education

, , , ,

Hacking Reno: WebApp Pentesting

, , , ,

Four days in Reno was cerebral overload. 

Attending the Wild West Hack’n Fest presented by Black Hills Information Security, I tried to squeeze as much data into the ole’ brain-box as possible. It’s a small box as far as brain-boxes go, so I’m pretty sure I tore something, and now my personal data is leaking out all over the place. 

The first night there I dreamed I was at a diner and the waitress asked me, “How would you like your brains: Compiled, compressed, encoded, hashed, or salted? When I woke up I discovered I had developed a stutter that lasted most of the day. 

By the time it was all over my brain felt like it had been in a pie-eating contest that never stopped. One of those last idiot-standing contests. Skull stuffed to near bursting and face a slaughter of smeared blueberry confusion. I wonder what drives me. This blog post is the inevitable regurgitation of that cerebral gluttony. 

This is part one of my sloppy attempt at summarizing the 4-day info feast.    

The Nugget Casino hosted the conference. The ringing bells and whirling whistles of the casino floor opened up my dopamine receptors as I walked through the door. The blinking and twirling lights aroused my limbic system which started pumping adrenaline into the mind-mix. My lower brain wasn’t sure if it was supposed to fight, flee, or poop. Casinos have to be one of the apex environments for social engineering. I felt a little like I was about to get on a rollercoaster. Kinda sick to my stomach, kinda excited, I realized the siren song of beer and slot machines were calling to me. I hovered a second or two before managing to gather my withering wits and turn my nose to the scent of nerd and find my flock.

I followed the odor of burnt neurons to the second floor where I heard the enigmatic chatter of cryptologists debating blockchain. My class was in a large conference room that could have fit a hundred people easily, but physically present only ten were seated in front of the giant screen displaying pdf slides of the inner workings of websites. I won’t pretend that I understood everything. In these classes, I often feel like a monkey punching buttons as fast as I can. All the time hoping for a banana that never comes. But at least I keep notes and hope with repetition comes familiarity and competency. 

The very first thing mentioned was situational awareness. 

Be still my sweet martial art heart. He had me at “situational”. I knew no matter how techie this got, the instructor was connected to a narrative I could follow. 

The instructor’s name: BB King. He provided a master’s class in more than just pentesting the delicate membranes between user-input and website interface. This was also, for me at least, a dissection of the complexity of language and its primordial underpinnings. It was a study in the history of technology and communication.

Let me say upfront, I was intimidated by the technical material. I was also very anxious about the travel after being in my Covid bubble for a year and change.  So as was wound uptight. BB’s presents helped melt that away. It felt ok to be in the deep end of the technical pool with BB as the intellectual lifeguard. 

I paraphrase liberally, but he said: One of the keys to mastery of cybersecurity (and life in general) is curiosity. The hunger to know how everything works offers unique leverage. As BB put it, all tools have uses beyond their original design. What can a tool do that it was not intended to do? Ask, what would MacGyver do? For this class, that meant testing the user input fields with a tad bit of sql injection, a dash of URL manipulation, and a smidge of fuzzing.

 BB set up a great VM with Juiceshop and Burpe. He walked us through developer tools in web browsers and the functionality of Burp’s tools to examine websites and by-pass WebApps. BB made multiple rounds around the room to check on each of us individually. He never seemed rushed by the fact that we were stuffing 24-hrs worth of information into 16-hrs. I just tried to keep up as we blew through a dozen labs picking apart the vulnerabilities inherent to the system.

Something that was super valuable was that the class broke down the Top 10 OWASP list into just 3 issues. Not 10 issues. 3 issues. Aside from 1) Malicious Input, there was only: 2) Insufficient Logging and Monitoring; and 3) Sensitive Data Exposure. 80% of attacks are some form of malicious input. The other portion of OWASP is basically people shooting themselves in the foot. 

Midst all that tech talk, BB had a couple of comments about bird songs and body language that really stuck with me. 

The sound of birds chirping, that sound we find lovely and melodic, it’s actually a bird’s warning to other birds. It’s a declaration of territory. I own this tree. This is my branch. Keep your distance. BB added, that the reason humans like the sound of bird songs so much is that the sound informed our ancestors that they were safe in the woods from predators. If the birds ever went silent, if the bird song stopped, then that was a very bad sign. It meant predators were near. Big ones.

