A spotter’s guide to cyber spies

The first recorded cyber hack was in 1986, but there’s certainly been a fair few since then. Clifford Stoll, an astronomer at the Lawrence Berkeley National Laboratory in California, couldn’t understand why there was a 75 cent difference between two sets of digital accounts. In trying to unravel this mystery, he eventually discovered that Dutch hackers were being paid by the KBG to steal from the lab’s computers.

“That was 30 years ago, and very little has changed,” said Chris Ensor, the deputy director for the National Technical Authority for Information Assurance at GCHQ, Britain’s communications intelligence agency.  Speaking in Bristol on the third day of Civil Service Live, he explained that while computing has vastly improved, the underlying principles of cyber-hacking are the same as they were back then.

In the first stage of a cyber-attack, the hacker hunts for a weakness in your IT. “They’re looking for holes,” be that in your software, hardware or connection.

“Once they find a potential way in, they’re thinking about delivery,” he continued. “I can connect to your computer and start using your computer without you knowing – by sending an email, PDF, word document or spreadsheet, and inside that document there’s a way of exploiting a particular vulnerability in your system.” Indeed, “you may be pulling your hair out if you haven’t got USB access at work, but the reason you haven’t is because that’s a way of getting into your system.”

In the exploitation phase, hackers seek to duplicate and exploit your ability to control and access information – so they lay the groundwork by deploying software that collects your passwords when you enter them. And if it gets to that stage, it’s very difficult to spot, because viruses can use your own passwords to turn spyware or anti-virus software off, preventing detection. As the private sector has found out to its cost, the aim is often to steal intellectual property.

Given these risks, it’s crucial that officials install updates and “patches” designed to plug vulnerabilities. There is a booming black market in selling data about software’s weaknesses, Ensor noted: a hacker can earn up to $250,000 for information about a single hole in a piece of Apple software, for example. The key vulnerabilities used to be in operating systems, but in these days of auto-updating software, cyber-hackers are more likely to seek entry through applications instead.

Simple tips can often help, Ensor noted. For example, don’t use administrator accounts for day-to-day use, and instead set up a user account with limited powers – then, “if you’re compromised as a user, [a hacker is] limited on what [they] can do.”

The day on which a software vulnerability is first found by a hacker, when it remains unknown to the rest of the world, is called a “zero day”, Ensor explained. “If you read about Stuxnet, for example – the thing that allegedly went out to stop Iranian [nuclear] enrichment – there were about four zero days, which is gold dust.” This time is so valuable because “nobody knows about them, there are no patches for them, so you can do a huge amount of things in a zero day.”

It’s crucial, therefore, to keep software constantly updated – but some government IT contracts have prevented this. In some cases, Ensor said, the original procurement teams mandated the precise version of a browser that must be used by a department, preventing vital upgrades. Departments are now using contract breaks to change this, he added.

It’s vital to prevent information being stolen, Ensor argued, because these days “information is all-powerful”. Indeed, critical infrastructure is so IT-dependent and so interconnected – taking down the telecoms network could take down the electricity network, and visa versa – that our vulnerabilities are as broad as they are deep. The principles of cyber-hacking may not have changed much since the late 1980s, but the work of preventing them is becoming ever more important.