. The legally protected asset is the confidentiality of the data, so it does not matter whether other crimes are committed "in the break-in". However, simple research with the tools described in this article is a lawful activity that does not in itself pose any risk.

Photo: US Marine Corps Forces Cyberspace Command