The key takeaway: you don’t need to know the whole language to decode useful information. We had no idea that the bird song was a warning to other birds, but the lack of its pattern was a warning to us about nearby threats.

Another nugget BB shared: there are 21 culturally universal emotions that can be communicated with body language. Did he say body language? Totally speaking my language. This was when we were talking about encoding information and it made me wonder about the pros and cons of language. How easily things can be misconstrued or miscommunicated. Use the wrong word in the wrong context, things can get ugly quickly. It matters what you put into the system. 

Or simply put for defenders: Input Sanitization matters. 

The first rule of apps is that they are made for people to use. There must be an interaction between the person and a program. Requests are made. Responses occur. Anywhere a user can add information into the system, and possibly poison the ecosystem, that spot is a dangerous place to be short-sighted about security.

Imagine WebApp testing as a tiger sniffing out a good place to execute an ambush. Once the tiger knows where the animals go to get water (information crossing a boundary), they have discovered a vulnerability in both the environment and the prey’s behavior that can be exploited.

It’s now a matter of just watching and learning the patterns. Lying in the tall grass, hiding in wait for the bird song to return and all the little animals think it’s safe to come out again. Or maybe tigers aren’t the best analogy, but I do like tigers a lot. And if you’ve never read Tiger, you’re missing out. 

Anyway, in my case, it means to sit and practice hacking labs taking advantage of cross-user privacy invasion; client-side controls; faulty assumptions; unlinked items; directory indexing; insecure direct object references; and redirect filters. And that was just the beginning. Did I mention, I developed a muscle tick in my right eye? 

By the end of the 2nd day, the stutter was gone. But on the 3rd day, my right eye started randomly winking closed. I think that means my left brain wasn’t completely up and running just yet.

I grabbed coffee, kept my head down, and got ready for round 2. The final 2-days of lectures included: Red Team Automation, Gamification of MITRE ATT&CK, Cracking Cloud Security, Network Defense Modeling, and Offensive Deception. 

Ever read A Scanner Darkly? The protagonist is a detective hunting a drug dealer. Spoiler: the detective discovers he is the drug dealer. Or Fight Club, in which the unnamed protagonist discovers he alter ego is a cult leader of an anti-civilization urban-guerilla terrorist organization. That’s the feeling I was getting. I was two different people. A double agent moving between the good guy and the bad guy until there was no difference between the good and the bad just knowledge, tools, and leverage. It’s not ethics, it’s actions along a barrier. There is attack and defend the barrier.

Cyber is about controlling the flow and the mastery of the space between all things. Even the space and flow between the many minds that make up our minds (A Thousand Brains Theory).

, , , ,

Tribe of Hackers

, , , ,

Tribe of Hackers, by Marcus J. Carey, collects a wide range of seasoned infosec specialists to discuss the cybersecurity world from an insider’s point of view. My favorite question out of the dozen asked is: What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture? Studying the 60-plus answers, I broke them down into three categories that resonate with the self-defense instructor in me:

  1. Invest in awareness

  2. Assume compromise 

  3. Application over theory

There are three common aspects of martial arts all around the world. The basic breakdown of martial arts is competitive (sport), performance (entertainment), and self-defense (mortal danger). Competition can teach you how to fight, but you are always learning to fight with rules. There is a ref, a set time, and a chosen place. Performance is about entertaining a crowd and displaying grace, power, and drama.

The portion of the martial art world we are concerned with here is self-defense.  The training one does for surprise attacks. Nothing fancy, first just learn to cover your groin and face. This is a very good reflex around monkeys and big cats. 

Boiled down, martial arts is situational awareness and the more time I spend studying the cybersecurity field the more I think of it as an offshoot of martial the world. Hand-to-hand and weapon-based systems each have their context for when they are useful.  I like thinking of cyber as the martial art of network conflict.

In the walk-around world, awareness often simply means understand your environment and become conscious of how you make yourself vulnerable. Predators rely on distraction and surprise. The more aware you are, the less of a target you are. Don’t make yourself more vulnerable than you have to be. How big is your threat landscape? The bigger it is, the harder it is to secure and whoever has the weakest perimeter gets eaten first.

