Tuesday, November 10, 2020

‘Invisible Force’ Graphic Novel Shows the Possible Future of Cyber Warfare


The Army Cyber Institute’s new graphic novel “Invisible Force” suggests that advanced technology such as doctored videos and artificial intelligence could be weaponized by foreign adversaries in the near future.

“Invisible Force” takes place in the year 2030, when a foreign adversary, in this case the fictional nation of Donovia, uses artificial intelligence to undermine the United Nations’ response to a refugee crisis. Refugees fled from Africa to Atropia, another fictional nation in Europe, where they are held in a camp, which soon becomes the epicenter of a new strain of a virus.

Donovia works to break down trust between each stakeholder in the story — the public, refugees, military and government — until the truth is so distorted that no party has a clear idea of what is real and what is not. Donovia spreads misinformation that vaccines for the virus are poisoned and creates deepfake videos depicting situations that did not actually happen.

“Trust is not something that you can take for granted,” Maj. Jessica Dawson, an assistant professor at the Army Cyber Institute who advised the “Invisible Force” project, said. “It requires work and it requires repair and it requires constant maintenance.”

Dawson said the story’s creators used threatcasting, a process designed to understand and prepare for future risks, to imagine what a future with cyber security issues might look like. In partnership with Arizona State University’s Threatcasting Lab, the Army Cyber Institute created this graphic novel as a “science fiction prototype,” which is a fictional story based on research of projected technological and cultural trends, according to the novel.

Dawson said the team working on the graphic novel could “easily see” a scenario like the one portrayed in “Invisible Force” actually happening in 10 years, along with other similar technology-related scenarios. Deepfake videos are one of the several abuses of technology that Donovia uses in the novel to confuse the public and further erode trust.

This story shows how technology-fueled disinformation and fear can lead to real violence. In its cyber attacks, Donovia manages to create unrest in Atropia. The deepfake videos, such as one showing a bomb in Atropia’s capital, spread on social media and prompt public outcries against the government and its allies, including the United States.

“The ability to create good deepfakes that are going to be able to fool the national security apparatus, those are going to require time to develop,” Dawson said. “There’s a lot of ways in which reality is manipulated right now without going into full-blown deepfakes.”

The key to Donovia’s manipulation is how it uses the post-truth problem, which creates a gray area between fact and fiction. Donovia spreads the misinformation that the virus vaccines are poisoned — which is not true — but the nation did hack into the refrigerated vans holding the vaccines and raised the temperature, thus spoiling the vaccines and making the disinformation about the poison seem true.

In the U.S., the military’s involvement in Atropia becomes a subject of discussion on a clickbait news show that uses outrage from artificial intelligence bots posing as viewers to drive up traffic to the show, willingly spreading misinformation.

“One of the things we know about news and social media space is that a lie will travel further and faster than the truth will,” Dawson said. “When we think about all of the things that are like a little bit of truth wrapped in the lie, you’ve got to be able to acknowledge where the truth is and then point out the fallacies that are around it.”

Dawson said the decline of local news is one factor in the lack of trust between the public, the media and the government. A more localized approach to spreading information and checking the reliability of sources when sharing stories can help avoid more erosion of trust, she said.

“A lot of the things, the ideas and the themes, that we’re seeing in this graphic novel are happening right now, and it could happen to all of us,” Dawson said. “So (we are) really thinking through how do we defend against this? How do we make sure that we build a sense of community so that we’re not going to be as vulnerable?”

Sunday, November 8, 2020

Hacker Profile – Kevin Mitnick

This Article First Appeared on Exploitbyte.com

Kevin Mitnick – When the term “computer hacker” is thrown around, most people think of Kevin Mitnick. Back in the 1970s, 1980s, and 1990s, Kevin Mitnick was the hacker. Mitnick used a combination of social engineering and lower-level operating system research to pull off all sorts of outrageous stunts, although the overall harm caused by him is debatable, especially when compared to today’s world of APT attacks and ransomware.

Kevin Mitnick and his exploits have been written about in several books, have been made into a movie, and have generated a peculiar subculture of eccentric hacking stories attributed to him that he never did. The government’s own fear of Mitnick was so bad that he is the only U.S. prisoner not allowed to use a phone while incarcerated and kept in solitary confinement for fear that one word or sound from him could launch a nuclear missile. If you’ve ever seen a movie where the protagonist said one word into a phone and then a whole lot of bad cyber stuff happened, that scene germinated from the paranoia surrounding Mitnick.

I’m including Mitnick early in this book because since those early days of cyber mischief, he has dedicated his life to fighting computer crime, and he is one of the few reformed long-time blackhats that I completely trust. Today, Mitnick has written several books on computer security, works with several companies (including KnowBe4), has his own security consulting firm (Mitnick Security Consulting), has the busiest speaking schedule of any computer security figure I know, was on The Colbert Report, and has even had a cameo on the popular television show Alias. Mitnick’s lessons to the industry have resulted in a stronger recognition of the role social engineering plays in hacking and how to defeat it. After all, if you’re going to stop a criminal, it can’t hurt to learn from an intelligent reformed one.

I asked Mitnick what led to his interest in hacking. He said, “I was interested in magic as a kid. I loved magic. A kid at school showed me some tricks with the phone, like how to get free long distance phone calls, how to find out someone’s address with just their phone number, call forwarding, etc. He would go into a phone booth, call someone [the phone company], act like he was someone else, and make something magical happen. It was my first experience of social engineering. It was like magic to me. I didn’t know it was called phone phreaking and social engineering. I just knew that it was fun and exciting and pretty much it began to take over my life. It’s all I did. I was bored with school, and because I was up all night phone phreaking, my grades began to suffer.”

