Please welcome today's honored guest, Megan Carney. Megan is an author, geek, and amateur photographer living in the Twin Cities. She has ten years of experience in the field of computer security.
Her previous short story publications include: 'Flighty Youth' in the Raritan, 'Modern Mayhem' in the Wayfarer, 'Swing By Close' in the Wayfarer, 'Directions' in the Bell Tower. 'Swing By Close' and 'Directions' both won first prize in the fiction sections of that issue. The Christian Science Monitor dubbed her self-published photography book, 'Signs of My Cities', as having "youthful zest."
Her debut thriller, Sarina, Sweetheart, was a quarterfinalist in the Amazon Breakthrough Novel Award contest. Publishers Weekly describes it as "[a] narrative with a dark humor that complements its fast pace and high stakes."
You can find out more about Megan, her writings, photography, and geekery at megancarney.com. She also tweets as @SometimesAthena, though not as often as the social media gods say you should.
--------------------------------------
In prime time television, computer attacks are heralded by blinking red lights and audible alarms. Then there’s some clumsily written dialogue about breached firewalls, and the scene cuts to someone typing on a keyboard in a dark room where the only light comes from the glow of a computer screen. Eventually, the audience discovers this brilliant, evil hacker single-handedly compromised the mainframe using a zero-day attack. In one day. While wearing a hoodie. Hackers always wear hoodies.
I’m here to save you from this trope.
Let’s start with the task of detecting computer attacks. The truth is any computer connected to the Internet is being attacked in small ways all the time. Despite the best efforts of everyone involved, legitimate ad networks host malicious ads, good websites end up hosting bad code, emails with evil attachments still make it through spam filters, and various global bad actors are scanning for weaknesses all the time. This is the first reason it is ridiculous when a computer attack triggers blinking red lights. If that were actually true, the blinking red lights would be on all the time.
The second reason it is ridiculous is that determining whether an attack represents a small annoyance or full-scale emergency requires a human analyst of some sort. The real story starts this way: someone looks at a screen and says ‘hey, that looks odd.’ Then they do some work. Then they do some more work. Then they talk to someone else. Then maybe, if their suspicions pan out, the news spreads up through various layers of management until someone decides what to do about the intrusion. If you’re lucky. In some cases, if it’s not costing the business too much money, they throw up their hands and do nothing. Comforting, isn’t it?
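To make the "blinking red lights would be on all the time" point concrete, here is a small triage script. It is an added example, not code from Megan's post: the log format and the log lines are constructed for illustration, and the threshold (five failed logins followed by a success from the same source) is an assumed rule, not a standard. The script tallies the constant background noise (failed logins, scans) without alerting on it, and only hands a human the handful of chained events that look odd.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the original post). Assumed format:
# "<time> <host> <event> src=<ip> user=<name>".
SAMPLE_LOG = """\
08:00:01 web01 AUTH_FAIL src=203.0.113.10 user=root
08:00:02 web01 AUTH_FAIL src=203.0.113.10 user=admin
08:00:03 web01 AUTH_FAIL src=203.0.113.10 user=test
08:00:04 web01 PORT_SCAN src=198.51.100.7 user=-
08:00:05 web01 AUTH_FAIL src=198.51.100.7 user=root
08:01:00 web01 AUTH_FAIL src=192.0.2.44 user=jsmith
08:01:01 web01 AUTH_FAIL src=192.0.2.44 user=jsmith
08:01:02 web01 AUTH_FAIL src=192.0.2.44 user=jsmith
08:01:03 web01 AUTH_FAIL src=192.0.2.44 user=jsmith
08:01:04 web01 AUTH_FAIL src=192.0.2.44 user=jsmith
08:01:09 web01 AUTH_OK src=192.0.2.44 user=jsmith
08:01:30 web01 NEW_SERVICE src=192.0.2.44 user=jsmith
08:02:00 web01 AUTH_OK src=10.0.0.5 user=jsmith
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) src=(\S+) user=(\S+)$")


def parse_line(line):
    """Return (time, host, event, src, user), or None if the line doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def triage(log_text, fail_threshold=5):
    """Separate background noise from the few events that need a human.

    Noise (failed logins, scans) is only counted: on any Internet-facing
    host it never stops, so alerting on each one would light up the board
    all day. Escalation happens only for a chain of events: a source that
    racked up >= fail_threshold failures against an account and then got
    in, and anything that source does afterwards. Even those are handed
    to an analyst to judge, not treated as a confirmed breach.
    """
    noise = defaultdict(int)      # event type -> count
    fails = defaultdict(int)      # (src, user) -> failed attempts
    suspicious = set()            # (src, user) pairs that got in after failures
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines in an unexpected format
        t, host, event, src, user = rec
        if event in ("AUTH_FAIL", "PORT_SCAN"):
            noise[event] += 1
            if event == "AUTH_FAIL":
                fails[(src, user)] += 1
        elif event == "AUTH_OK":
            if fails[(src, user)] >= fail_threshold:
                suspicious.add((src, user))
                alerts.append(f"{t} {host}: {user} logged in from {src} after "
                              f"{fails[(src, user)]} failures - analyst review")
        elif event == "NEW_SERVICE" and (src, user) in suspicious:
            alerts.append(f"{t} {host}: new service started by {user} from {src} "
                          f"shortly after suspicious login - review urgently")
    return {"noise": dict(noise), "alerts": alerts}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Background noise (no alarm):", result["noise"])
    for a in result["alerts"]:
        print("Needs a human:", a)
```

On the sample above, nine failed logins and one scan are simply counted, while the two alerts are the one source that failed five times, then succeeded, then started something new. That is the "hey, that looks odd" moment; everything after it is the human work the post describes.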
Okay, now about firewalls. I could write an entire blog post on how to correctly use the term firewall in fiction. In fact, I have. So let’s not rehash that. The real problem here is that most attacks, even the big ones that lead to massive data breaches, start with pedestrian tactics. The Target breach started with a malicious email. The criminals used that email to get someone to install a program that allowed them to get someone’s username and password. That username and password gave them access to an internal system on Target’s network. That was then used as a jumping-off point for infecting the registers. Firewalls were never part of the equation.
And the criminals didn’t even have to write the code that infected the registers. The lone hacker single-handedly taking down a large network is a rare occurrence. And by rare, I mean vanishingly rare. The reality is that there’s a thriving black market for cybercriminals. Do you want to buy time on computers that someone else has already taken over for you? You can do that. Do you want to buy an exploit kit that will automate infecting large numbers of computers? You can do that too. Last year, the going price for the code that will mutate your evil program so it’s undetectable by 90% of anti-virus programs was two hundred dollars.
Okay. Now we can talk about zero-day attacks. They’re one of the coolest things in my field. A zero-day attack is an attack that has no available patch. That means your machine will be vulnerable to it, no matter what you do. Super scary, right? Sounds great for fiction. I hate to be the one to tell you this… but zero-day attacks are not the first choice for a criminal or even a spy agency. What’s really scary is that many computers, even at government agencies, can be compromised without resorting to fancy zero-day attacks. Patching reliably, on a large scale, is difficult. Most organizations fail. Your antagonist probably doesn’t need a zero-day attack to succeed, and wouldn’t try it first.
Why not? Zero-day attacks are powerful because they’re secret. The more they’re used, the less secret they are. Eventually, someone submits a sample to an anti-virus company. Or the breach is discovered and the email attachment gets analyzed, and then boom, your fancy zero-day is no longer your ace-in-the-hole. Zero-day attacks also raise the profile of an attacker. Sophisticated criminals don’t want to show their hand if they don’t have to. Better to use a common weapon, so their victims aren’t alerted to their presence. Zero-day attacks are typically reserved for high value targets when other attacks won’t work.
We should also talk about timing. Most attacks worthy of a novel take time. The target is studied. Scanned. Researched. And then, when the attacker has determined the best approach, compromised.
As for hoodies? Well, I can’t really fight that one. Computer geeks of all stripes tend to own hoodies. Course, most non-computer geeks do too. You can keep the hoodie.
Hiya Megan,
Welcome to LadyKillers! And thanks for elucidating some of the fictions vs. realities of computer attacks for us. The other two bits that crop up in movie scenes that crack me up are (1) scene of "hacker team" in an internet cafe successfully hacking into a super-secret DoD site (uh, yeah, sure) and (2) the "fingers flying frantically over the keyboard" shot as if someone is playing the opening to Chopin's "Revolutionary Etude" on their keyboard [a la https://youtu.be/lI0Wd727ywU ]. And I'm soooo glad we can keep our hoodies! ;-)
Posted by: Ann | August 21, 2015 at 07:16 AM
Welcome, Megan! Thanks for the very useful, enlightening post -- I'm sticking to my rule of leaving that kind of scene to the experts like you.
Like Ann, I always chuckle at the speed with which hackers touch-type lines of meaningless "code."
Looking forward to dipping into your stories.
Posted by: Camille Minichino | August 21, 2015 at 07:50 AM
Megan, thank you for visiting!!!
Do you think big-data analytics can be used to set off those alarms? For something other than a denial-of-service attack. Like the way Google knows before the CDC how colds are trending, but with activity logs?
Posted by: Mysti | August 21, 2015 at 08:08 AM
I love it when you guys talk cyber :)
Posted by: Camille Minichino | August 21, 2015 at 09:44 AM
What an insightful post! Of course, it does make me want to shut off my internet, turn off my wi-fi, and only pay cash in physical stores from now on. = )
Posted by: Staci | August 21, 2015 at 01:45 PM
But the internet is a great thing for writers! One time I had to know what a fiberglass boat looks like when it's burning and I didn't have one handy myself. So I went to YouTube. :)
Posted by: Megan | August 22, 2015 at 07:41 AM
Mysti -
Big data analytics are useful for detecting attacks, but still require a human to interpret the results.
As for the CDC thing, that was really interesting research, but it turns out that even when analyzing big data sets, you have to worry about causality as well as correlation. Here's a fun article - well worth the read:
http://www.ft.com/cms/s/2/21a6e7d8-b479-11e3-a09a-00144feabdc0.html
"Not only was “Google Flu Trends” quick, accurate and cheap, it was theory-free. Google’s engineers didn’t bother to develop a hypothesis about what search terms – “flu symptoms” or “pharmacies near me” – might be correlated with the spread of the disease itself. The Google team just took their top 50 million search terms and let the algorithms do the work.....Four years after the original Nature paper was published, Nature News had sad tidings to convey: the latest flu outbreak had claimed an unexpected victim: Google Flu Trends. ...Google’s model pointed to a severe outbreak but when the slow-and-steady data from the CDC arrived, they showed that Google’s estimates of the spread of flu-like illnesses were overstated by almost a factor of two....If you have no idea what is behind a correlation, you have no idea what might cause that correlation to break down."
Posted by: Megan | August 22, 2015 at 07:46 AM
Wow! That's interesting about the Google study... I had no idea. I guess I should rein in my enthusiasm when I read statements that start "The data shows..." and double check what theories/hypotheses lurk behind the curtain.
Posted by: Ann | August 22, 2015 at 08:19 AM
No! Be enthusiastic. I'm a bit of a data science geek so I'm always looking around for these sorts of things.
Posted by: Megan | August 22, 2015 at 10:57 AM