These rules of conduct coincide with cyber defense rules, like limit employees’ access and privileges. There is no reason to increase the overall threat landscape any more than necessary. When you give someone access, you put them at risk of being exploited. Every admin privilege is a target on someone’s back. They will be hunted for their access. Actually, I’m the only one mentioning the hunting of people. Nowhere in the interviews does anybody recommend hunting people. 

According to the professionals, companies building security-minded cultures should start with the low-hanging fruit: multi-factor authentication, complex password policies, and up-to-date patches go a long way. It’s not full-proof, but covering the basics eats recon time and time is money even for criminals. The longer it takes to get inside the more likely they will move on to an easier target. No one is perfectly secure, but don’t be the only guy without a bulletproof vest in a gunfight. I’m paraphrasing of course. There was no mention of firearms nor discussions about kevlar in the interviews at all.

Investing in awareness also means understanding how your assets are vulnerable. Is it really tech that is vulnerable? Or are people vulnerable? Creating a security culture that captures the attention of employees is essential. All the fancy AI interfaces in the world (which I love) aren’t going to save you from an uninterested or emotionally distracted employee. A narrative (mission) that elicits vigilance (situational awareness) is key. Everyone is seeking a “better way” and people, in general, adopt great standards that lead to personal growth. No one actually said people seek personal growth either. I’m reading between the lines and maybe being a little idealistic, but I stand firm on the idea that people want to be heroes.

The second concept: assume compromise, also illustrates martial principles. As in, you don’t get to pick the fight you want. For companies, it means an attack isn’t an if, it’s a when. And, most likely, you aren’t going to see it coming. Predators like to hit their prey from behind, not head-on. Unfortunately, the first hint of attack is often the sight of your own data leaking out all over the internet.  Assume compromise means: “the phone call is coming from inside the house!”, so it’s best to build impact resilience into the system. A panic room, if you will. Again, I’m being a little hyperbolic, but I’m trying to paint a picture. 

For an organization, assuming compromise means exploring postures that increase opportunities to fight as you roll and recover to your feet. Remember, this is close-quarters combat. You don’t get to hold them off at arm’s length. They are already inside your defenses and a strategic counter is required. But, before you can counter, you must locate. Check the endpoints, scan the logs, find the beacons, and isolate. Get good at finding the intruder. Too much time is spent on playing wack-a-mole rather than setting honeypots and canary sensors. That’s right, I’m talking about tripwires and tiger pits.

If you have followed the basics from invest in awareness, then the pathways into the system are limited and your team is straight-up tracking the interlopers. There are only so many endpoints probable. You must be able to detect if you are to defend. Imagine Sherlock Holmes presented with Star Trek’s Kobayashi test. Model, model, model. Test, test, test. Invest in failure, because failure brings insight.  

Lastly, application over theory. As the great fist-philosopher, Mike Tyson once said, “Everybody’s got a plan until they get punched in the face.” Steps 1 & 2 have been followed. Your situational awareness is high and you’ve created not 1 or 2 plans for possible sneak attacks but a dozen. But does your plan work when it’s not your friend throwing the punches? 

Unfortunately, the only way to get comfortable with people trying to hit you is by doing such. It’s not everyone’s favorite pedagogy, but it gets results. Catch a few on the nose, and everybody covers up and starts rolling with the punches. This is another good place to point out, no one discussed punching and kicking people in the interviews.

For organizations, application over theory means regularly attacking their own systems not only internal testing but external testing. It means investing in outside consultants who can give an objective perspective. Test the process and adapt accordingly. Then, test again. This is not a static game of Battleship. The opponent is not waiting for you to come to find them. They don’t have any rules, but they do have limitations. Don’t let experience be your limitation, because experience is the key for both sides. It’s a simple calculation, if you have had more time learning to fight your way out of a corner than your opponent, chances are they make the first mistake when pressured. 

To recap and summarize the guidance from the interviews it goes something like this: 

1) Awareness = What Matters x Why it Matters 

2) Plan for the worse 

3) Test the plan objectively

I really enjoyed reading Tribe of Hackers, and I appreciate Mr. Carey putting it together. There is much more wisdom to parse through in the interviews than I have offered here and I hope my violent paraphrasing and comparison (beat a dead horse) to martial arts doesn’t diminish his efforts or their advice. Carey has other books of interviews specific to Blue Team, Red Team, and Security Leaders.

