Desktop version

Home arrow Engineering arrow The dark side of technology


Hacking and security

Software and security are written by individuals working in small teams. For most products, they have target dates by which to deliver and, in a competitive industrial market, the aim is to finish rapidly. If their efforts appear to work, then inevitably they move on to the next project. Rarely will everything they planned be 100 per cent successful, either because they made errors, or the customers want items in the package that they had not considered or included. This is obvious, as with most software packages there are regular updates and replacement versions. The mentality of such software programmers is that they are trying to create, not destroy, therefore by instinct they are not the best placed to consider all possible loopholes and weaknesses in security. This produces a running battle: when security is breached, a solution has to be found. Sometimes systems can run for 20 years before a weakness is noticed and exploited, and this is particularly problematic as it is unlikely that the original programmers will still be functioning in that role, or that they would remember the details of their approach. It may even be that advances in computational power have allowed a weakness to be exploited that was not feasible in the original plan. A perfect security defence is therefore a nice ideal, but totally unrealistic.

Looking at major hacking events reported to the public merely shows that defences of major companies and government agencies are equally viable targets for those who are skilled and determined. In terms of espionage and political disruption, the major nations are all actively operating at the criminal end of hackers (perhaps they believe they are justified in terms of national security). Their efforts may not merely be to gain knowledge, but to sow items of disinformation, change details in documents of other nations or companies, or cause damage and destruction. For example, a software bug introduced into the operation of a Middle Eastern centrifuge used to separate uranium isotopes destroyed the units and set back the programme of developing nuclear power (and possibly weapons). Whilst no nation claimed responsibility, unofficial reports suggest that the attack was organized by maybe half a dozen programmers working for a few months (i.e. a very minor-scale activity).

A 2014 example of access to a Sony Pictures studio main computer indicated the scale of the problems that can occur. The studio was due to release a controversial film comedy about North Korea, and this triggered a politically motivated attack at a more sophisticated level than might have been expected by the industry. After copying the data, the malware destroyed the servers and computers, and wiped them clean, apparently with relative ease. For many companies this could mean total destruction, but it indicates just how vulnerable major industries are, and how little defence exists for individual users. It is probably a reasonable assumption that government computer hackers were involved, and equally that many governments have gained access to computer networks of other nations. The only difference is that in most cases the intruders are likely to be sitting as passive listeners, rather that exposing their electronic moles. The listener approach means they have access to planning and, in the event of a conflict, can then destroy enemy communications from within. The spying methods are more subtle than the Big Brother scenario of 1984 but more intrusive than could have been imagined at the time of writing it, since the events were set 30 years in the future, before the potential of computers and electronic communications had been appreciated.

An example of a very simple politically driven intrusion into our electronic communications was made at the end of 2015, when a concerted attack was made with a modest number of automatically dialling smartphones. The activity spike this generated was some ten times greater than all the other Internet traffic. Overloading specific targets has also been noted on numerous occasions, both before and since that example. The real concern here is that such actions may only be practice exercises prior to a wider-scale attempt to cause the Internet to crash from a general overload.

I have also read that modern missile guidance systems are now so complex that the entire control chip is often fabricated in one country, which need not be the one that plans to include it in their missiles. The opportunity to have software sleeping in the chip that could redirect the missile if it were used against a target friendly to the chip maker is all too obvious to me. The situation seems remarkable, if true. However, the precedent of a NATO country selling missiles to South America, without changing the technology that informs radar signals it is a NATO missile, caused considerable damage to a NATO power when the missiles were used against them (i.e. they assumed it was not targeted at them). So the later missile coding story is also feasible.

Understanding the technology one is using is absolutely essential. A related missile example occurred during the use of a guided missile attack. The problem appears to have been that the satnav coordinates were set for the enemy target, but the operator did not notice a low- battery warning on the device. The voltage fell lower and the technology of the missile then automatically reset the coordinates to the local site. Once the delivery system was activated, it then accurately exploded at the new location, and destroyed the command post.

Found a mistake? Please highlight the word and press Shift + Enter  
< Prev   CONTENTS   Next >

Related topics