SARAH FERGUSON, PRESENTER: Hello and welcome to Four Corners. As
you watch this program you may be multi screening with your mobile, tablet or
laptop - and if not you'll almost certainly have one of those devices within
reach... Australians are famous for embracing technology, we own more than 70
million internet connected devices. And every one of them is vulnerable to
being hacked. Tonight we'll take you into the world of computer hacking to show
you how weak our cyber defences are against attacks from criminals on our
personal information and at government level international sabotage. Linton Besser's investigation looks at the secretive operations of
the government's cyber warfare fightback... but his story begins at the
hackers' version of the Olympic Games...
KATIE MOUSSOURIS, CYBER SECURITY RESEARCHER: It's the hottest
that it could be in the United States this week, in Vegas. It's a huge party in
the desert. Literally this town, Vegas, is taken over for pretty much the
entire week by hackers.
PROFESSOR DAVID BRUMLEY, DIRECTOR CYLAB SECURITY AND PRIVACY
INSTITUTE: I think cyber security is a bit like, you know, what we call here in
the US the Wild West. It's really a bunch of independent gun-slingers.
LINTON BESSER, REPORTER: At the height of summer ... tens of
thousands of the world's top hackers have converged on Las Vegas.
GRAND CYBER CHALLENGE ANNOUNCER: What is the Cyber Grand
Challenge? It is the world's first all machine hacking tournament.
LINTON BESSER: These hackers are here to learn new ways to
attack computer networks ... in order to protect them.
KATIE MOUSSOURIS: Hacking is a crime in most countries um
however there are- there are folks who call themselves ah, ethical hackers or
white hat hackers etc and these are folks I- I like
to describe as good people who know how to do bad things um, so you- you know,
you wouldn't consider a ah, locksmith to be a burglar,
but a locksmith knows how to pick locks um, hackers who come to these
conferences and learn how to pick digital locks are essentially the same, same
idea.
DEF CON VOLUNTEER: Track one on your left, track two on your
right, track three all the way down to the end of the hall.
LINTON BESSER: I'm here at one of the world's biggest hacking
conferences in Las Vegas. Everyone has told me to make sure my Bluetooth and Wifi are turned off ... because phones here are routinely
hacked. I'm going to go and check it out.
DEF CON ANNOUNCER: The prize today is $15 per judge...
LINTON BESSER: In a world of internet-connected devices...almost
everything is vulnerable to hacking ... from drones ... to fridges ... even
cars.
CAR HACKING VOLUNTEER: They found you could wirelessly get into
a vehicle. It took them a year and a half to be able to do that research and be
able to figure out that they could get in that car...
LINTON BESSER: Despite the warnings ... a few people at the
conference used wifi to go online ...their logins and
passwords were plucked from mid-air and put on public display. They call it the
Wall of Sheep ... because most of us have been blindly led to trust technology.
DAVID BRUMLEY: I think, I mean obviously technology is
penetrating more and more of our lives. My computer is of course something I
want to protect, but my car is also running a computer. So we look at cyber
security from the traditional my laptop level, to the personal level - I want
to protect my memories, to really the safety critical, such as cars, vehicles
and airplanes. And it's just a growing domain. We should all be thinking about
it.
GRAND CYBER CHALLENGE ANNOUNCER: I'd like to introduce everyone,
to a special part of the Grand Cyber Challenge...
LINTON BESSER: There are so many hackers that have poured into
Las Vegas for the DEF CON conference ... but there's only a few at the cutting
edge.
DAVID BRUMLEY: So here in Vegas we have, you know, over 10,000
people at DEFCON. But if you really want to know who the elite are, you have to
go into a backroom in DEFCON and there you're going to find, you know, about a
dozen teams playing against each other, no more than a hundred people. And
these are really the world's cyber elite. So many people think, you know,
there's this many hackers in the world, but really there's this many who are
really making a difference day to day.
LINTON BESSER: Teams of the best hackers from around the world
are pitting their skills against each other.
LUKE HARRISON, AUSTRALIAN HACKER: The aim is to break into other
people's services in order to capture the flag. We also get to patch ours, so
to fix the vulnerabilities in ours while also trying to hack into theirs.
LINTON BESSER: They're all trying to crack the codes that drive
each other's computers.
DAVID BRUMLEY: I think like in any field if you're not following
the trends, if you're not looking to the future, you're going to be behind. And
if in cyber you're putting your head in the sand, you're going to be a victim.