However, before diving into those, I’m headed to Reno for the Wild West Hack’n Fest. This will be the first in-person conference for me (and possibly a whole bunch of people) since Covid. It’s time for me to meet more of the tribe.

, , , ,

What Holds Us Together?

, , , ,

7 months ago I saw the world differently. 

When it came to technology, I was worried about all the wrong things. For example, is my phone listening to me? Yes. Absolutely it is. But in so many more ways other than just listening to your voice. To appropriately quote the Police, it measures “every step you take and every move you make.” Listening isn’t the issue. 

Whether or not my phone is listening to me isn’t even on my top 10 list of sci-fi-future fucked-up shit I worry about now. We live in a world with an electric heartbeat. Digital pulses and near-psychic interfaces link us instantly to each other. We are caught as much in the technological net as a fly is trapped by a web. But we are also as much on the web like the spider as caught like the fly. Complete and full immersion. Hunter and hunted. Most of us think the internet is an amusement park when it’s actually a hunting ground. IoT (Internet of Things) isn’t a luxury, it’s a hunter’s blind. And is it me or does anybody have a problem with the use of the word “Things”? “Things” sounds like the sequel to John Carpenters alien horror film (probably my favorite horror movie, ever).

Technology has made each of us more powerful and more vulnerable simultaneously. Any one of us with just a little training could create chaos with a few clicks of the keyboard. For instance, I spent last weekend on the Department of Homeland Security’s website taking classes on Infrastructure Control Systems and cyber security. ICS monitor and control systems that often require real-time info and are extremely sensitive to delay, systems in which shutdowns can be catastrophic. Think dams. Think power plants. Think runaway trains. Think nuclear centrifuges. Big stuff that needs to work really well or all the lights go off, shit explodes, glows and fragile ecosystems are destroyed.

After 6-hrs of videos and tests about the Vulnerabilities, the Risks, the Threats, the Methodologies, IT Mapping, and the Consequences of cyber security issues with ICS, I was not optimistic. Nope, I was more like, “Sweet Mother of Burning Circuits, we are in trouble!”  Don’t trust my hyperbole, check out the links below.

Water Plant Hack in Florida-Oh, Florida...

Hackers in Electric Grid-Yep, this is no joke. 

Easy Access Tools-It’s way too easy for the bad guys.

Or go read Sandworm.

But don’t worry, I got a plan to save the world.


Next up: Cyber-Sorcerer-Ninja-Detective


, , ,

Dawn of the Bot Hunter

, , ,

It’s raining and the morning sky is still dark, but the light is slowly shifting from ebony to blue. 

I’m thinking about Bladerunner as I listen to the rain. Harrison Ford narrates my near-future dystopian fantasy as a billion drops per second shower the world. I imagine each drop a malware-loaded bot, a digital armada with greater power than humanity has yet amassed but smaller than an atom, slamming against my firewall. 

Good morning, it’s a great day to hunt bots.

The information security company WhiteOps is the genesis of this daydream. Claim to fame: authenticating trillions of online interactions. The service: determine if it’s a bot or not. 

That’s what reminds me of Bladerunner, the Voight-Kampff test from Ridley Scott’s cyberpunk masterpiece. A digital detective tasked with identifying bots imitating humans. Sounds like another way of saying non-human investigations. So spooky and suspenseful, I’m definitely going to need a trench coat.

Detecting and defending against bots isn’t the future. It’s now. These bots are the new tanks and the next-generation super-cyber bombers. Consider how devastating the German u-boats were to the battles in the Atlantic. Bots are cyber-dimensional submarines exploiting the trade routes of the internet. They are electric ideas driven by algorithms with ambitions. And one of their greatest powers is passing as human.   

WhiteOps has a position open: Threat Intelligence Investigator. That sounds slick enough to me. If there is an AI that loves me, then there will be a bright and shiny circuit-badge with this gig. Just once, I want to unfold my wallet, flashing my ID, and say, “I’m Investigator Twitchell, this is my partner, we’re looking for some bots that were spotted in the neighborhood.”

