
Monday, January 17, 2022

Ukraine Gets Cyberattacked Again

 

First, a little geography lesson.  Ukraine sits north of the Black Sea, bordering Poland, Hungary, and Romania on its west and surrounded by Russia to the north and east.  Like Poland, the Ukraine has been subjugated for much of its history by foreign powers—the old USSR for most of the twentieth century, and even by Lithuania back in the 1400's A. D.  But when the USSR collapsed, the Ukraine gained independence again.  It is the poorest country of Europe, but has rich farmlands, which is one reason why foreigners want to take it over.

 

If you've been paying any attention to world news, you know that Vladimir Putin has been saber-rattling about a possible invasion of Ukraine recently, massing 100,000 troops on the border between the two countries and ramping up his warlike rhetoric.  Russia has been chipping away at the country since at least 2014, when the pro-Russian President of Ukraine, Viktor Yanukovych, lost an election, and Putin invaded the Crimea, the peninsula that sticks out into the Black Sea and separates it from the Sea of Azov to its northeast.  Having succeeded in that, Putin has since been backing forces that have taken over portions of eastern Ukraine, and it appears that he would like nothing better than to welcome the entire country back to the domination of Russia.  So far, the government of Ukraine has had different ideas.

 

As part of Putin's campaign, a war that isn't quite a war, most authorities agree that Russian-based hackers mounted a cyberattack called NotPetya back in 2017.  It was aimed primarily at Ukrainian institutions, but it also affected thousands of other systems as well.  The White House later estimated that NotPetya caused about $10 billion worth of damage worldwide. 

 

Now we come down to this week.  On Jan. 15, dozens of Ukrainian government computer systems were infected with malware disguised as ransomware.  An infected computer displayed a demand for a certain ransom to be paid in Bitcoin, but what really happened is that the malware "renders the computer system inoperable," ransom or no ransom. 

 

Microsoft issued a statement saying that they observed these attacks aimed primarily at Ukrainian government agencies and closely-allied organizations, and that they had issued updates that will address the problems.  But in the meantime, the Ukraine is suffering yet another cyberattack which appears to be instigated by Russia, although no firm evidence of the source has yet been forthcoming.

 

To my knowledge, nobody has actually died as a result of the most recent cyberattack on the Ukraine.  But to the extent that the public relies on computer-mediated government services, the consequences of a massive shutdown of government computers can range from the inconvenient to the life-threatening, in government-run hospitals, for example. 

 

In the logic of war, an enemy's assets are always a target, and now that computer networks and systems form so much of the infrastructure of modern life, they have become a uniquely vulnerable target.  Cyberattacks borrow from the fields of espionage, sabotage, and terrorism to create an insidious threat that knows no boundaries.  And defending against such attacks is a responsibility that is widely distributed among both public and private actors. 

 

All these features make cyberwarfare a different kind of thing from conventional warfare, and it is taking time for both military and civilian thinking to catch up to it. 

 

When this topic has come up in the past, I have taken the position that the U. S. military, in any event, seems to have an overly narrow focus on what cyberwarfare might amount to in the future.  While I am no technical expert in this area, I can see that even cyberattacks on U. S. organizations that have been definitely attributed to government-sponsored hackers in China or Russia do not seem to cause much concern on the part of our government, except to provoke warnings to private interests to do their cybersecurity better. 

 

That may make sense if you're a Boeing or a Kaiser Permanente, with entire staffs of IT security specialists.  But especially in the U. S., we have a great many small businesses whose functioning is nonetheless critical to our economy.  Many of them can't afford a full-time IT person, so IT maintenance is handled on an as-needed basis:  if something breaks, the owner hires somebody to fix it, but otherwise deals with things on his or her own. 

 

A supply-chain cyberattack similar to what was used against Ukraine could target a popular piece of software such as, for example, Quicken—something that almost all small businesses use.  With a few keystrokes, such an attack could cause devastation far beyond what we are presently seeing with the Omicron COVID-19 variant, which has done nothing worse than kill thousands of people and cause massive absenteeism, both involuntary due to sickness and voluntary due to vaccine mandates. 

 

The fact that nothing like that has happened in the U. S., with a few exceptions, may mean that the way we are doing things is just fine and we don't need to worry about a massive cyberattack that would bring the U. S. economy to its knees.  On the other hand, it may mean that whoever is capable of mounting such an attack is simply biding their time, awaiting the proper geopolitical moment when such an attack could be coordinated with more conventional warlike actions for maximum effect.  I hope it's the former, but I suspect it might be the latter.

 

What am I asking for?  Certainly not for every software app to be government-certified as secure.  At the university where I work, we have experienced a small-scale version of that type of thing, and all it has done so far is to create a lot of confusion and delays in purchasing needed software.  If there are government and military forces out there safeguarding not only their own systems, but those belonging to the public at large, I would at least like to know about it, in a general way.  And because my federal taxes are paying for it, I'd like to know what I'm getting for my money.

 

In the meantime, we can hope that the Ukrainian government has figured out how to defend itself and its citizens from what has to be the worst spate of cyberwarfare endured by any nation so far.  And maybe we can learn some lessons from them:  either good examples if they succeed, or bad examples if they lose and get absorbed into Russia. 

 

Sources:  I referred to the article "Microsoft discloses malware attack on Ukraine govt networks" which appeared on the AP News website on Jan. 15 at https://apnews.com/article/technology-business-europe-russia-ukraine-404c5e751709fba66b31fd512f734d80.  I also referred to a Microsoft blog at https://blogs.microsoft.com/on-the-issues/2022/01/15/mstic-malware-cyberattacks-ukraine-government/ and Wikipedia articles on NotPetya, Ukraine, and the Crimea.

Monday, October 31, 2016

Zombie Cameras On the Internet of Things


On Friday, Oct. 21, millions of Internet users trying to access popular websites including Twitter, Netflix, the New York Times, and Wired suddenly saw them stop working.  The reason was that for a few hours, a massive distributed-denial-of-service (DDOS) attack hit a domain-name-system (DNS) company called Dyn, based in New Hampshire.  As I mentioned in last week's blog, DNS companies provide a sort of phone-book service that turns names such as www.google.com into machine-readable IP addresses that connect the person requesting a website to the server that hosts it.  They are a particularly vulnerable part of the Internet, because one DNS server can handle requests for thousands of websites, so if you take that DNS machine down, you've automatically damaged all those websites for as long as the DNS is out of service.

DDOS attacks are nothing new, but the Oct. 21 attack was the largest yet to use primarily Internet-of-Things (IoT) devices in its "botnet" of infected devices.  The Internet of Things is the proliferation of small sensors, monitors, and other devices less fancy than a standard computer that are connected to the Internet for various purposes. 

Here's where the zombie cameras come in.  Say you buy an inexpensive security camera for your home and get it talking to your wireless connection.  If you're like millions of other buyers of such devices, you don't bother to change the default password or otherwise enhance the security features that would prevent unauthorized access to the device, like you might do if you bought a new laptop computer.  Security experts have known for some time about a new type of malware called Mirai that takes over poorly protected always-on IoT devices such as security cameras and DVRs.  When the evil genius who sent out the Mirai malware sends a signal to the infected gizmos, they all start spouting requests to the targeted DNS server, which immediately gets buried in requests and can't respond to anybody.  That is what a DDOS attack is. 

As the victim learns the nature of the requests, programmers can mount a defense, but skillful attackers can foil these defenses too, for a time, anyway.  The attackers went away after three attacks that day, each lasting a couple of hours, but by then the damage had been done.  The attacks made significant dents in the revenue streams of a number of companies.  And perhaps most importantly, we learned from experience that the much-ballyhooed Internet of Things has a dark side.  The question now is, what should we do about it?
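The paragraphs above describe a DDOS as a swarm of infected devices each sending requests at a DNS server.  The following is an added illustration, not code from the original post or from Dyn, of why that matters for the defender: it runs two detections over constructed resolver log lines (the addresses, query names and thresholds are all made-up assumptions) and shows that a single noisy client is caught by a per-source rate limit, while a Mirai-style swarm of low-rate devices is only visible in the aggregate query rate and the count of distinct sources.

```python
"""Added example: per-source vs. aggregate detection of a DNS query flood.
All log lines, addresses and thresholds below are constructed for illustration."""
from collections import Counter, defaultdict


def make_sample_log(include_noisy_client=True, swarm_size=40):
    """Build constructed resolver log lines: '<epoch_second> <client_ip> <qname>'.
    Three seconds of traffic: one baseline client (1 qps), optionally one noisy
    client (25 qps), and a swarm of low-rate 'cameras' (2 qps each)."""
    lines = []
    for sec in range(1000, 1003):
        lines.append(f"{sec} 192.0.2.10 mail.example.com")          # baseline
        if include_noisy_client:
            lines += [f"{sec} 203.0.113.7 www.example.com"] * 25     # one loud client
        for dev in range(1, swarm_size + 1):                         # the swarm
            lines += [f"{sec} 198.51.100.{dev} www.example.com"] * 2
    return lines


def parse(lines):
    """Parse log lines into (second, ip, qname) tuples, skipping malformed ones."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1], parts[2]))
    return records


def per_source_offenders(records, max_qps=10):
    """Classic per-client rate limit: sources that exceed max_qps in any second."""
    counts = Counter((sec, ip) for sec, ip, _ in records)
    return sorted({ip for (sec, ip), n in counts.items() if n > max_qps})


def aggregate_alerts(records, max_total_qps=50, max_distinct_sources=20):
    """Aggregate view: seconds in which total queries or the number of distinct
    clients exceed what the resolver normally sees.  A botnet of many devices
    each sending a trickle trips this even when no single source is 'loud'."""
    by_second = defaultdict(list)
    for sec, ip, _ in records:
        by_second[sec].append(ip)
    return [sec for sec in sorted(by_second)
            if len(by_second[sec]) > max_total_qps
            or len(set(by_second[sec])) > max_distinct_sources]


if __name__ == "__main__":
    recs = parse(make_sample_log())
    print("per-source offenders:", per_source_offenders(recs))      # only the loud client
    print("aggregate alerts:", aggregate_alerts(recs))              # every second
    swarm_only = parse(make_sample_log(include_noisy_client=False))
    print("swarm only, per-source:", per_source_offenders(swarm_only))  # nothing
    print("swarm only, aggregate:", aggregate_alerts(swarm_only))       # still every second
```

The per-source check is what most off-the-shelf rate limiting does; the swarm-only run shows why a distributed flood needs the aggregate view, and in practice the thresholds would be learned from the resolver's normal traffic rather than fixed as here.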

Sen. Mark Warner, a Democrat from Virginia, has reportedly sent letters to the FCC and other relevant Federal agencies asking that same question.  According to a report on the website Computerworld, Warner has a background in the telecomm industry and recognizes that government regulation may not be the best answer.  For one thing, Internet technology can change so fast that by the time a legislative or administrative process finally produces a regulation, it can be outmoded even before it's put into action.  Warner thinks that the IoT industries should develop some kind of seal of security approval or rating system that consumers could use to compare prospective IoT devices before they buy. 

This may get somewhere, and then again it may not.  The reason is that an IoT device that can be used in a DDOS attack but otherwise functions normally as far as the consumer is concerned, is a classic case of what economists call an "externality."

A more familiar type of externality is air-pollution abatement devices on cars:  catalytic converters, the diesel exhaust fluid that truckdrivers now have to buy, and all that stuff.  None of it makes your car run better; in fact, cars can get better mileage or performance if they don't have that anti-pollution stuff working, as Volkswagen knew when it purposely disabled the anti-pollution function on some of its diesel models and turned it on only to pass government inspections.  The pollution your car would cause without anti-pollution equipment is an externality.  The additional pollution that your car causes is so small that you won't notice it.  Only when you add up the contributions of the millions of cars in a city does it become a problem.  But if you don't have anti-pollution stuff on your car, you're adding a tiny bit to the air pollution that everybody in your city has to breathe.  It's that involuntary aspect, the fact that other people are put at a disadvantage because of your action (or inaction), that makes it an externality.

The vulnerability of IoT devices to being used in DDOS attacks is an externality of a similar kind.  When you buy and install a security camera, or rent a DVR from your cable company, and they don't have enough security software installed to prevent them from being used in a DDOS attack, you're raising the risk of such an attack for everybody on the Internet.  And they don't have a choice in the matter.

Historically, externality problems such as air and water pollution have been resolved only when the government gets involved at some level.  When the externality problems are strictly local, sometimes local political pressures can resolve the issue, but the Internet is by its nature a global thing, in the main, although for reasons that are not entirely clear, the Oct. 21 attacks affected mainly East Coast users.  So my guess is that to fix this issue, we are going to have to have national or international governmental cooperation to set some rules and fix minimum standards for IoT devices regarding this specific problem.

The solutions are not that hard technically:  things like attaching a unique username and password to each IoT device and designing them to receive security updates.  These measures are already in place for conventional computers, and as IoT devices get more sophisticated, the additional cost of these security measures will decline to the point that it will be a no-brainer, I hope. 
           
But right now there's millions of the gizmos out there that are still vulnerable, and it would be very hard to get rid of them by any means other than waiting for them to break or get replaced by new ones.  So we have created a serious security problem that somebody, somewhere has figured out how to take advantage of.  Let's hope that the Oct. 21 attack was the last big one of this kind.  But right now that's all it is—just a hope. 

Sources:  I referred to the article "What We Know About Friday's Massive East Coast Internet Outage" by Lily Hay Newman of Wired at https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/, and the article "After DDOS attack, senator seeks industry-led security standards for IoT devices" by Mark Hamblen at http://www.computerworld.com/article/3136650/security/after-ddos-attack-senator-seeks-industry-led-security-standards-for-iot-devices.html.  I also referred to the Wikipedia articles on "externality" and "Mirai" (which means "future" in Japanese).

Monday, May 12, 2014

The Sudden Death of Windows XP


Okay, it wasn't that sudden:  Microsoft announced as long ago as 2012 that, as of April of 2014, it was going to end all support of its creaky but still serviceable Windows XP operating system, so it's not like it happened without warning.  And strictly speaking, computers running Windows XP didn't die on April 8, 2014:  they just became instantly vulnerable to malware, hackers, and others who had been kept somewhat at bay by security upgrades from Microsoft.  As it turns out, this includes well-intentioned network managers such as the ones at my university, who now sniff out any PCs on their network still running Windows XP and simply snip them off the network.  But the whole episode has occasioned some thoughts on planned obsolescence, and how different computer technology is from other kinds of technology.

As it turns out, I have a dog in this fight:  an old Dell laptop in my research lab that runs a number of applications I use in my research, and its operating system is Windows XP.  The applications all run with expensive hardware I have accumulated over the years as funding intermittently became available.  One such item is a high-speed camera that cost about $15K new when I bought it a decade ago with a combination of grant and department money.  Another is a $10K spectrometer that I happened into after I met my department chair in the hall one day, and he asked me if I knew of a good way I could help him spend ten thousand dollars real fast.  The software for these items will not run on anything other than Windows XP, and the laptop is so old I don't think I can upgrade the operating system to Windows 8 in any case.  I have a little grant right now, but I've obligated most of the money toward other items and there's nothing left for software or hardware upgrades. So what's an impoverished researcher to do?

I wasn't the only person caught with my operating system down on April 8, by the way.  One estimate (www.netmarketshare.com) says that about a quarter of all PCs are still running Windows XP here over a month after the drop-dead date, so I'm sure there are millions of computers out there in the same slowly sinking boat that my laptop is in. 

In a lot of ways, the end of XP support resembles the old Y2K scare that those of us old enough to be computer-savvy in 2000 can recall.  Because programmers dealing with the limited memory in mid-20th-century computers didn't always take into account the possibility that their software might still be running on Jan. 1, 2000, they sometimes wrote dates in a way that would make the software bomb if you tried to keep it running past Dec. 31, 1999.  Fortunately, the turn of the century was highly predictable, and despite certain fringe elements who predicted a digital Armageddon, nearly all software had been successfully upgraded by New Year's Day of 2000, and the big Y2K scare turned out to be a bust.

Similarly, judging from the cricket-filled silence on the Internet concerning any dire consequences of the end of XP support after April 8, I think things have not turned out to be as bad as some people thought.  Still, I can't connect my PC laptop to the internet without getting it squelched by IT support now, and if anything goes wrong with any of the software or hardware it runs, I may find myself up a creek.

Those involved in the computer and software industries rarely think in terms of indefinitely lengthy stretches of time, although I will give Microsoft credit for announcing the end of XP support so far in advance, and sticking to their commitment.  Every design of an engineered product is an act of faith:  the designer rarely knows exactly who will use the design, how they will benefit, or how long the design will be useful.  The business model of software companies is a constant scramble to issue upgrades and new products, and in a competitive global economy, it can't very well be otherwise.  But in the rare cases that a thing shows unexpected fruitful longevity, it seems that there is a kind of nobility or merit attached to that fact that most engineers rarely recognize, having been trained in the philosophy of "old = bad, new = good" from their college days. 

I recall the story of a mechanical animation stand and camera that began its existence back in the 1920s, and was used to make some of the earliest animated cartoons.  The same stand was still in use in the late 1990s for commercial film production, because the mechanical standards of 35-mm film had not changed in all that time. 

Animation stands are junk now, rendered that way by the advent of computer-generated images (CGI).  And motion-picture production companies that have switched to all-digital production find that it costs them a bundle simply to keep a movie on the shelf, because all the software and memory standards associated with the huge pile of digital information that goes into the movie are constantly changing, and it's a full-time job for several people just to make sure that the movie is still in shape to be played from month to month.  It brings to mind the words of the Red Queen in Lewis Carroll's story Through the Looking Glass and What Alice Found There:  "Now here, you see, it takes all the running you can do, to keep in the same place.  If you want to get somewhere else, you must run at least twice as fast as that!"

Those who have the resources to run twice as fast have long since upgraded their old PCs (or not so old PCs) to Windows 7 or 8 or 13 or whatever the latest version is, and will continue to keep up with the times.  And those of us who haven't, will just have to deal with the situation any way we can. 

Sources:  The online journal Computerworld carried a debate as long ago as December 2012 at http://www.computerworld.com/s/article/9234316/Experts_question_Microsoft_s_decision_to_retire_XP in which experts differed as to whether Microsoft would really stick to their announced deadline, as they in fact did.  Some good advice to those who can't afford upgrading from Windows XP appeared in PC Pro's online edition at http://www.pcpro.co.uk/features/387022/what-to-do-if-you-re-still-on-windows-xp-should-i-upgrade-from-windows-xp.  The statistic about the percentage of PCs running Windows XP is available at http://www.netmarketshare.com/operating-system-market-share.aspx.