People are going to come after you.
LINTON BESSER: Challenges like these draw out skills that are
highly sought-after ... including by the government.
KATIE MOUSSOURIS: The US government you know, basically said
we're in you know just like everyone else on the internet we're being attacked,
we are- our methods of securing everything have not been adequate, we need to
reach out to the- the private industry and find out what industry best practices
are working for them, and actually create more programs that can rapidly bring
in the best and the brightest.
ASH CARTER, UNITED STATES SECRETARY OF DEFENCE: It's great to be
here this afternoon with a few of the dedicated people who defend our networks,
everyday, as well as some of the technologists and
hackers who have contributed to our defence mission by taking part in Hack the
Pentagon.
LINTON BESSER: These are the winners of a Department of Defence
competition ... their challenge was to hack the US military's headquarters at
the Pentagon.
KATIE MOUSSOURIS: That was the very first time that the United
States government allowed people to hack them legally and also ah, paid money
to them, the Secretary of Defence congratulated these hackers, handed them
challenge coins. Basically wanted to talk to them because he's- he's in a
position where he's realised that we can't actually recruit through the normal
methods anymore. We have to reach out to this population and we have to make it
something where they are welcome in places like the Pentagon.
GENERAL MICHAEL HAYDEN, FORMER HEAD NSA / CIA: Let me be very,
very candid, alright? I was a Director of the National Security Agency here in
America, the American equivalent o-of ASD, right? The last 15 years have been
the golden age of electronic surveillance.
LINTON BESSER: Michael Hayden has been the head of both the
Central Intelligence Agency and the National Security Agency in the United
States. He staffed the US Government's elite cyber unit from the ranks of the
hacking community.
MICHAEL HAYDEN: The most sophisticated office at the National
Security Agency is TAO, Tailored Access Operations. It's our, it's our hackers,
it's our cyber espionage folks, alright? We began to rapidly expand that while
I was director, about 2002, alright? We were bringing in a whole
bunch of very young people and we were taking those young people because they
had the talent, and we were putting on- putting them on our most sensitive
operational activities.
LINTON BESSER: In his youth, Kevin Mitnick
was one of the United States' most infamous hackers. He spent years hacking
major corporations including Nokia and Motorola ... until the FBI caught up
with him.
KEVIN MITNICK, HACKER: Eventually I pushed the envelope so far
that I ended up in federal prison for five years and in fact one year was in
solitary confinement because a federal prosecutor told a judge that not only do
they have to hold me in prison, because I'm such a danger to national security,
but they have to keep me away from the phone and the judge was like a little
bit confused, like why? And the prosecutor went on to say that if we let Mr Mitnick near a phone he could, whistle into the phone and
launch an ICBM.
LINTON BESSER: Today Kevin Mitnick is
a cyber security adviser to top companies. We met him in Melbourne. He says we
don't realise how vulnerable we all are. He's about to demonstrate just how
easy it is to hack into my bank account. In this alleyway he's just set up a
fake wifi network.
KEVIN MITNICK: So Linton's sitting over there think he's really
connecting to Telstra air C3. But what he doesn't know is that he's connecting
to my fake access point. And what we're gonna do is
we're going to take over his computer.
LINTON BESSER: As soon as I logged into it ... he was able to
record all of my keystrokes - including my banking password.
KEVIN MITNICK: And then what I'm gonna
be able to do is steal his passwords, and I'm gonna
be able to inject fake updates, so when he installs them we gain full control
of his computer system. And he'll never know the better. Back when I started at
hacking you didn't have the tools that you have today. Basically you had to
develop your own exploits, systems were not as secure, the reason being there
was a much lower level of security awareness. But now we fast forward to today
and you have tonnes of tools that a high school- a junior high schooler could
download and use to exploit systems.
LINTON BESSER: A similar wifi scam was
behind a fraud shown on this CCTV footage from inside a Westpac branch in
Sydney. It was recorded in December 2014 ... and shows two men setting up a
bank account. In fact, they're members of a criminal syndicate ... and the
account was opened with a stolen identity.
ARTHUR KATSOGIANNIS, NSW POLICE FRAUD & CYBERCRIME
COMMANDER: So that's both of them there, actually producing these false drivers license, which is pretty good high quality
LINTON BESSER: The syndicate they're working for had obtained
people's personal details after they hacked their phones through a free wifi network.