I asked what his parents thought about his hacking exploits. He replied, “Well, early on they didn’t know anything. Or maybe they thought I was doing something questionable on a phone. But my mother must have thought, ‘How much trouble can he get into on a phone besides annoying people?’ But they really didn’t have a clue what I was up to until my mom got an official letter from AT&T informing her that they were turning off our phone service. She was very upset. You have to remember this was in the days before cell phones. Your home phone was your only lifeline to other people. I told her to calm down and that I would fix it.

“I basically socially engineered a phone back into our house. First, I made up a new housing unit. We lived in Unit 13. I called up the phone company’s Business Office department pretending to be someone else and made up Unit 13B. I waited a few days for that new unit to get into the system, then I called the Provisioning department and asked for a new phone to be installed in Unit 13B. I even went to the hardware store and got a B to add to our outside number. I called pretending to be a new customer named Jim Bond from England. I gave them a real previous phone number from England I found along with other identifying information, because I knew they wouldn’t be able to verify any foreign information. Then I asked if I could pick a ‘vanity number’, and they said yes, and I picked a phone number ending in 007. At the end of the conversation I asked if using my nickname of Jim was okay or did I have to use my full legal name? They said I had to use my legal name and I told them it was James. So, I was registered with AT&T as James Bond with a phone number ending in 007, and my mother had her phone back. AT&T got mad about that one when my scheme was finally caught.”

I realized at this point in our interview that he hadn’t mentioned anything about computer hacking. He was only talking about phone misuse. I asked how he got into computer hacking. He replied, “There was a kid in high school who knew I was into phone phreaking, and he thought I would be interested in a new high-level computer science class the school was offering. I said I wasn’t interested at first, but the kid said, ‘You know, I hear the phone companies are getting into computers.’ And that was enough for me. I had to learn about these computers.

“I had to go to the instructor of the class, Mr. Kris, and ask him if I could join it because I didn’t have any of the necessary prerequisites (which at the time included advanced mathematics and physics) or grades, which had really begun to suffer from my lack of sleep due to phone phreaking. Mr. Kris wasn’t sure about letting me in so I demonstrated my phone phreaking to him by telling him his unlisted phone number, and those of his kids. He said, ‘That’s magic!’ and let me into the class.

“Our first assigned program was a FORTRAN program to calculate Fibonacci numbers, which I found too boring. I had actually gone to the local university, Northridge, and tried to get computing time on the computer there. They had the same computers and operating system. But I couldn’t get more than five minutes of time on them. So I went to the computer lab leader and asked for more time. He said that I wasn’t even a college student and shouldn’t be here, but he also saw how interested I was in computers, and to encourage me he gave me his personal logon account and password to practice with. Can you believe it? Those were the type of days around computers then.

“I ended up learning about low-level operating system calls. This was stuff they were not teaching in my high school class. At the high school, we all shared a modem that used a dial-up handset and a modem coupler. The modem stayed up all the time, and people would log in and out to access the terminal and modem. I wrote a low-level program that stayed active in the background and recorded everyone’s keystrokes as they typed, including their logon names and passwords.

“When the day came for Mr. Kris’s students to show him how many Fibonacci numbers their class-assigned programs had calculated, I had nothing. Mr. Kris admonished me in front of the class about how he had let me into the class and taken a risk and I had nothing to show for it. Every eye in the class was on me. I said, ‘Well, I’ve been too busy writing a program to capture your password and your password is johnco!’ He said, ‘How did you do it?’ I explained it to him, and he congratulated me and told the whole class I was a computer whiz. He wasn’t mad at all. This was perhaps a very bad first ethics lesson for me to learn.”

I asked Mitnick what a parent should do if they see signs that their kid is doing malicious hacking. He offered, “Show them how to hack legally. Channel their interest into legal and ethical opportunities, like going to computer security conferences and participating in ‘capture the flag’ contests. The parent should challenge the kid by saying something like, ‘So, do you think you’re good enough to be in a capture the flag contest?’ The parent can socially engineer the kid, and the kid will get the same fun and excitement but from a legal way. I just got through legally hacking a company today, and it gave me the same thrill as it did when I wasn’t doing ethical and legal things. I wish they had all the legal ways to hack that they do now. I wish I could go back in time and do it differently. You know the only thing different between illegal and legal hacking? The report writing!”

I wondered how Mitnick, with experience on both sides of the fence, felt about the government’s right to know something versus an individual’s right to privacy. He said, “I think we all have a huge right to privacy. In fact, my latest book, The Art of Invisibility, is all about how someone can keep their privacy. I think it’s very difficult to stay private against someone like the NSA or government with unlimited funds. I mean if they can’t break your encryption, they can just use one of their many zero-days and break into your endpoint, or buy a zero-day. For $1.5M you can buy an Apple zero-day, for half a million you can buy an Android zero-day, and so on. If you’ve got the funds and resources, you’re going to get the information you’re after. Although in The Art of Invisibility, I think I have a way that will even work against them, but it’s very tough to do and involves a lot of OPSEC stuff. But it can be done in a way that I think even the NSA or any government would have a tough time defeating. I understand a government’s need to know in certain cases, like terrorism, but they want to see into everything and everyone. And if you are being watched, you change your behavior, and that means you have less freedom. I don’t think you can have freedom without privacy.”

I ended our interview by reminding Mitnick that we had briefly met once before at a security conference many years ago where he was going up to talk as the headliner after I did. As he passed me he realized he needed a USB thumb drive to get his presentation to the dedicated presenter laptop up on the stage. I had one in my pocket that I offered. He almost took it, but after reconsidering it a few seconds, he declined and said he didn’t trust anyone else’s USB key. A few people around us chuckled at his paranoia. After all, you couldn’t get infected by a USB device—or so everyone generally believed at the time.