I sent in a resume and cover letter a few days ago. Not just because Threat Intelligence Investigator sounds badass, it does, but also because figuring out what is human online is essential.  

If you find my words dramatic, well then don’t read this report on fraud and definitely don’t read this article on the AI-containment problem. And most definitely don’t read this one about Facebook being a Doomsday Machine with 90 million bots lurking around trying to friend the planet to death.

I hope to hear back from WhiteOps, but if not, I’m still going to hunt bots! 

And once I find them, game on. Ding ding goes the boxing-ring bell, let the match begin. In this corner hailing from 3-dimensional space fighting for humanity and weighing in at 170-pounds of bravado and hyperbole, Jay “The Bot Hunter” Twitchell. 

Well, like my grandfather used to say, “If you’re going to fight robots, you need to go to robot fighting school.” So, before my certificate of completion as a Digital Detective (artistic license with title) arrived, I was already signed up for a 4-day SOC analysis course with Black Hills Information Security taught by John Strand. 

SOC is short for Security Operations Center. It’s where the cybersecurity team responds to possible intrusions into the network. Picture a cyber-war room. Kinda like a NASA launch control room, with a two-story wall covered in screens, flashing red and green lights, maps from missile command, and graphs and dashboards keeping the score of the living and the dead. In the heat of it, sweat flowing from every brow, a dozen people furiously typing on keyboards, faces aglow in the wash of screen light, whispering battle commands into their microphones. 

SOC Analyst Level 1...gets that team’s coffee. Everybody’s got to start somewhere. As a coffee-dog and bot spotter, you let the team know about a flashing alarm and then Level 2 and 3 deal with capture, containment, and neutralization. You survey the network like a bushman on the savannah scanning for evidence of predators’ digital skat, dissecting packets, and looking for paw prints of persistent connections in silicon. 

Information security is totally hunting the hunter, spy vs spy. Just not the fast cars and jet packs, but instead SQL injections and rootkits. And If you're going to hunt down the enemy, you have to learn how to read the threat landscape and appreciate the tactics. To hunt a fox you must become a fox, yes? You need to know the methods so you can spot the signs that you are being stalked. 

John Strand is a great resource for honing cyber-safari skills. John is formerly a SANs institute instructor (15yrs) and runs BHIS, a cadre of devious cyber ruffians. 

A quick summary of the 4-day course:

There is no one product or strategy that is foolproof. Anything, given time and persistence, can be bypassed. The trick is layering the network with enough security gambits that it costs too much time and/or sets off enough alarms that an attack can be prevented or quickly resolved. The idea is to create a layered web. A spider uses more than one string to catch a fly. 

Endpoint analysis and common command-line magic tricks combined with a slew of open-source network monitoring tools and Shazam, you can respond to an incident. Right?   

Hmmm...not so fast. Even a good plan won’t help you if you aren’t used to responding to threats. There are a couple of fun quotes about this,  “Everyone has a plan until they get punched in the face.” and “No battle plan survives meeting the enemy.”

This is why you hire penetration specialest-teams like BHIS, and run attack simulations. If you can’t afford that, then attack your own system and test the defenses. Sounds like martial arts to me. Seeing as how I’ve paid professionals to beat me up most of my life, I totally get this principle. When you're getting your ass kicked isn’t the time to discover you're not ready for an ass-kicking. No one has time to think when they are getting pummeled. It takes practice to learn to roll with the punches. 

And if you're going to pay someone to cyber punch you, John and his team seem like the right kinda people. 

My takeaway from the 4 days: John is a passionate and generous instructor. The class was pay-what-you-can. So, the cost wasn’t an obstacle for the education. And I’ve rarely seen someone outside of a Pentecostal tent so evangelized about their work. It’s great to see that this field can keep a fire alive in the belly. Borders on inspiring.

My favorite quotes from the course were:

“You don’t get paid for the good days, you get paid for the bad ones.”  

and

“You don’t train until you get it right, you train until you can’t get it wrong!” 

To get your own dose of John, listen to this Darknet Diaries podcast where he shares stories about all kinds of penetration testing. One story involves his mother popping shell on a prison system. Below is the podcast and an article from Wired for the extra curious (it’s totally worth it).

