Differing Perspectives on Cyber Threats
Ransomware is a hot topic pretty much all the time in information security circles. It is (I believe) one of the stronger drivers for better security decisions at companies (“here is public proof that failure is an existential threat”). Ransomware is also pretty uninspiring as an attack: there is no flashy 0day or clever new technique. It’s turning on disk encryption and then charging $300 for the password. Wow. Cool story bro. Despite the importance of the ransomware threat, actual attacks have to be pretty novel to crack the jaded cynical shell and pique the interest of the infosec community. Just such an attack occurred.
The city of Johannesburg (known locally as Jo’burg, or Jozi) was hacked and a load of secret confidential data was exfiltrated (another day another shell, yawn.) The hackers are holding the city to ransom (it’s not likely they can sell the minutes from a municipal roadworks meeting on the black market.) Unless their demand for a ransom of 4 BTC (worth between $29k and $36k USD in the last 24 hours) is met, the hackers threaten to release the confidential data to the public.
The facts of the attack are not all that interesting. Ransoms against cities and organisations are nothing new. Yet somehow this story managed to kick off a long debate on Twitter about the future of ransomware and monetizing compromised computers. It’s worth having a read if you’re curious what infosec people think. But I’m actually more interested in what the discussion revealed about how we think about infosec.
Different disciplines bring their own POV.
The post that started the discussion. The longest (and most interesting) thread was Dr Green discussing ransomware theory.
Neither Dr Green nor I am speaking “off the cuff” here. Both of us have written about ransomware before:
The question: why does ransomware work?
We ask two cyber security experts to waste their weekend on Twitter. Here are the results!
Ransomware uses blackmail to recruit an agent to act in the interests of the hacker. Ransomware turns “hacking a bank account” from a cyber security problem into a human factors problem. The victim complies with the demands of the hacker. The agent acts on behalf of the principal, following their commands. No need to hack bank security, just tell the agent to send money.
Clearly, the interesting thing here is the shift to human factors, and the power dynamics of the relationship. The blackmail step is just an implementation detail.
I look at a situation and pare it down to power dynamics, and find parallel dynamics in other human endeavours (like espionage).
Dr Matthew Green (but, like, not a real doctor.)
Ransomware works because the mechanics of the situation allow for verification of both players cooperating or defecting. The integrity of the process is cryptographically ensured, and empirically verifiable. The risks of defection are known to both sides who can then make informed choices.
- Victim defects: loses data, saves money
- Victim cooperates:
  - Hacker defects: victim loses money, loses data
  - Hacker cooperates: victim loses money, saves data
This is a unique property of the ransomware system based on the technical details of the implementation.
For the victim, in the worst case the hacker defecting just adds a single further loss: the money. This makes ransomware a relatively risk-free transaction because most of the downside is already locked in; paying carries a chance of one more, smaller, loss or of complete success.
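To make that payoff structure concrete, here is an added worked example (mine, not code from the original post or from Dr Green’s thread) that encodes the four outcomes above as a small decision model and derives the point at which paying becomes the rational choice for the victim. The data value, the ransom amount (roughly the USD value of the 4 BTC demand quoted earlier) and the victim’s estimate that the hacker will honour the deal are all constructed assumptions.

```python
"""Decision model for the ransomware payoff structure described above.

Added example. The monetary figures and probabilities are assumptions
chosen for illustration, not data from the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RansomCase:
    data_value: float  # what the encrypted data is worth to the victim (assumed)
    ransom: float      # the demand; ~30k USD approximates the 4 BTC figure (assumed)
    p_honour: float    # victim's estimate that the hacker hands over the key (assumed)


def outcome(victim_pays: bool, hacker_honours: bool, case: RansomCase):
    """Return (money_lost, data_lost) for one cell of the payoff matrix.

    The cells are the bullets above:
      victim defects              -> (0, data_value)
      victim pays, hacker defects -> (ransom, data_value)
      victim pays, hacker honours -> (ransom, 0)
    """
    if not victim_pays:
        return (0.0, case.data_value)
    if hacker_honours:
        return (case.ransom, 0.0)
    return (case.ransom, case.data_value)


def expected_loss(case: RansomCase, pay: bool) -> float:
    """Victim's expected total loss for a choice, weighting the hacker's move by p_honour."""
    if not pay:
        money, data = outcome(False, False, case)
        return money + data
    m_h, d_h = outcome(True, True, case)
    m_d, d_d = outcome(True, False, case)
    return case.p_honour * (m_h + d_h) + (1 - case.p_honour) * (m_d + d_d)


def worst_case_loss(case: RansomCase, pay: bool) -> float:
    """The 'downside already locked in' point: the worst cell for a given choice."""
    money, data = outcome(pay, False, case)
    return money + data


def break_even_probability(case: RansomCase) -> float:
    """Paying is rational only if p_honour exceeds ransom / data_value.

    Derivation: pay iff ransom + (1 - p) * V < V  <=>  ransom < p * V  <=>  p > ransom / V.
    """
    return case.ransom / case.data_value


def should_pay(case: RansomCase) -> bool:
    """Victim's informed choice: pay when the expected loss from paying is strictly lower."""
    return expected_loss(case, pay=True) < expected_loss(case, pay=False)


def attacker_revenue(ransom: float, n_victims: int, honours: bool,
                     pay_rate_if_honest: float, pay_rate_if_cheat: float) -> float:
    """Hacker's side of the same calculation over a run of victims.

    Assumption: because outcomes are empirically verifiable, future victims learn
    whether this crew honours deals, so the pay rate depends on that track record.
    Defecting wins a single round but costs the rate on every later round.
    """
    rate = pay_rate_if_honest if honours else pay_rate_if_cheat
    return ransom * n_victims * rate


if __name__ == "__main__":
    case = RansomCase(data_value=200_000, ransom=30_000, p_honour=0.8)  # constructed
    print("expected loss if paying:", expected_loss(case, pay=True))
    print("expected loss if refusing:", expected_loss(case, pay=False))
    print("pay?", should_pay(case), "break-even p_honour:", break_even_probability(case))
    print("hacker, 100 victims, honest:", attacker_revenue(30_000, 100, True, 0.6, 0.05))
    print("hacker, 100 victims, cheats:", attacker_revenue(30_000, 100, False, 0.6, 0.05))
```

The break-even line is the whole argument in one inequality: with the assumed figures a victim only needs to believe there is better than a 15% chance of getting the key back for paying to be the lower-expected-loss option, which is why the downside feels “locked in”. The pay rates passed to `attacker_revenue` are likewise assumptions; change them to see how much reputation is worth to the hacker.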
Other schemes would face different challenges and lack the simplicity of the ransomware solution.
- Easy to implement for an attacker against a generic target.
- Easy to manage for a victim.
These properties probably wouldn’t exist in other attacks.
Who is right?
That is the wrong question. (Although, obviously, I am.)
There is truth in both perspectives. But more interesting than either argument on its merits, is how different disciplines of information security analyze the problem. We both seek to determine what is important, but we use different metrics and toolkits to make that evaluation. I find that really fascinating.
Why this matters:
The takeaway is that if you ask two infosec people the same question they will say: “it depends”, and then each proceed to provide multiple different answers. Cyber security is a bundle of very hard problems. It is the rare exception when there is just one comprehensive “Correct Solution.”