Cyber Espionage and Cyber Defence

  • Dominik Herrmann
Chapter

Abstract

Nation states engage in cyber espionage because they hope to gain an advantage. Cyber espionage is attractive because it is less risky than traditional espionage: no spies have to enter foreign territory. After introducing the basic protection goals of information security (confidentiality, integrity, and availability) and the fundamental security design principles, we describe typical attack vectors. Because state-sponsored hacking is well funded, adequate defensive measures are inconvenient and costly. We also present the attack-defence tree technique, which helps defenders consider all relevant attacks and countermeasures systematically. Finally, we show that security vulnerabilities play an essential role in many attacks. Intelligence services state that their goal is to defend their homeland; citizens and business owners, however, may end up on the losing side, because the practices of stockpiling zero-day exploits and inserting backdoors on purpose make everybody less secure.
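The attack-defence tree technique mentioned in the abstract can be evaluated mechanically once each node carries an attribute. The following Python snippet is an added example, not code from the chapter or its author: it models a small tree in the style of Kordy et al. (attack nodes refined by OR/AND, each node optionally countered by one node of the opposite kind) and computes the cheapest attack for the adversary, treating an undefeatable defence as infinite cost. The scenario, node names and cost figures are constructed for illustration and are not taken from the chapter.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Node:
    """One node of an attack-defence tree (hypothetical data model for this example).

    kind     : "attack" (proponent) or "defence" (opponent)
    op       : how the children refine this node, "OR" or "AND"
    cost     : effort for an attack leaf (arbitrary units, constructed figures)
    deployed : whether a defence leaf is actually in place
    counter  : a node of the opposite kind that counters this one (at most one)
    """
    name: str
    kind: str
    op: str = "OR"
    cost: float = 0.0
    deployed: bool = True
    children: List["Node"] = field(default_factory=list)
    counter: Optional["Node"] = None


def attack_cost(a: Node) -> float:
    """Cheapest way for the attacker to achieve attack node `a`; math.inf means blocked."""
    if a.children:
        costs = [attack_cost(c) for c in a.children]
        base = min(costs) if a.op == "OR" else sum(costs)
    else:
        base = a.cost
    if a.counter is not None:               # the attacker must also defeat the countermeasure
        base += break_cost(a.counter)
    return base


def break_cost(d: Node) -> float:
    """Cost for the attacker to neutralise defence node `d` (0 if it is not in place)."""
    if d.children:
        costs = [break_cost(c) for c in d.children]
        # A defence refined by OR offers alternatives: all of them must be broken (sum).
        # A defence refined by AND needs every part: breaking the weakest part suffices (min).
        own = sum(costs) if d.op == "OR" else min(costs)
    else:
        own = math.inf if d.deployed else 0.0
    if d.counter is not None:               # a dedicated counter-attack may be cheaper
        own = min(own, attack_cost(d.counter))
    return own


def build_tree(two_person_rule: bool = False) -> Node:
    """Constructed scenario: an adversary wants a company's design documents."""
    endpoint_protection = Node("Endpoint protection", "defence",
                               counter=Node("Use a zero-day exploit", "attack", cost=40))
    prompt_patching = Node("Prompt patching", "defence",
                           counter=Node("Buy a zero-day exploit", "attack", cost=60))
    egress_filtering = Node("Egress filtering", "defence", deployed=False)
    separation = Node("Separation of duties", "defence", op="AND", children=[
        Node("Two-person rule", "defence", deployed=two_person_rule),
        Node("Access logging", "defence"),
    ])
    return Node("Obtain design documents", "attack", op="OR", children=[
        Node("Spear-phish an engineer", "attack", op="AND", children=[
            Node("Craft a convincing pretext", "attack", cost=2),
            Node("Deliver malware to the workstation", "attack", cost=3,
                 counter=endpoint_protection),
        ]),
        Node("Compromise the document server", "attack", op="AND", children=[
            Node("Exploit a known vulnerability", "attack", cost=5, counter=prompt_patching),
            Node("Exfiltrate over the network", "attack", cost=1, counter=egress_filtering),
        ]),
        Node("Bribe an insider", "attack", cost=30, counter=separation),
    ])


def rank_alternatives(root: Node):
    """The root's alternatives, cheapest first, so the defender sees where to invest."""
    return sorted(((attack_cost(c), c.name) for c in root.children))


if __name__ == "__main__":
    for deployed in (False, True):
        root = build_tree(two_person_rule=deployed)
        print(f"two-person rule deployed={deployed}: cheapest attack costs {attack_cost(root)}")
        for cost, name in rank_alternatives(root):
            print(f"  {cost:>6}  {name}")
```

Running the script shows the point of the technique: with the two-person rule missing, bribing an insider (cost 30) undercuts both technical paths, and the expensive endpoint protection is irrelevant to the weakest alternative; deploying the rule raises the cheapest attack to the phishing path (45), which is where a well-funded adversary's zero-day budget then matters.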

References

Recommended Reading

  1. Almeshekah, M. H., Spafford, E. H., and Atallah, M. J. (2013). Improving Security Using Deception. CERIAS Tech Report 13, Center for Education and Research in Information Assurance and Security, Purdue University.
  2. Chen, P., Desmet, L., and Huygens, C. (2014). A Study on Advanced Persistent Threats. In B. De Decker and A. Zúquete (eds.), 15th IFIP International Conference on Communications and Multimedia Security (CMS 2014), LNCS 8735, pp. 63–72.
  3. Heartfield, R. and Loukas, G. (2015). A Taxonomy of Attacks and a Survey of Defense Mechanisms for Semantic Social Engineering Attacks. ACM Computing Surveys 48(3), 38 pages.
  4. Rid, T. and Buchanan, B. (2015). Attributing Cyber Attacks. Journal of Strategic Studies 38(1–2), 4–37.
  5. Stoll, C. (1989). The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, New York.

Bibliography

  1. Ablon, L. and Bogart, A. (2017). Zero-Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. RAND Corporation. http://www.rand.org/t/RR1751
  2. Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., and Zimmermann, P. (2015). Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15), pp. 5–17. ACM, New York.
  3. Ahmed, F. (2017). The CCleaner malware targeted tech firms like Microsoft and Google. https://www.neowin.net/news/the-ccleaner-malware-targeted-tech-firms-like-microsoft-and-google
  4. Almeshekah, M. H., Spafford, E. H., and Atallah, M. J. (2013). Improving Security Using Deception. CERIAS Tech Report 13, Center for Education and Research in Information Assurance and Security, Purdue University.
  5. Bernstein, D. J., Lange, T., and Niederhagen, R. (2016). Dual EC: A Standardized Back Door. In The New Codebreakers, LNCS 9100, pp. 256–281. Springer, Berlin/Heidelberg.
  6. Biryukov, A., Dinu, D., and Khovratovich, D. (2017). The memory-hard Argon2 password hash and proof-of-work function. Internet-Draft draft-irtf-cfrg-argon2-04. https://tools.ietf.org/html/draft-irtf-cfrg-argon2-04
  7. Bhatt, S. N., Manadhata, P. K., and Zomlot, L. (2014). The Operational Role of Security Information and Event Management Systems. IEEE Security & Privacy 12, 35–41.
  8. Brewer, D. F. C. and Nash, M. J. (1989). The Chinese Wall Security Policy. In Proceedings of the 1989 IEEE Symposium on Security and Privacy, Oakland, CA, pp. 206–214.
  9. Buchanan, B. (2017). Nobody But Us: The Rise and Fall of the Golden Age of Signals Intelligence. Hoover Institution Press.
  10. Budd, C. (2013). Ten Years of Patch Tuesdays: Why It's Time to Move On. https://www.geekwire.com/2013/ten-years-patch-tuesdays-time-move/
  11. Chen, P., Desmet, L., and Huygens, C. (2014). A Study on Advanced Persistent Threats. In B. De Decker and A. Zúquete (eds.), 15th IFIP International Conference on Communications and Multimedia Security (CMS 2014), LNCS 8735, pp. 63–72.
  12. Colwill, C. (2009). Human factors in information security: The insider threat – Who can you trust these days? Information Security Technical Report 14(4), 186–196.
  13. Durumeric, Z., Adrian, D., Mirian, A., Bailey, M., and Halderman, J. A. (2015). A Search Engine Backed by Internet-Wide Scanning. In I. Ray, N. Li, and C. Kruegel (eds.), Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS '15), Denver, CO, October 12–16, 2015, pp. 542–553. ACM.
  14. ENISA (2015). Good Practice Guide on Vulnerability Disclosure: From Challenges to Recommendations. https://www.enisa.europa.eu/publications/vulnerability-disclosure
  15. Eunjung Cha, A. and Nakashima, E. (2010). Google China cyberattack part of vast espionage campaign, experts say. Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2010/01/13/AR2010011300359.html
  16. Gallagher, S. (2015). Researchers confirm backdoor password in Juniper firewall code. Ars Technica. https://arstechnica.com/information-technology/2015/12/researchers-confirm-backdoor-password-in-juniper-firewall-code/
  17. Goodin, D. (2015). In major goof, Uber stored sensitive database key on public GitHub page. Ars Technica. https://arstechnica.com/information-technology/2015/03/in-major-goof-uber-stored-sensitive-database-key-on-public-github-page/
  18. Halevi, T., Memon, N., and Nov, O. (2015). Spear-Phishing in the Wild: A Real-World Study of Personality, Phishing Self-Efficacy and Vulnerability to Spear-Phishing Attacks. Available at SSRN: https://ssrn.com/abstract=2544742
  19. Heartfield, R. and Loukas, G. (2015). A Taxonomy of Attacks and a Survey of Defense Mechanisms for Semantic Social Engineering Attacks. ACM Computing Surveys 48(3), 38 pages.
  20. Hern, A. (2017). WannaCry, Petya, NotPetya: how ransomware hit the big time in 2017. The Guardian. https://www.theguardian.com/technology/2017/dec/30/wannacry-petya-notpetya-ransomware
  21. Kerckhoffs, A. (1883). La cryptographie militaire. Journal des sciences militaires IX, 5–83.
  22. Kordy, B., Mauw, S., Radomirović, S., and Schweitzer, P. (2010). Foundations of Attack–Defense Trees. In P. Degano, S. Etalle, and J. D. Guttman (eds.), Formal Aspects of Security and Trust, 7th International Workshop (FAST 2010), Pisa, Italy, September 16–17, 2010, Revised Selected Papers, LNCS 6561, pp. 80–95. Springer.
  23. Krombholz, K., Hobel, H., Huber, M., and Weippl, E. (2013). Social Engineering Attacks on the Knowledge Worker. In Proceedings of the 6th International Conference on Security of Information and Networks (SIN '13), pp. 28–35. ACM, New York.
  24. Langley, A. (2014). Apple's SSL/TLS bug. https://www.imperialviolet.org/2014/02/22/applebug.html
  25. Langner, R. (2013). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. The Langner Group, Arlington.
  26. Libicki, M. C., Ablon, L., and Webb, T. (2015). The Defender's Dilemma: Charting a Course Toward Cybersecurity. RAND Corporation. http://www.rand.org/pubs/research_reports/RR1024.html
  27. McConnell, S. (2004). Code Complete: A Practical Handbook of Software Construction, 2nd edition. Microsoft Press, Redmond, WA.
  28. Melnitzky, A. (2012). Defending America Against Cyber Espionage Through the Use of Active Defenses. 20 Cardozo J. Int'l & Comp. L. 537, 566.
  29. Microsoft (2013). Microsoft Security Intelligence Report (MSIR), Vol. 15, January–June 2013. http://download.microsoft.com/download/5/0/3/50310CCE-8AF5-4FB4-83E2-03F1DA92F33C/Microsoft_Security_Intelligence_Report_Volume_15_English.pdf
  30. Naraine, R. (2010). Stuxnet Attackers Used 4 Windows Zero-Day Exploits. ZDNet. http://www.zdnet.com/article/stuxnet-attackers-used-4-windows-zero-day-exploits/
  31. Nasheri, H. (2004). Economic Espionage and Industrial Spying. Cambridge University Press, Cambridge.
  32. National Research Council (1999). Trust in Cyberspace. The National Academies Press, Washington, D.C.
  33. Newman, L. H. (2017). Equifax Officially Has No Excuse. Wired. https://www.wired.com/story/equifax-breach-no-excuse/
  34. Orman, H. (2015). Encrypted Email: The History and Technology of Message Privacy. Springer, Cham.
  35. O'Sullivan, D. (2018a). Dark Cloud: Inside The Pentagon's Leaked Internet Surveillance Archive. UpGuard. https://www.upguard.com/breaches/cloud-leak-centcom
  36. O'Sullivan, D. (2018b). The RNC Files: Inside the Largest US Voter Data Leak. UpGuard. https://www.upguard.com/breaches/the-rnc-files
  37. Peterson, A. (2013). Why everyone is left less secure when the NSA doesn't help fix security flaws. Washington Post. https://www.washingtonpost.com/news/the-switch/wp/2013/10/04/why-everyone-is-left-less-secure-when-the-nsa-doesnt-help-fix-security-flaws/
  38. Pfleeger, C. P., Pfleeger, S. L., and Margulies, J. (2015). Security in Computing, 5th edition. Prentice Hall.
  39. poperob (2014). What is a specific example of how the Shellshock Bash bug could be exploited? Information Security Stack Exchange. https://security.stackexchange.com/a/68184
  40. Rashid, F. Y. (2013). GitHub Search Makes Easy Discovery of Encryption Keys, Passwords in Source Code. SecurityWeek. https://www.securityweek.com/github-search-makes-easy-discovery-encryption-keys-passwords-source-code
  41. Rescorla, E. (2003). Security Holes… Who Cares? In Proceedings of the 12th USENIX Security Symposium (SSYM '03). USENIX Association, Berkeley, CA.
  42. Rid, T. and Buchanan, B. (2015). Attributing Cyber Attacks. Journal of Strategic Studies 38(1–2), 4–37.
  43. Saltzer, J. H. and Schroeder, M. D. (1975). The Protection of Information in Computer Systems. Proceedings of the IEEE 63(9), 1278–1308.
  44. Schneider, F. B. (ed.) (1998). Trust in Cyberspace. National Academy Press, Washington, D.C.
  45. Schneier, B. (1999). Attack Trees. Dr. Dobb's Journal of Software Tools 24(12), 21–29.
  46. Schwartz, A. and Knake, R. (2016). Government's Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process. Discussion Paper 2016-04, Cyber Security Project, Belfer Center for Science and International Affairs, Harvard Kennedy School.
  47. Scott, C. R. D. (1999). Territorially Intrusive Intelligence Collection and International Law. 46 A.F. L. Rev. 217.
  48. Shirey, R. W. (2007). Internet Security Glossary, Version 2. RFC 4949.
  49. Shumow, D. and Ferguson, N. (2007). On the Possibility of a Back Door in the NIST SP800-90 Dual EC PRNG. CRYPTO 2007 Rump Session. http://rump2007.cr.yp.to/15-shumow.pdf
  50. Smith, R. (2012). A Contemporary Look at Saltzer and Schroeder's 1975 Design Principles. IEEE Security & Privacy 10(6), 20–25.
  51. Spitzner, L. (2002). Honeypots: Tracking Hackers. Addison-Wesley, Boston, MA.
  52. Stallings, W. and Brown, L. (2014). Computer Security: Principles and Practice, 3rd edition. Prentice Hall, Upper Saddle River, NJ.
  53. Stoll, C. (1989). The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage. Doubleday, New York.
  54. Voydock, V. L. and Kent, S. T. (1983). Security Mechanisms in High-Level Network Protocols. ACM Computing Surveys 15(2), 135–171.
  55. Weissbrodt, D. (2013). Cyber-Conflict, Cyber-Crime, and Cyber-Espionage. 22 Minn. J. Int'l L. 347.
  56. Wheeler, D. A. (2017). The Apple goto fail vulnerability: lessons learned. https://www.dwheeler.com/essays/apple-goto-fail.html
  57. Wortham, A. (2012). Should Cyber Exploitation Ever Constitute a Demonstration of Hostile Intent That May Violate UN Charter Provisions Prohibiting the Threat or Use of Force? 64 Fed. Comm. L.J. 643, 655.
  58. Zetter, K. (2015). A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever. Wired. https://www.wired.com/2015/01/german-steel-mill-hack-destruction/

Copyright information

© Springer Fachmedien Wiesbaden GmbH, ein Teil von Springer Nature 2019

Authors and Affiliations

  1. University of Bamberg, Bamberg, Germany