Darknet Diaries - 67: The Big House (google.com)

(Darknet Diaries is my favorite podcast)

How a Hacker's Mom Broke Into a Prison—and the Warden's Computer | WIRED

I signed up for another course in March: Active Defense & Cyber Deception. I also enrolled in BHIS’s Cyber Range where you can build your cyber skills and supposedly compete for a position on the BHIS team. I also bought a t-shirt. I know it’s not quite a trench coat, but it’s a good start for the newest bot hunter on the block. Watch out, robots. I’m coming for you.


,

Sandworm

,

The Solarwind hack is all over the news. How bad is it? Hmmm. Say you’re at the grocery store and some random person walks up to you, hands you an envelope, and then walks away. You open that envelope and inside is a picture of your young child asleep at night taken from inside your child’s room. There is a timestamp at the top of the picture. According to the time and date, this picture was taken last night. Someone snuck into your house and took that picture while you were there. They could still be there. I’m simplifying things of course, but you get the picture.

Sandworm is an excellent history primer for current events. But before we chat about the present, let’s take a stroll back in time. A time just a little while ago that already feels eons past. And answer the question: why did I get into cybersecurity?

End of Summer 2020, Portland, amidst other trials, suffered from the forest fire smoke. On the radio, NPR reported the air was toxic. Those traveling from homes for necessities were specters in an ochre haze. All of us foragers under a road-rash sky. The sun a blood-orange orb dragged across heaven into the howling darkness of night where megaphones and sirens sounded across the river coming from the protests at the Federal Court House. The civil rights activism hadn’t let up for months. The news reported the feds responded with tear gas, rubber bullets, and unmarked vans snatching people off the streets.  

Things looked bleak when I started Bootcamp. And it wasn’t just Portland. Much of the world seemed on fire and headed to hell as well. Honestly, the whole planet was feeling a wee bit dystopian. I made a mental apocalyptic checklist: Global pandemic (check), financial crisis (check), social unrest (check), runaway wildfires (check), and expanding authoritarian rule (check, double-check).  

Part of me wanted to believe that things really couldn’t get worse. After a run of bad luck the world was going to get a break, right? Ummm…not likely. In fact, I felt we were actually on a break and things were going to get weirder. But I am biased.

Quick insight about me. I grew up in the South with Christian narratives of many interesting persuasions. The most mentally potent versions blended Pentecostal absolutism, evangelical exaltations, and rapture debates. Yes, there were rapture debates. As a senior In high school, I worked at a Christian radio station. My role was to review and identify possible links between biblical prophecy and international events in the news. These “threat assessments” were for a news report designed to inform those concerned with calibrating their rapture clocks. I was entrenched, mind and soul for a long time. It’s the kinda thing that sticks with you.

So, that End-Time part of my mind had the sneaky suspicion things could easily get tougher, weirder, or just plain worse. If there was anything I learned in the sweet arms of the church it was that there is always enough room to fit the devil.  

My faith was renewed by the patron saint of cyberpunk, Sir Mr. William Gibson. Since starting school, when I slept, Neuromancer danced in my dreams. Why cybersecurity? Because if I’m going to be stuck sitting on my ass in front of a screen watching the world burn and crumble, then I damn well need to figure out a way to interact rather than eating popcorn and binge-watching movies about the end of the world. Look out your window. It’s surreal for real.

How do you handle the end of the world? Get a new job, and I needed something amazing to do. Something that offered a sense of control. Maybe even a little bit of agency, Something that I can do to make my family and friends safer without buying a gun. 

With cybersecurity, I imagined, I could punch people on the other side of the planet with a digital fist. It was/is energizing to be in school again. Juiced! My brain feels like it’s on steroids. The metaphor is literal. When I flip open my laptop it feels like I am going to train at the martial arts school. I mean you are learning how to fight with a keyboard. Dare I say Kung-fu Console training.

Anyway, it felt like the world was getting kicked around and I could hear the ghost of 80’s heroes calling to me. In the back of my head, the opening phrase to the Last Starfighter video game was looping: “Greetings, Starfighter. You have been recruited by the Star League to defend the frontier against Xur and the Ko-Dan armada.” (My wife thinks I should mention this to my therapist). I know I’m not really saving the world. But who knows, their time left yet.