ARTHUR KATSOGIANNIS: They were able to convince the bank they
were the actual legitimate account holder
LINTON BESSER: NSW Police Detective Superintendent Arthur Katsogiannis oversaw the strike force that busted open the
crime ring.
ARTHUR KATSOGIANNIS: That's a good shot of them, shows you how
calm they are. Some of the techniques and methodology used by this particular
criminal syndicate are the use of um malicious software which is ah placed on a
person's computer to take their personal details and account details. They then
port the individual's phone without the victim's knowing to bypass the two
factor verification and then they recruit mules, most of them are international
students or foreign, who go to the banks, open up fraudulent bank accounts
there, take the identity of the victim, then withdraw all their money over a
period of days. It's as simple as that.
LINTON BESSER: The police have arrested almost 50 people in
connection with the crime ... after they stole more than $6 million.
ARTHUR KATSOGIANNIS: Cybercrime poses one of the greatest
challenges to law enforcement this century. No longer do we have that
individual who carries a firearm and wears a balaclava to disguise their
identity. It's a lot more profitable and a lot easier for someone to pick up a
laptop, sit in the comfort of their lounge room behind the anonymity of the
internet and take the bank for millions of dollars.
ALASTAIR MACGIBBON, SPECIAL ADVISOR TO THE PRIME MINISTER, CYBER
SECURITY: Criminals recognised cyber was a great frontier at the very early
2000s, so they've been going at this for 13 or 14 years. What they've realised
with cyber is the cost of entry is very low, the likelihood of getting caught
is still low and they only need to steal a small amount from lots of people to
aggregate a large amount of money.
MICHAEL HAYDEN: Here's what's happened over the past 10 or 15
years. All of us, myself included, businesses, governments, we've taken things
that we at least would keep in a desk drawer or a wallet, sometimes even in a
safe, and we've decided to put them in our phones or to put them in something
called the cloud. And I think we did it indifferent to the dangers we were
creating for ourselves by putting our precious information, where it was
personal or governmental, in locations that were not nearly as safe as they
were when we kept them in the physical domain.
LINTON BESSER: What many computer users don't know is that any
device linked to the internet is potentially vulnerable. A few weeks ago Four
Corners located a website that identified thousands of private hard-drives that
are connected to the web. About 400 of these are owned by businesses and
individuals in Australia. But the vast majority of them are not secure and are
sitting open on the internet. Here ... I'm looking at the files owned by one
man in north-west Sydney ...I can see all of the files in his hard-drive ...
from insurance documents ... to information about his business clients. Hullo
Matthew, it's Linton Besser from Four Corners, how
are you? We contacted the owner of the hard-drive, Matthew Edwards ... who is a
telecommunications engineer. Ok, we'll jump in the car and see you shortly.
Cheers. So this is the home office here?
MATTHEW EDWARDS, BUSINESS OWNER: Yes, absolutely.
LINTON BESSER: Matthew Edwards was disturbed by what we told him
about the hard-drive he was using to store his information. So when we
contacted you Matthew, what went through your mind?
MATTHEW EDWARDS: I wasn't very happy. I was unbelievable,
initially I thought, I was thinking this has gotta be
some sort of a scam.
LINTON BESSER: What kind of sensitive information was stored on
here ...
MATTHEW EDWARDS: My personal data, as I said it's my, initially
it's all the quotations, I've just been doing and I'm starting a new business,
I didn't want that out
TIM WELLSMORE, FORMER MANAGER, AUSTRALIAN CYBER SECURITY CENTRE
2013 - 2016: It shows how simple it can be to enable the cyber security threat
and by putting infrastructure or computers in your home without giving any
thought to the cyber security threat.
LINTON BESSER: And they've been horrified when we've called
them, I mean they've had no idea.
TIM WELLSMORE: Yeah unfortunately it's the power of what the
internet can enable is great for business and great for enterprise,
unfortunately it's equally as good for the bad guys. Ok so we've got the
attacker one. He came through here. This is obviously the first campaign, came
through and created an incident.
LINTON BESSER: Former Australian government cyber security
official Tim Wellsmore, says it's not just
individuals whose secrets are vulnerable to others. In fact governments and
businesses in Australia are attacked and compromised all the time. Hacking happens
so often there is a marketplace in the dark corners of the internet where
access to hacked computer servers is bought and sold.
