The release of The Girl in the Spider’s Web marks a new era for the Millennium Series, which details the exploits of the badass hacker Lisbeth Salander.
Originated by Swede Stieg Larsson, these novels have thrived in their ability to draw readers into a world where the injustices of the powerful are exposed and stifled thanks to the heroine’s super hacking powers. There’s no doubt this formula was successful, as more than 80 million copies of the original trilogy have been sold worldwide. But the vividness of the unconventional characters and the thrill of the drama were not matched by the authenticity of the author’s depiction of the realities of cyber security.
Salander was often depicted pulling off plausible cyber attacks but in completely implausible ways.
That was supposed to change for the latest episode. Author David Lagercrantz — the first author to take over the Millennium series since Larsson’s 2005 death — decided to do something different: get the hacking right.
Lagercrantz consulted a computer security expert with experience compromising high-level systems. The goal was to present realistic hacks in a way average viewers can understand intuitively. This challenge was heightened by making the United States’ National Security Agency one of Salander’s targets.
So can “The Girl” finally be called a real hacker?
Our Cyber Security Advisor Erka Koivunen dug into the novel to give us his read on the technical details and then allowed us to ask him a few questions about what made sense, what didn’t and what would have made this book a cyber classic.
Could Lisbeth’s hack of “NSANet” actually happen?
Lisbeth is nuts enough to try to hack the NSA and she takes huge risks of getting caught. She appears to be bright, skilled and focused enough to succeed. At least she got in and got material out. Did she go unnoticed? No!
She herself acknowledges that she is making OpSec mistakes — but still decides to plow ahead. The mistakes she makes are not necessarily enough to stop her in her tracks, but they definitely help trace the attacks to her physical location, and connect her online credentials with her real identity. She is reckless enough to not care, which I find human. Amateurish, but human.
The attacking methods described in the book appear to follow the basic Kill Chain model of a targeted attack. She did her due diligence in the form of identifying weak points and possible attack vectors. She did enough fuzzing, testing and debugging to find a previously undetected vulnerability, i.e. a zero day. Good for her. Nothing really remarkable there, but clearly shows some dedication and ability to focus on the objective. She weaponized her tools not only to succeed in getting in but also to evade some of the burglar alarms. She naturally only could guess what kind of detection systems the NSA would employ in their networks. But yes, this shows that she is methodical and experienced.
How about when she got into the network? Did she behave like a pro?
Lisbeth also experienced the same confusion that every attacker faces when they eventually get in and start charting the new territory inside the network. She was moving laterally and making inventory of the material available to her. She also took a deliberate risk when she exfiltrated some of the material that she needed to get her hands on. The book never describes how she was able to identify the really interesting stuff out of huge volumes of secrets NSA possesses (there is a mention of keyword searches, however…) and how she was able to fly under the radar for so long (unless all the detection tools that “NSANet” administrators claimed to have been deployed were, in fact, disabled…).
I admit that for the sake of narrative, it was probably not interesting to dive deep into the exact techniques. However, while the book makes a brave attempt to cater for us geeks in terms of dropping tool names, attack techniques and following a plausible attack chain, it sorely misses credibility in the trickiest parts of the attacks: how to succeed to proceed and stay unnoticed in unfamiliar territory.
Showing true tradecraft in that field would have elevated the book into an epic must-read in the genre of hacker literature alongside William Gibson’s Neuromancer, This Machine Kills Secrets by Andy Greenberg, Mark Bowden’s Worm, and Ghost Fleet by P.W. Singer and August Cole. The TV hit Mr. Robot also appears to have realism in terms of hacking. And everything that has come out from NSA’s ANT division catalogues is fascinating to read, even if it doesn’t strictly fall under the category of literature. 🙂
Speaking of staying undetected…
For some reason Lisbeth decided — once inside the NSANet — to start showing off and play games with the folks at NSA. Interactively. She really *is* nuts. A real hacker would have scripted some kind of “gotcha” message once a way out had already been secured and traces of the visit had been carefully cleaned off the systems.
How about her attempts to cloak her activities?
