This Week in Cyber
Cybersecurity is a nascent field, but it still has significant anniversaries. Welcome to the latest installment of This Week in Cyber, where we look back on major events that have impacted information technology and cybersecurity. This is more than just a historical exercise. Looking back at historical events can help us understand where cyber has been so we can understand where it is headed.
Let’s take a look back at the last few weeks in history and their significant anniversaries.
June 9-13, 1997: Eligible Receiver
In the summer of 1997, the U.S. Department of Defense networks were compromised in only four days using only public hacking tools. The attackers gained root access to Pentagon machines, allowing them to misconfigure accounts, block and steal secret communications, and even deliver personal taunts on Pentagon computers. Luckily for American security, this was only a drill.
Members of the National Security Agency’s “Red Team” led the attack to expose Pentagon network vulnerabilities. The NSA Red Team posed as North Korean and Iranian attackers as part of the exercise and targeted the military’s phone, fax, and computer networks. The attack, while it required nearly four months of intense reconnaissance and preparation, was alarmingly easy. Numerous defense computers were insufficiently secured and often lacked any security at all. Many computers were protected by passwords like “ABCDE” or “12345.” The Red Team used spear phishing, dumpster diving, and other social engineering tactics to wreak havoc on the Pentagon machines and servers.
The war game served its purpose. The overwhelming ease and destruction pushed the Pentagon and NSA to invest in information security initiatives.
June 17, 1997: DES Cracked
Speaking of government failures, in the same summer of the same year, the U.S. Commerce Department's encryption standard, the Data Encryption Standard (DES), was cracked. DES is a symmetric-key cipher with an effective key length of only 56 bits, meaning it is relatively weak and vulnerable to brute force attacks.
DES’s vulnerabilities were exposed in 1997 through the RSA Security-hosted “DES Challenges” series that encouraged security researchers to crack DES. The first researchers succeeded by building a server that controlled thousands of computers that tried all of DES’s possible key combinations. The key-cracking system took 96 days to crack DES. Today, with modern supercomputers, DES can be cracked in a matter of a few hours.
Stronger encryption algorithms with longer encryption keys, such as 3DES and AES, have since replaced DES.
June 2010: Stuxnet
The most extensive physical damage from a cyberattack was caused by Stuxnet, a malicious and now infamous computer worm reportedly developed by American and Israeli intelligence agencies. Beginning in 2009 and continuing until 2012, Stuxnet aimed to sabotage Iran’s nuclear program by targeting the country’s nuclear centrifuges. For years, the cyber weapon covertly gathered intelligence about Iran’s nuclear program, compromised the programmable logic controllers (PLCs) that operated centrifuges, and gained control of the equipment responsible for enriching nuclear fuel. After compromising the PLCs, the worm issued commands that increased the rotational speed of a site’s centrifuges, causing them to spin out of control and destroy themselves. Over the course of a few years, Stuxnet destroyed a significant portion of Iran’s nuclear centrifuges.
Since the use of Stuxnet on Iran’s nuclear facility, governments and criminal hacker groups have adapted and reused Stuxnet’s code on more unsuspecting targets, causing the physical effects of the incident to ripple ever further. Variants of the worm have infected systems in Israel, Palestine, Saudi Arabia, Egypt, Sudan, and even parts of Europe and North America.
Crack Open Your History Books
Every practitioner knows that the future of innovation in security and technology is built on both breakthroughs and break-ins from the past. As these snapshots demonstrate, events in history can have monumental impacts on the world we live in today and the world to come.