TIM WELLSMORE: We also had another victim, and the first
compromise occurred on this system. You could buy one of those compromised
servers for anywhere between five to ten to twenty dollars depending on on where it was and what type of system it was.
LINTON BESSER: I mean that's just staggering isn't it?
TIM WELLSMORE: It's a market driven economy unfortunately. To me
it shows, it's starting to show that the threat really is everywhere. That the
price of of a compromised system of five dollars
probably just shows you exactly how far down the road we are of the cyber
security story.
LINTON BESSER: This year security firm Kaspersky released a
report which said a huge volume of computer servers around the world had been
hacked ... their logins and passwords put up for sale online. Kaspersky then
published a separate list identifying 170,000 computers which may also be
suspect, including thousands in Australia owned by companies, local councils,
law firms and schools. Computers like these can be used to launch what's called
'denial of service' attacks ... where a website is flooded by artificial
traffic, much like jamming a switchboard.
TIM WELLSMORE: There's a there's a lot of computers for sale on
the dark web that have actually been hacked and compromised and are sitting
there waiting to be used for attacks. That marketplace exists and there's quite
a strong marketplace because for these attacks to occur, they don't want to use
their own computers to launch them, they want to use somebody else's that
doesn't look like an attacker and unfortunately there are there are thousands
of these servers or computers out there for sale um that can be used for these
attacks.
DAVID KALISCH, HEAD STATISTICIAN ABS: I would like to firstly
apologise again to the inconvenience that has been caused for many Australians.
LINTON BESSER: Australian institutions have shown themselves to
be woefully unprepared for even basic cyber security threats. The recent Census debacle was a case in
point.
DAVID KALISCH: The ABS took the early prudent precaution of
taking the system down around 7:45pm last night to be assured of the integrity
of the data.
LINTON BESSER: Facing a low-level denial of service attack ...
by an unidentified attacker ... the ABS panicked and took the Census off-line
...
ALASTAIR MACGIBBON: That attack the denial of service attack
easily predictable and certainly was not of a scale or sophistication that
should have caused any significant problems. That combined with a series of
events, at least as we know them at the moment, that end on end led to the ABS
taking the site down, should have been predicted and prevented.
LINTON BESSER: Alastair MacGibbon is
the Prime Minister's cyber security adviser. His job is to roll out an
ambitious cyber security strategy designed to protect Australia from the
growing threats online.
ALASTAIR MACGIBBON: The Commonwealth Government takes these
matters very seriously. The launch of the Cyber Security Strategy in April is
the start of what I would say is the next wave of cyber security capabilities
in this country. A step change.
MALCOLM TURNBULL, AUSTRALIAN PRIME MINISTER: Well good morning
and thank you very much Jennifer. My friends the internet is the most
transformative piece of infrastructure ever created...
LINTON BESSER: When the Prime Minister launched the strategy in
April... he made an extraordinary admission.
MALCOLM TURNBULL: The Bureau of Meteorology suffered a
significant cyber intrusion which was first discovered early last year ...'
LINTON BESSER: It was the first time there was official
acknowledgement that a critical Australian Government agency had been
penetrated by a sophisticated cyber attack. The
government didn't say it publicly, but intelligence sources have confirmed to
Four Corners that China was behind the attack ... something Beijing continues
to deny. Four Corners has been told that China's true
targets may have been the Australian Geospatial Intelligence Organisation ...
which provides satellite imagery for sensitive defence operations... and a
high-tech radar system operated by the Air Force.
ALASTAIR MACGIBBON: I would say to you that people who
compromise systems will usually try to find a way to move laterally through it.
If that means through a third party that's what they'll try to do.
LINTON BESSER: And is that the case we saw with the Bureau?
ALASTAIR MACGIBBON: I don't know. I don't know what the
intention of the people that compromised the system was
TIM WELLSMORE: There is a lot of assets in the Australian
government that would be of interest to China and other Nation State actors
specifically why the why the Bureau of Meteorology or as you as you speculated
the AGO was actually ah was a target, there's obviously some sensitive
intelligence information within some of these organisations that would
obviously be to give advantage to other to other
nations to understand those.
MICHAEL HAYDEN: Australia and the United States and other
friendly similar nations around the world ah need to protect their data,
because what you just described to my mind fits the definition of legitimate
state espionage. And look, we have every right to complain about espionage. We
criminalise it when our own citizens do it, of course, alright? But it is what
adult nation states do to one another.