The book details how Lisbeth has tried to hide the true attack origins by utilizing a foreign mobile phone data subscription. There is also a faint mention that she has taken other measures to ensure that her endpoints are not traced back to her identity or location.
However, she realizes that she makes an OpSec fail by staying at her own flat, served by a Telenor mobile base station. She also appears to treat her flat as a safe house, counting on the fact that no one knows she lives there. In real life, her address would have been a waving red flag not only to law enforcement officials and SIGINT organizations but also to the criminals seeking to find out where “Wasp” directs her operations.
There are also many references to encrypted communications tools for mobile phones. While these tools definitely provide communications secrecy they also show up on a SIGINT radar like a sore thumb. This is reflected in the book — the hackers were closely monitoring Millennium and were reading its information systems like an open book. Until they started — on Lisbeth’s orders — to retrofit more secure systems in place. For an eavesdropper, it was clear that something was up – even if they weren’t able to read the contents. (Metadata is strong on this one!) It is the same story that the old HUMINT officers tell from Cold War times: imminent military attacks were believed to be (and often were) preceded by staff staying up late (with the intelligence headquarters office lights lit up) and ordering pizza out from the nearby restaurants.
How about the novel’s depiction of data deletion?
The book suggests that Frans deleted his life work by removing a single large file on his laptop. The laptop was then stolen by the gangsters who were not able to recover the file. Yet they saw that the file was missing.
The book tells us the laptop contained the only copy of the secret. No backups? Anywhere?
Deleting secrets is difficult. There is a consensus that there is no sure way other than to physically destroy all the devices that ever contained the material. And yet, Frans simply pressed delete. Maybe he was using a secure delete that would overwrite the stuff several times with random nonsense. Maybe. Everyone who has ever attempted that would know that it takes ages and requires preparations other than simply pressing delete.
Furthermore, the laptop was obviously connected to the Internet as the AI grid was accessible over the net. It cannot have been an impossible task to obtain a copy of the secret prior to the killing. Given that Frans was one of the most sought-after persons in cyber security, his laptop would have been an easy target. The secret was sitting in a file system of the laptop instead of on a tamper-resistant detached storage unit.
Are there any glaring examples of amateurish cyber skills?
What can I say about the gangsters? It looks like they were booting up the professor’s stolen laptop and sifting through the file system. Hardly a professional way of conducting forensics when what you are looking for is the world’s only instance of a super-secret file that you are in a hurry to salvage before the author of that file decides to destroy it.
How would you stop Lisbeth if you were the NSA or a similar organization?
In the case of Bradley Manning and SIPRNet, most of the security controls designed to either prevent or reveal attempts to search for, acquire and exfiltrate sensitive information were turned off. This in a global network storing material classified up to SECRET. In Edward Snowden’s case there were supposed to be controls in place to limit the users’ ability to elevate privilege and conduct any privileged operations once elevated. Except that at least in the Hawaii facility there weren’t, which Snowden knew well as he was one of the privileged admins. This in a global system storing material up to (and beyond?) TOP SECRET!
So, if even the best, brightest and most well-resourced organizations that should know (and do know) better fail, is there a way to stop Lisbeth?
Our auditors tell us they have never failed to get through the security controls. They may face obstacles here and there but there is always an unpatched system or poorly configured service that is exposed enough for the attacker to take advantage of for malicious purposes.
Whenever you design your defenses against a particular kind of attack scenario, the attacker will seek to find a way around that. You may be – as a defender – in a position to write a rulebook. Don’t be, however, surprised to find that the attacker will cheat.
So, stopping, identifying and catching a lone renegade with an attitude should be doable, no matter how bright she is. She might get in, but you will find traces of what happened (or is about to happen) if you harden your network and care to look for signs of intrusions, or anomalies in lack of warning sirens blasting off.
What then if the attacker throws whole teams of HUMINT and SIGINT specialists with a multi-year project plan, vast budgets and sci-fi tools at your business? What if they already have “owned” your cloud provider, your upstream ISP, your IT integrator and your business partners? And what if you have failed to set up or enforce even the basic security controls?
What’s left? Luck.