In 2007, the Germans decided that listening in on your phone conversations wasn’t enough. They bought Trojan software from a company called Digitask. The Secretary of the Interior seems to have accepted that they’ve been installing this Windows-only software on suspects' machines. The Trojan can record what you’re typing, turn on your microphone and listen to what you’re saying, and turn on your computer’s camera and take photographs of you.
Hackers from the Chaos Computer Club found the Trojan, analyzed it, and published the results to the Internet.
This is only terribly exciting because a government has been caught doing something that tons of script-kiddies have been doing for more than fifteen years.
What’s far more exciting is the virus that refuses to go away in America’s drones. The virus is just sitting there, recording the keystrokes of the people flying America’s drones into Afghanistan and God alone knows where else. Wired broke the story a couple of days ago. In a twist worthy of a Jeffrey Archer short story, the people tasked with protecting the US Air Force’s systems found out about the virus when they read about it in Wired. It has to be said, at least they’re reading the right sources.
All of this, in the two weeks since this column started.
Our increasing dependence on technology is not a bad thing. India has its own drones programme and uses UAVs (Unmanned Aerial Vehicles) for various purposes. We know more, can do more, communicate more, in less time and for less money than ever before.
The missing piece in all of this seems to be an understanding of security: not because people don’t know or think about it, but because they usually do so from a traditional top-down perspective, a paradigm that fails more often than not.
Let me give you a simple example: the password is the first line of defense in any digital system. For years now, we’ve been encouraged to create passwords with a mix of upper and lower case letters, symbols and numbers, on the assumption that gibberish like AzQ53* is more secure than, let’s say, “Honey I’m home”. We believe this is more secure because it makes no sense to us as human beings. But to a computer neither password makes any sense; each is just a string of characters, and what matters to an attacker is how many strings it has to try before it hits yours. Length counts for far more than odd-looking characters: a six-character string of letters, digits and symbols has fewer than a million million possibilities, while a fourteen-character sentence with spaces in it has vastly more, which makes it much harder to crack by brute force or with rainbow tables. The one caveat is that a sentence everybody knows is in the attacker’s dictionary too, so pick words nobody would expect to see strung together. And since a sentence that makes sense to me is easy to remember, I end up with far stronger passwords than abc123 or 123456, two of the most commonly used, and most easily cracked, passwords in the world.
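To make the search-space arithmetic concrete, here is an added example, written for this column and not taken from any bank or vendor, that scores the two passwords above the way a brute-force attacker and a dictionary attacker would each see them. The 10,000-word dictionary, the four-entry stand-in for a leaked-password list and the figure of ten billion guesses per second are illustrative assumptions, not measurements.

```python
import math
import string

# Character classes an attacker who knows only "letters, digits, symbols, spaces"
# would have to enumerate. string.punctuation is the 32 printable ASCII symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           string.punctuation, " ")

# Tiny stand-in for a leaked-password list (assumed); real lists run to tens of millions.
COMMON_PASSWORDS = {"123456", "abc123", "password", "qwerty"}


def charset_size(password: str) -> int:
    """Size of the alphabet formed by every character class the password actually uses."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace for an attacker who knows only length and character classes."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(password: str, dictionary_size: int = 10_000) -> float:
    """log2 of the keyspace if the attacker instead guesses whole words from a
    dictionary of `dictionary_size` entries (assumed size). Capitalisation and
    punctuation are ignored, which is exactly what passphrase crackers try first."""
    return len(password.split()) * math.log2(dictionary_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password (half the keyspace) at an assumed guess
    rate; 1e10/s is an illustrative figure for an offline attack on a fast hash."""
    return 2 ** bits / 2 / guesses_per_second


def score(password: str) -> dict:
    """All three attacker models side by side; the weakest one is what counts."""
    bf = brute_force_bits(password)
    wl = wordlist_bits(password) if " " in password else bf
    common = math.log2(len(COMMON_PASSWORDS)) if password in COMMON_PASSWORDS else math.inf
    return {"brute_force_bits": bf, "wordlist_bits": wl,
            "effective_bits": min(bf, wl, common)}


if __name__ == "__main__":
    for pw in ("AzQ53*", "Honey I'm home", "abc123"):
        s = score(pw)
        print(f"{pw!r:18} brute force {s['brute_force_bits']:5.1f} bits, "
              f"dictionary {s['wordlist_bits']:5.1f} bits, "
              f"worst case ~{crack_seconds(s['effective_bits']):.3g} s")
```

The point the numbers make: against pure brute force the sentence is out of reach (about 90 bits against the symbol string’s 39), but an attacker who guesses that it is three dictionary words is back to roughly 40 bits, the same as AzQ53*. Three uncommon words, or five common ones, fixes that; a password on every leaked list is gone in the first second regardless.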
But a keylogger, like the one found on the drone pilots’ systems, makes this a moot point: no password is secure if it is recorded as you type it. That is why HDFC Bank’s netbanking offers an on-screen keyboard that you can use with a mouse to “type” in your password. Ah, but a Trojan that records the screen, or the mouse clicks, will manage to figure that one out as well. Which is where HSBC Bank’s key fob comes in. Every time you want to log in to the bank’s website, you press a button on a little hardware device they send you separately. The device generates a number that needs to be fed in along with your password. This is called two-factor authentication: something you know (the password) plus something you have (the fob). A code that a keylogger captures is useless once it has been used or has expired, so an attacker would have to use it in real time, before you do, and the bank has to refuse to accept the same code twice. And you can implement it on your own site as well, for free, using Google Authenticator.
Systems become more secure when you start to make the weakest parts of the chain stronger. And the weakest part of the chain is always the guy who thinks he knows everything about security — oh, that’s me in this case.
Till next week, watch out for a drone headed your way, controlled by a shadowy terrorist. If we’re very lucky, the Germans will have installed a Trojan on his Windows laptop.
Disclaimer: I have an HDFC Bank account, my wife banks with HSBC, and I used Trojans on unsuspecting victims on ICQ’s chat network once upon a time. To have their CD trays open and close made more than one person believe in the Ghost in the Machine.