ALASTAIR MACGIBBON: It would seem appropriate the nation states
would be interested in the defence science area and of course the defence
science area is aware of needing to keep itself secure. The Australian
Government knows it needs to protect these things, it knows it can't ever be
static in how it does those things and will continue to strive to stay ahead of
whatever the threat environment is.
LINTON BESSER: It's here at the Australian Signals Directorate
... that the work of protecting vital national assets is done. But what really
troubles people like Alastair MacGibbon ... is when
other countries use their powers against individuals and businesses.
ALASTAIR MACGIBBON: We believe in a free and open internet. And
that means that you don't use those types of, in a way calling it weaponised
capability against other people's intellectual property or to their economic
wellbeing.
LINTON BESSER: But this is something that China has been doing
over and again against businesses in Australia for some time isn't it?
ALASTAIR MACGIBBON: It's not useful for us to talk about any
particular nation states.
LINTON BESSER: Newsat was once
Australia's biggest specialist satellite company until it was sold off last
year. It carried sensitive communications for resources companies, as well as
the military. But its jewel was a 5-tonne state of the art satellite called
Jabiru 1 which it promised to launch over Asia. The company's former IT manager
Daryl Peter said the Lockheed Martin-designed satellite made it a target for
Chinese spies.
DARYL PETER, IT Manager NewSat 2012 -
2014: Their ambitious plan to build a satellite and of course the confidential
design plans for it make it a very attractive target. There are certain
countries where they may not have those available so getting those confidential
designs would be very beneficial for them.
LINTON BESSER: In a meeting called by the Australian Signals
Directorate, Daryl Peter was told the company had been seriously infiltrated by
foreign hackers.
DARYL PETER: They'd been inside our network for a long period,
so maybe about two years. And the way it was described to us was they're so
deep inside our network it's like we had someone sitting over our shoulder for
anything we did. Newsat had been hacked. And not just
by teenagers in the basement or anything like that. Whoever was hacking us was
very well-funded, very professional, very serious hackers.
LINTON BESSER: Newsat's former chief
financial officer Michael Hewins said the company's
IT staff were told Newsat's computers had been so
compromised they would not be allowed to launch the satellite until major
changes were made.
MICHAEL HEWINS, CHIEF FINANCIAL OFFICER NEWSAT 2011 - 2014: They
were told something of the order of, I'm not sure if it's a direct quote, but
that we were a joke, that we hadn't taken seriously what we'd been told and
that our network was as far as they could see the most corrupted they'd seen.
Period.
DARYL PETER: They actually said to us that we were the worst.
Which was, given the organisation it is, it was very scary for me of course
because all the government organisations that of course sometimes do get
hacked, for a small company like Newsat to be the
worst they'd seen, it made me feel like fixing that would be quite an issue.
MICHAEL HEWINS: The process was pretty nerve wracking what was
going on because every day was something you were finding out. It's one of
those things, you know, you can't see the problem and suddenly you open the
door and you go, oh my God, it's like Pandora's Box.
LINTON BESSER: As Daryl Peter investigated - with the assistance
of Australia's cyber spy agency - it became clear to him who was behind the
attack.
DARYL PETER: With the more specialised security tools that we
had we were able to determine the location of the attacks and the majority of
them were coming from China.
LINTON BESSER: And what did ASD say about all of that?
DARYL PETER: They thought that of course it was all very
interesting but it wasn't too surprising.
LINTON BESSER: Why not surprising?
DARYL PETER: China tend to target more government organisations
or organisations in that space there's been a number of publicised hacks by
China.
MICHAEL HAYDEN: Where I'm really concerned and where I think
Australians should be really concerned is the Chinese not attacking the
Australian government or the American government; our governments should be
able to defend themselves. Again, not shame on China, shame on us if they steal
our secrets. It's a really unfair fight though if a nation state like China
attacks private enterprise in Australia again not for legitimate state
espionage purposes, but for industrial and commercial advantage.
DARYL PETER: Given we were up against China, state-sponsored, a
lot of money behind them and resources, and we were only a very small IT team,
it certainly wasn't a fair fight for us, I mean we didn't have any specialised
security skills
LINTON BESSER: One of the cyber world's foremost experts,
Washington-based Dmitri Alperovitch, says Australia
has not done enough to warn industry about online threats.
