Inside the mind of digital attackers: Part 1 — The connection

By Justin Kosslyn

Jigsaw

--

John has a target: name, country, brief context, and maybe the email address or website. John has been given a goal: maybe eavesdropping, taking a website offline, or stealing intellectual property. And John has been given constraints: maybe he cannot risk detection, or he has to act within 24 hours, or he cannot reach out to the state-owned telecommunications company for help.

John is a government-backed digital attacker. He sits in an office building somewhere, at a desk. Maybe this is the job he wanted when he was growing up, or maybe it was a way to pay the bills and stretch his technical muscles. He probably has plans for the weekend.

Let’s say, for the sake of this example, that John’s target is Henry, in the same country as John. John’s goal is to copy all the information on Henry’s computer without being detected. John can get help from other government agencies. There’s no rush.

The first thing to realize is that John, like most people, is a busy guy. He’s not going to do more work than necessary. First, he’ll try to use traditional, straightforward techniques — nothing fancy — and only if those methods fail will he try to be more creative with his attack.

The second thing to realize is that John has three options for how to proceed. He can target Henry’s phone or computer, he can target Henry’s connection to the Internet, or he can target the server that Henry uses to store data. Between those three routes (Henry’s device, connection, and server) Henry’s security is only as strong as the weakest one, because John needs to break just one of them.

Let’s say that John decides to target Henry’s connection to the Internet. This can be an easy method if John knows people who work in certain areas of the government. After all, governments usually control the physical infrastructure of the Internet, and they can use that control to manipulate connections. For example, there are surveillance vendors, such as FinFisher, that have been reported to provide interception equipment and software to governments around the globe. Let’s say that the government in John’s country has installed FinFly ISP into the infrastructure of the national internet.

Here’s what John does. With the help of the ISP where FinFly is installed, John identifies Henry’s connection: the subscriber account and the network address the ISP has assigned to Henry’s computer. Next, John feeds that into a program like FinFly ISP, which is configured to tamper with files Henry downloads over unencrypted connections, attaching an exploit to them on the fly. Now John waits.

That afternoon, Henry gets an email from his mother. She’s sending him some photos from their recent family vacation. They’re real photos. It’s his real mother. And she’s sending them over a service (perhaps an older email provider) that uses HTTP, not HTTPS.

A quick digression. HTTP is how much of the traffic on the Internet is sent. It’s like using a postcard: any router or network operator along the path can read the contents, and alter them, while forwarding the message towards its destination. HTTPS, meanwhile, is encrypted and authenticated traffic; most browsers indicate that HTTPS is active by showing a lock icon in the address bar. HTTPS is like using a sealed envelope: no router along the path can read the contents in transit, and if the envelope is opened or altered on the way, the recipient’s browser notices and refuses it. One caveat the analogy makes obvious: the envelope still has an address written on the outside. The network still sees which server you are talking to, when, and roughly how much data passes; it just cannot read or change what is inside.

Since Henry’s mother sent the photos over an HTTP service, it was like sending a postcard. The government-run Internet Service Provider read the contents, and with technology like FinFly it actually edited the postcard in transit. The version that Henry receives has the real photo, but it also has some extra code attached to the file. That code contains an “exploit” that takes advantage of bugs in the software Henry will use to view the pictures, and uses them to install malware on his computer. None of this would have worked on a sealed envelope: the ISP could not have read the photos, and any change would have been detected on arrival.
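As an added illustration, which is not code from the original post or from any FinFisher product, the following Python shows both halves of the story: the "edit the postcard" step an on-path box can perform on a plaintext HTTP response, and the check a recipient could run on the file afterwards. The JPEG-like sample, the HTTP response and the appended payload marker are all constructed here.

```python
import re

# Constructed sample: a minimal JPEG-like file with the segment layout of a
# real baseline JPEG (SOI, APP0/JFIF header, SOS header, a few bytes of
# entropy-coded data, EOI). It is not a decodable picture.
SOI, SOS, EOI = b"\xff\xd8", b"\xff\xda", b"\xff\xd9"

def _segment(marker: bytes, body: bytes) -> bytes:
    # A JPEG segment length counts the two length bytes but not the marker.
    return marker + (len(body) + 2).to_bytes(2, "big") + body

CLEAN_JPEG = (SOI
              + _segment(b"\xff\xe0", b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
              + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
              + b"\x12\x34\x56\x78"
              + EOI)

def build_http_response(body: bytes, content_type: bytes = b"image/jpeg") -> bytes:
    """A plaintext HTTP/1.1 response, the way an HTTP-only email service
    would serve an attached photo."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: " + content_type
            + b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

def split_response(raw: bytes):
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response")
    return head, body

def on_path_inject(raw: bytes, payload: bytes) -> bytes:
    """The 'edit the postcard' step: an ISP-level box that sees the
    plaintext response appends a payload to the body and rewrites
    Content-Length so the client receives a perfectly well-formed response."""
    head, body = split_response(raw)
    new_body = body + payload
    new_head = re.sub(rb"Content-Length: \d+",
                      b"Content-Length: " + str(len(new_body)).encode(), head)
    return new_head + b"\r\n\r\n" + new_body

def find_eoi(jpeg: bytes) -> int:
    """Walk the segment table up to SOS, then scan the entropy-coded data
    for the EOI marker. Returns the offset just past EOI. Handles baseline
    JPEGs; a progressive file with several scans would need the segment
    walk repeated after each scan."""
    if jpeg[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("segment table corrupted at offset %d" % pos)
        marker = jpeg[pos + 1]
        seg_len = int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:          # SOS: entropy-coded data follows
            break
    else:
        raise ValueError("no SOS segment")
    # Inside scan data a 0xFF byte is always followed by 0x00 (byte stuffing)
    # or an RSTn marker, so the first 0xFF 0xD9 pair really is end-of-image.
    while pos + 1 < len(jpeg):
        if jpeg[pos] == 0xFF and jpeg[pos + 1] == 0xD9:
            return pos + 2
        pos += 1
    raise ValueError("no EOI marker")

def trailing_bytes(jpeg: bytes) -> bytes:
    """The recipient-side check: anything after EOI is not part of the
    picture. A clean file returns b''."""
    return jpeg[find_eoi(jpeg):]

def demo():
    """Serve the clean photo, let the on-path box tamper with it, and
    inspect what arrives."""
    served = build_http_response(CLEAN_JPEG)
    # Constructed stand-in for the exploit blob; it carries no real exploit.
    tampered = on_path_inject(served, b"#!payload-placeholder")
    _, received = split_response(tampered)
    return received, trailing_bytes(received)

if __name__ == "__main__":
    received, extra = demo()
    print("bytes after EOI:", extra)
```

Trailing data after EOI is not proof of an exploit (some cameras and tools append metadata there), but it is the cheapest first question to ask of a file that arrived over a link someone else controls; the exploit itself would live in how the viewer parses the image, which this check does not attempt to reproduce.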

Unfortunately, Henry doesn’t realize any of this. He downloads the photo and opens it in a slightly outdated version of a common photo viewer. He sees the photo. And, though he doesn’t realize it, the exploit fires and the malware installs itself.

Meanwhile, John gets an alert — he’s in. Now John can turn on Henry’s microphone and camera at will, or copy all of Henry’s files, or record every key that Henry types. John can get all of Henry’s passwords. See every website Henry visits. Share it with the secret police. And John did it very easily. That’s a good day in the life of a digital attacker.

Now, let’s say you’re Henry. What could you have done to make John’s task harder? The best answer is to use HTTPS rather than HTTP: when you’re sending sealed envelopes rather than postcards, the government can’t read them in transit, and tampering is detected rather than silently accepted. If you were worried about this sort of attack, you could install the HTTPS Everywhere browser extension to make sure you automatically use HTTPS whenever a site supports it (most browsers now build in an equivalent HTTPS-only mode). That only helps with services that offer HTTPS at all, though; an HTTP-only email provider like the one in this story stays a postcard. Or, even better, you could use a VPN service like Psiphon or a browser proxy like our own uProxy to route all your Internet traffic through a neutral country, and automatically encrypt all of it between that neutral country and your computer, whether or not the individual service uses HTTPS. It’s like having a Post Office box in a foreign country, and having all your mail forwarded to you from the PO box inside locked safes. The caveat is that you are now trusting whoever runs the PO box: between the exit point and an HTTP-only service your traffic is a postcard again, so the provider has to be outside the attacker’s reach.

Of course, if you took those precautions to protect your connection to the Internet, John might move on to another attack. The server, the connection, and the device are the three big areas of risk; if he couldn’t breach your connection, he could try your device or your server instead. Or maybe John would scale back his goals, focusing on passively intercepting and listening to as much of your traffic as possible without trying to get you to download anything.

But we’ll save all that for future installments. Subscribe here to be notified whenever we post.


Jigsaw is a unit within Google that explores threats to open societies, and builds technology that inspires scalable solutions.