For the past decade, I have had this notion that there must be a Cybersecurity Canon: a list of must-read books where the content is timeless, genuinely represents an aspect of the community that is true and precise and that, if not read, leaves a hole in cybersecurity professional’s education. I’ll be presenting on this topic at RSA 2014, and between now and then, I’d like to discuss a few of my early candidates for inclusion. I love a good argument, so feel free to let me know what you think.
Trojan Horse (2012) by Mark Russinovich
Like “Zero Day,” another Mark Russinovich novel I recently reviewed for the Cybersecurity Canon, “Trojan Horse” is a book I’d recommend for casual readers. Cybersecurity professionals won’t learn anything new here, but all readers might enjoy wallowing around in a Tom Clancy-esque story with cybersecurity tech as the main focus.
The story picks up two years after “Zero Day” ended. Main character Daryl is now out of government service and working with her better half, Jeff, in his consulting firm. Jeff gets called in to track down a nasty piece of Malcode that changed the contents of an important UN document regarding the Iranian nuclear program prior to publication. Daryl comes in to assist and the two of them discover that the Chinese are behind the UN attacks. Their investigation leads them to stumble upon the Chinese attempting to deliver a STUXNET Eradicator tool to the Iranians.
STUXNET is the infamous Malcode that the west launched against Iran to prevent the nation from building an atomic bomb. (Earlier in the Cybersecurity Canon series, I looked at “Confront and Conceal,” a nonfiction book dealing specifically with this topic.) In “Trojan Horse,” Spy-vs-Spy-type hijinks ensue and our two heroes find themselves in all sorts of threatening physical situations from Chinese agents and their Muslim proxies. You know, all in a typical day for a geek.
That’s what I like about Mr. Russinovich. He throws a lot of ingredients into the pot, applies heat and stirs vigorously. While readers watch all of these things collide with each other, they also get a good history lesson on some recent cybersecurity issues and learn about some interesting hacks, some we have seen in the real world and others we have not seen but given the current cybersecurity landscape are quite possible.
Recent Cybersecurity History
To sober the audience up a bit, Russinovich talks about the 2009 hacks against unmanned drones in the Middle East. Iraqi insurgents were able to capture video feeds from flying Predators by repurposing a $30 Russian software package called SkyGrabber that was originally intended to snatch music and videos that others are downloading.
Russinovich explains how the Chinese stole the plans for the Pentagon’s $300 billion Joint Strike Fighter jet by hacking into military systems. He also helpfully describes the forces involved in the Chinese Cyber Warfare program, specifically how there are three hacker contingents in the country — the Patriotic Hackers, the Militia and the PLA – and how none report to the same leader.
Russinovich also attempts to describe how STUXNET represents that first real-world example of Cyber Warfare. If you believe David Sanger in “Confront and Cocneal,” the US and Israel have demonstrated that cyber warfare is a viable middle ground option when it comes to diplomacy between sanctions on the one side and bombing and/or occupation on the other.
Just for fun, Russinovich talks about how Jeff and Daryl track down a Malcode author because the hacker placed his home address in the code. This sounds crazy, but this is something that actually happened in the real world. At a TED Talk in 2011, Mikko Hypponen described that very thing.
Russinovich packs a lot of realistic tech into this story. He needles the anti-virus industry for being behind on discoveries of new malware, explains what a keylogger is and then explains how a nation state in the story uses keyloggers to compromise UN officials.
He also talks about the long-standing cyber philosophy of Responsible Disclosure, in which it is fine for researchers to discover vulnerabilities in commercial software but they should not go public with that information until the vendor has had time to fix it. He also talks about how that practice is losing ground to the lucrative market for selling these kinds of things to governments and independent contractors willing to pay large sums of money for just the right Zero Day.
One of the most interesting things in “Trojan Horse” is that Russinovich has devised a scary new piece of Malcode that, if it existed in the real world, would be a spy’s dream come true. The Malcode in question is smart about how its victim operates. It knows that the victim writes position papers using the Microsoft Word program. In this case, a United Nations official is writing disparaging remarks about Iran’s nuclear program. Once the official saves the final draft, he cryptographically signs the document before he sends it to the intended recipient.
Signing the document like that guarantees the integrity of the file. When the receiver opens the document and verifies the signature, the receiver knows that the document he is reading is the same one that the sender gave him. But therein lies the rub. The Malcode understands that process and inserts itself into the seam. After the author saves the document but before he cryptographically signs it, the Malcode alters the document to say something that the Malcode author wants to be said.
I have not seen a piece of Malcode that does this in the real world, but it could be done. Russinovich even gives the Malcode the same “Call Home” design that the famous Conficker Worm used; essentially, generate thousands of random DNS names and systematically try each at random intervals. The Malcode author would place his command and control server at one of those names in the list of a thousand; kind of like hiding in the noise.
“Trojan Horse” is another fun romp in the political thriller genre that places cybersecurity geeks up front as the heroes. I don’t know that I’d call it a must-read for the cybersecurity professional, but it sure is a fun one.