DMITRI ALPEROVITCH, COMPUTER SECURITY INDUSTRY EXECUTIVE: The
reality is that the Australian government is very well aware of these
activities but they have not really come out and publicly acknowledged it, they
have not done a good job in my opinion educating the public about this threat
and ah, as a result there's a sense of complacency often times amongst industry
because they don't appreciate that even in Australia you can be targeted and
China happens to be your biggest trading partner, there's a lot of reasons why
wo- they would be hacking into your industry, to try to steal intellectual
property, try to get a advantage in trade
negotiations and it's happening very very often and
ah, very little is being done about it.
ALASTAIR MACGIBBON: You must remember it was only in April this
year that the Prime Minister announced the compromises of the Bureau of
Meteorology and of the Parliament House network. They are pretty remarkably big
steps forward in what was otherwise a very very
closed community. You have to give us some time as we work through what can be
said, how it can be said to increase the level of engagement.
LINTON BESSER: In April Dmitri Alperovitch's
firm got a call from the US Democratic Party ... concerned their computer
networks may have been hacked. His staff found something alarming.
DMITRI ALPEROVITCH: He said basically take a look at this, this
is very interesting. I started looking at the evidence and realised right away
that there's complete certainty in what we're seeing. We found ah a couple of
big whales here and ah, it's a, actors that we affiliate with the Russian
Intelligence Services and ah, one of them specifically with the GRU, the
Military Intelligence Agency of Russia.
LINTON BESSER: What they discovered was a spying campaign
against a major US political party. The last time there was a major bugging
operation that targeted the US Democrats was in 1972, when the Watergate
building behind me was broken into. Now in 2016 the Democrats have been
infiltrated again.
HILLARY CLINTON, DEMOCRATIC NOMINEE: The Russians and according
to the reporting who did this hacking were, it's most likely in the employment
of the Russian government
JUANITA PHILLIPS, ABC NEWSREADER: The Democrats are in disarray
after a damaging email leak
LINTON BESSER: Three months after the hack was discovered ...
embarrassing internal emails from within the US Democrats turned up on WikiLeaks and led to the resignation of two senior party
officials.
DEBBIE WASSERMAN SCHULTZ, SENIOR DEMOCRAT OFFICIAL: Good morning
Florida, alright everybody now settle down.
MICHAEL HAYDEN: If this were done by the Russian security
services, and I think there's a body of evidence that that's probably true, I'm
not so sure that the inner workings of a powerful American political party is an illegitimate target for Russian espionage, alright? So
let me just make that very clear. Now, what really makes this interesting is
that it appears the Russians didn't stop at espionage. They've taken the
information, and here's a phrase I would like to share with you, they've
weaponised the data made it public through WikiLeaks, in order to do something
with the American political process. That's really interesting. That's really
new.
LINTON BESSER: It is the United States however - not Russia -
that's been blamed for the most destructive cyber weapon to have ever been
deployed. Stuxnet was a highly dangerous piece of
code launched a decade ago against Iran's nuclear enrichment program. By
secretly causing the centrifuges at the Natanz
facility to spin out of control... hundreds were destroyed before their
operators knew anything was wrong.
KEVIN MITNICK: Well, well Stuxnet was
a piece of malicious code ah, allegedly developed by the United States in co-
in cooperation with Israel. A piece of- of government malware that was
targeting the Iranian centrifuges. The impact was damage, physical damage from
that attack.
LINTON BESSER: Stuxnet marked the
beginning of the cyber wars of the future.
JILL SLAY, DIRECTOR AUSTRALIAN CENTRE FOR CYBER SECURITY: Some
of the literature claims this is the fir- first real documented evidence of
cyber warfare. People will claim that was cyber warfare. So once you have an
example um it can be replicated. Other people will copy it.
MICHAEL HAYDEN: A nation state, had just used a weapon comprised
of ones and zeros during a time of peace to destroy what another nation could
only describe as critical infrastructure. Now, even I with my background
looking upon th-the destruction as an unalloyed good,
even I recognise that's a really big deal. That, I've used the phrase in the
past, um that's a legion crossing the Rubicon. Now th-that's
a legion on the other side of the river now. That's the first time that's ever
happened in human history, and our species doesn't have a history of putting
such weapons back into the sheath after they've been used once.
LINTON BESSER: Just for the record General Hayden, was Stuxnet an operation of the US Government?
MICHAEL HAYDEN: What I say to those kinds of questions is, given
my background, it would be irresponsible of somebody with my background to even
speculate as to who may have been up to that.