To expand my understanding of the cyber-landscape in which I dream of doing battle I read Sandworm

The title is from Frank Herbert’s Dune. Dune is a science fiction novel from the late 1950’s.  I studied the book as part of a focus on messiah narratives in science fiction. Loved it. David Lynch made a movie of Dune in the 80’s and a remake is scheduled next year by Denis Villeneuve (directed Arrival and 2049, the Blade Runner sequel).  

Sandworm references the leviathan worms that rule the desert planet known as Dune. And for our cyber history purposes, it represents a group that is responsible for possibly the most costly cyberattack to date.

Sandworm is riveting. Who are the good guys and bad guys? It’s murky. But one thing is for sure, nerds rule the world now. Maybe they have ever since Oppenheimer, but these nerds aren’t splitting atoms, they are creating code, combining with python, and developing whole new paradigms without making people evaporate inside of nuclear clouds

This first is a story of nations hacking nations. From there it gets complicated fast. A couple of disclaimers about the book. If you are paranoid at all, do not read this book. If you have a hard time getting to sleep because you wonder about government and shadow governments, do not read this book. If you wanna have a whole bunch of reasons why you should learn as much about cybersecurity as possible, do read this book. Your country may need you.

Let’s look at the broad strokes: 

1) In general, it would appear every nation is spying on every other nation as much as they (or we) can get away with. Anyone who has the power to listen is. Some nations are doing more than just listening, they are analyzing and influencing. But honestly (sarcasm),  most of this shouldn’t bother us since we signed away our privacy by using social media. Oops. No judgment, I’m included on that list.

2) Now little guys, countries with tiny little armies, who could never win a toe-to-toe can get digital leverage by hiring or training a few hundred evil nerds to hack. You don’t need all the overhead anymore when you can create an army of a trillion bots made out of people’s smart fridges. A revolution with crushed ice.

3) Arguably the most immediate danger is industrial sabotage, causing catastrophic failure to highly sensitive and critical structures. Like, say, power grids. There has been evidence of intrusion into these systems for some time, well before Solarwind.  No one has made a move but everyone is wondering who is going to push the button first.

4) The US government has a plethora of smart people working for them (probably the smartest people ever assembled in history) and, historically speaking, they/we might have a little “Han Solo shot first” issue as far as technological warfare goes. It all depends on how you look at it. 

5) Spoiler: Russia is Sandworm and has been (and probably still is) digitally terrorizing Ukraine. Ukraine is target practice for destabilizing the EU.

Ukraine is where Sandworm cut its digital teeth, but they were just breadsticks before the buffet. Now with the Solarwind breach, Russia is done looking at the menu and ready to order the all-you-can-eat-data-plan meal.  In this particular case we are really worried they have seen all our secret recipes and now can they make better-fired chicken than we can. That would be my no jargon way of describing it.

Not to worry though, Russia isn’t trying to make better chicken/take over the world. Running a world is way too difficult. They just want to cripple all global authority structures and do backstrokes in a wave-pool of political chaos. 

5) There are many private players who hold the proverbial Firewall. Every day hacker is keeping an eye on the electrical-wire of things and companies with good hearts and good intentions trying to protect us physically and digitally. And then there are mercenaries and institutions that are actively disrupting and disturbing the minds and hearts of citizens around the world with an array of hacking methods.

6) It is very difficult to tell who is doing what.

7) Basically, world war has already broken out and is being fought online. It’s a battle for data that every nation and corporation in the world is playing. Make no mistake, this isn’t a game. It is war, just a new kind. Fewer bullets, but lives are still on the line. When you shut down the electricity to a hospital, people die (particularly in the middle of a pandemic). Unlike past wars fought for territory and material resources, this war is all about controlling information and obscuring perception. 

To win this war, you don’t need to defeat your adversary, you just need to distract and confuse them. Erode trust, destroy certainty, and you nurtures unrest. Why is unrest the goal? It’s a whole lot easier to sneak in and rob a bank (or a government) when the cops are busy dealing with protesters outside.  

Next, enough government nation-states, it’s time for the hacktivist. It’s time for you to discover the Cult of the Dead Cow.