LINTON BESSER: Cyber weapons like Stuxnet
rely on software flaws or vulnerabilities that hackers use to get into
sensitive systems. They're known, in the jargon of the hacking world, as zero
day exploits.
KEVIN MITNICK: A zero day is a vulnerability that has been
identified ah, that nobody knows about, right. Maybe another researcher could
have stumbled across the same security flaw, but a zero day is something that
hasn't been reported to the manufacturer be it, Microsoft, Apple, Cisco or any
of the major manufacturers out there and then it allows the attacker to
continually leverage that zero day to compromise systems.
TIM WELLSMORE: A zero-day is one of those um vulnerabilities
that have been discovered but haven't been haven't been disclosed to the public
or to the software developer. So therefore it can be used in a weaponised sense
to actually then to be used to attack that system and and
gain a foothold on that system. Zero-days um are common place in in this type
of industry and and they're obviously um quite are
valuable assets.
LINTON BESSER: Incredibly ... there are people who buy and sell
zero-day exploits to companies and governments across the world. The trade in
software vulnerabilities is actually a pretty murky marketplace with many of
the transactions happening underground. Some
say it's the arms race of the 21st Century but it's one where no-one really
knows who's buying these exploits and what they're buying them for.
TIM WELLSMORE: I've seen some prices on the internet which are
quite significant. You know you can pay sometimes in the hundreds of thousands
of dollars, over a million dollars. I don't know if people actually pay those
prices, but I've certainly seen them o-seen them on the internet and on the
dark net, um so obviously if if it's a market demand
and and that's the price they're putting on them
somebody must be paying for them.
LINTON BESSER: This company Zerodium
publishes its price list for zero-day exploits online ... Those which allow you
to hack into an Apple iOS system - used by iPhones - are worth half-a-million
dollars.
KEVIN MITNICK: Basically what a zero day
broker does is when researchers find vulnerabilities in systems that haven't
been reported what they do is they broker a deal between the individual that
found it and a party, usually a government agency that need- that wants to
purchase it.
LINTON BESSER: High-profile hacker Kevin Mitnick
is one of these brokers but he doesn't want to talk about it.
LINTON BESSER: I noticed on your website you said you sell them
to countries and corporations.
KEVIN MITNICK: I can't discuss it sorry.
LINTON BESSER: How can you be certain you know who you're
selling them to?
KEVIN MITNICK: I can't discuss the program.
LINTON BESSER: Can you sit here today and say you're 100 per
cent confident that nothing you have sold has gone into the wrong hands?
KEVIN MITNICK: I could say I'm a 100 per cent confident that I
can't discuss the program with you.
MALCOLM TURNBULL: Now while cyber security measures sit at the
forefront of our response to cyber threats, defensive measures may not always
be adequate.
LINTON BESSER: It was only a few months ago that the public was
told - for the first time - that Australia was in the business of cyber
warfare.
MALCOLM TURNBULL: An offensive cyber capability, housed in the
Australian Signals Directorate, provides another option for Government to respond.
LINTON BESSER: This offensive cyber capability includes
developing zero day exploits to be used against overseas targets by Australia's
electronic spy agency.
ALASTAIR MACGIBBON: In terms of offensive capabilities, they
would be very very specific and very very tailored activities. We're not talking mass
vulnerability that will infect all of us and that the Australian government
sits on. That would be improper, isn't done and nor should it be done.
DMITRI ALPEROVITCH: Just like any country, um ah, any advanced
country we have to assume that um, they're developing capabilities in order to
both defend themselves and take offensive actions should it be needed in
cyberspace. Really most modern countries now are treating cyberspace as another
military domain in addition to land, air and sea.
CYBER TRAINER: OK, let's start looking at these targets, what
have we got?
RED TEAM ATTACKER: Two targets, the water tower and the power
station.
LINTON BESSER: To prepare for the cyber domain ... this is where
Australia's 21st century soldiers train... a secure facility at the Australian
Defence Force Academy in Canberra.
RED TEAM ATTACKER: Initiating scan...scan complete, chopping
across the database.
CYBER TRAINER: So we've got some options on that first host,
let's start there, Pete that first host on the perimeter, OK, let's try and get
into that, ok so once we've got this foothold, I want you to do a scan on the
DMZ for the pivot, so let's start that scan again
RED TEAM ATTACKER: Initiating scan
CYBER TRAINER: Let's get into it
LINTON BESSER: Two rival teams are competing ... one's on attack
... trying to turn off the power across this imaginary city ... The other team
is trying to defend the city.
RED TEAM ATTACKER: Target one is offline
CYBER TRAINER: Good job, keep watching it ok exploit...ok, take
out the power grid...Ok Red Team power is going down, what I want you to look
at now, do as much damage as you can, we probably don't have very long until we
get kicked out...ok we're starting to lose this one.
JILL SLAY: We're teaching them how to defend um critical
infrastructure networks and we actually teach them what the bad guys might do
in offensive warfare against us so that when they go to work they will be able
to recognise an attack and and to do something about
it.
RED TEAM ATTACKER: The tower should be overflowing.
CYBER TRAINER: Good job Pete
LINTON BESSER: The red team manages to flood the water tower ...
and take out the power grid ...
CYBER TRAINER: Ok that's it, we're out. Good work guys.
LINTON BESSER: It's not as far-fetched as it might seem ... in
December last year ... a major power outage in western Ukraine ...
was attributed to a cyber attack launched from
Russia.
MICHAEL HAYDEN: In the industrial age, okay, electrical power
grids were all always considered a legitimate military target alright? So in
WWII we bombed and destroyed the electrical infrastructure of our enemies. Now
we have the ability through a cyber attack to just
shut the grid down.
ALASTAIR MACGIBBON: We've certainly seen essential utilities
targeted in other parts of the world, successfully so. So we'd be churlish to
think that that couldn't happen in Australia. I would say that the Australian
Government and working with our allies offshore has invested in helping educate
the owners of critical infrastructure in how to secure these industrial control
systems to reduce the likelihood of things going wrong. Given the size of the
networks, given the scale of the networks, and the ever-changing nature of
them, it's a bit like the harbour bridge, you start painting at one end and by
the time you finish you start painting again.
LINTON BESSER: In Las Vegas the hacking conference came to a
dramatic close with a major milestone in the evolution of cyber security.
CYBER GRAND CHALLENGE COMMENTATOR: Alright, Welcome everyone to
the first ever, fully automated, cyber security, automated competition, the
Cyber Grand Challenge.
LINTON BESSER: Sponsored by the US Department of Defence a major
new hacking competition has redefined the landscape again.
CYBER GRAND CHALLENGE COMMENTATOR: The winning team will take
home the top prize of two million dollars, we now have seven finalists who will
compete here today using automated systems designed to hunt for vulnerabilities
and search for weaknesses on competitors systems
LINTON BESSER: This team of developers has designed an
artificial intelligence that could take cyber warfare to new levels. It's
called Mayhem.
DAVID BRUMLEY: Right now a lot of the computer security
mechanisms we have are really about a person on a keyboard, and that's just too
slow. So they put out a Grand Challenge - can we have a fully automated attack
and defence system? And that's what this week is about. That's what this
challenge is about, can we build fully automatic robot computers that can hack
and defend against being hacked?
CYBER GRAND CHALLENGE COMMENTATOR: Let's see what's going on
here with the rest of the game.
CYBER GRAND CHALLENGE CO COMMENTATOR: It looks like again, it's
still a very close game
CYBER GRAND CHALLENGE COMMENTATOR: Alright so, Mayhem and Rubeus
are battling for the lead.
LINTON BESSER: These machines on stage are firing off cyber attacks against each other - and they're doing it
without any humans involved.
CYBER GRAND CHALLENGE CO COMMENTATOR: Score board seven, we will
actually see Mayhem overtake Rubeus to take first place.
CYBER GRAND CHALLENGE COMMENTATOR: Alright, let's see scoreboard
seven!
CYBER GRAND CHALLENGE ORGANISER: And now the winner of the Cyber
Grand Challenge, ForAllSecure and their bot Mayhem!
LINTON BESSER: Technology has brought us together in new ways
... but it's exposing us to dangers we're only beginning to see.
KATIE MOUSSOURIS: Well, the internet was never designed to
actually be secure right, so, we're fighting- we're fighting an almost
untenable problem space. We're realising that we've created so much technology,
we've created technology faster than we have the ability to secure it as human
beings.
SARAH FERGUSON: The Chinese government - through its Embassy in
Canberra - has denied it was behind the cyber attacks
in Australia, describing the allegations as nothing but false cliché. Next week...a special program from the BBC - inside
the Battle for Britain - how the Brexit campaign was won. See you then.
END