#cyberwars: Harry Potter and the army of hackers (or why hackers are wizards, of a sort)

Cyber Wars book cover This is the second of a series of posts about my book Cyber Wars, published May 2018 in the UK and in the US, which investigates hacking incidents such as the Sony Pictures hack, the TalkTalk hack, ransomware, the Mirai IoT botnet. It looks at how the people in those organisations responded to the hacks – and takes a look at what future hacks might look like. (The first was on phishing.)

Hermione alohomora

When I’m giving presentations about Cyber Wars, I often include this picture in a slide. It shows the character Hermione Granger in one of the Harry Potter films opening a door by saying the spell “Alohomora”. Hacking, I explain, is the search for the spell that will open the door. Not a physical door, generally, but the “door” into the target computer so that you can make it do what you want.

I think that the resemblances go deeper, though. The wizards in the Harry Potter novels are all hackers, in one way or another: they’re using their skills to make something that doesn’t ordinarily happen (levitating feathers, say) occur.

Like hackers, they range in ability, from the most basic “script kiddies” following instructions handed down by their seniors – basically, the classrooms where the first-years learn to incant “wingardium leviosa!” – to the people working at the limits of what’s known, good or bad: think Voldemort and his groundbreaking approach to not dying, or Dumbledore and his research (pre-Hogwarts, I think?) into various types of magic.

Mother and father of invention (and wizards)

This might seem like an overcooked metaphor to you, but there’s an important question in the Harry Potter universe which isn’t directly answered in the books.

It’s this: where do spells come from? And the related question: can you invent new ones? This relates to hackers, because if wizards can invent new spells, then they’re exactly like hackers, who are always searching for new ways to break into stuff – think Heartbleed, Meltdown, Spectre, Shellshock – even as they rely on older tried and trusted methods, such as SQLi and buffer overflows, the “Alohomora” and “Accio!” of the hacking world.

JK Rowling never deals with the question of where spells come from in the books. But this doesn’t mean that she hasn’t left clues or that we can’t tease out the truth about it. Rowling famously plotted everything in great detail, but just as she doesn’t deal with where spells come from, she doesn’t deal with what makes a wizard, well, wizardy.

When it comes to wizardry, it’s evident from the way the capability passes through families, and sometimes drops out of families (as in the case of the Hogwarts caretaker Filch, a non-wizard born to wizarding parents who describes himself as a “squib”), or pops up in non-wizarding families (as with Hermione, born to non-wizarding parents) that it is genetic. Inevitably, there’s been a paper written about this, suggesting it’s autosomal dominant; squibs are from double recessives, and wizards born to Muggles from spontaneous mutations. (Autosomal dominant characteristics are usually described for their bad characteristics – Huntington’s disease, for example. Wizards might differ.)

Cast a spell

So let’s move on to spells. We know that there are lots and lots of spells; the children are taught them, at tedious length. It’s clear too that some adults have access to levels of skill in applying spells that the children can’t perceive; think of the fight (best shown in the film) between Voldemort and Dumbledore in the Ministry of Magic, which for my money is the best sequence of all the films.

But crucially, in Harry Potter and the Half-Blood Prince, we learn that spells can be improved upon. Harry comes across an old textbook for his Potions class which has handwritten notes about how to make various potions; they improve on what’s in the book, demonstrating that you can do better than what past wizards do. Harry then discovers a spell in it that he’s never seen before: a fighting curse, “sectumsempra” (which, if it were Latin, would mean “always cut”), which he later employs to almost lethal effect. When he subsequently tries to use it on a fleeing adult, his attempt is deflected – and the adult sneers at him: “you dare use my own spells against me?”

There’s your proof: in the Harry Potter universe, wizards can indeed invent their own spells. The potential is literally unlimited, bounded only by what they can imagine and find to do. That is, spells are not the same as, say, laws of physics or chemical elements. Spells are human – well, wizard – creations rather than natural phenomena.

In this way, Harry Potter wizarding is exactly like hacking. There, people try to find new ways to get computers to do stuff that nobody had expected. You mean that when you demand more data from the input buffer of a TLS server, it gets read and sent back? Sure – that’s Heartbleed, which seems to have been discovered at least three and possibly four times, if you include the two final times that led to its public disclosure. (One of those pre-discoverers is thought to be the US National Security Agency.) Who would have thought to ask that? Who would have thought to try “sectumsempra” as a fighting curse? (In the book, it says that different versions of the word have been written and crossed out before the final one is left. Which leaves you wondering how the previous versions were tested.) Trial and error plays a huge part in hacking too: trying combinations, trying different things, guessing, intuiting. And if you’re lucky or talented or both, you’ll get results.

(image from Wikipedia)

Butterbeer and layer cake

We can also see that the Potter world is striated rather like the hacking world. At the base level, you have the script kiddies (OK, spell kiddies): carrying out commands without really knowing quite how they work, but pleased with the effect.

Then there are the professionals: people who are using these techniques to get things done, and will occasionally invent their own methods to get around limitations that block them. For the most part, though, it’s the careful refinement of existing processes – think of all those people in the Ministry of Magic doing magic gruntwork. Think too of the commercial hackers rewriting a piece of ransomware to take account of the new defences put up against them.

At a higher level still you have those who are using more sophisticated versions of these skills for personal and political ends. Of course we’re back with Dumbledore and Voldemort. What doesn’t vary, though, is the general requirement to explore the capabilities of the systems involved, and in that you’re talking about the same sort of approach. Creating a Horcrux to defeat your enemies? Developing a virus that will wipe every computer on your target’s network once you’ve exfiltrated all their email, spreadsheets and a number of unreleased films? Pretty much the same process: a certain amount of education, knowledge, research, non-live testing, and then implementation.

One point about this metaphor is that we’re used to thinking of Harry Potter and his ilk as the good guys, the white hats, the nice ones. This is true enough if you think that most wannabe hackers go on to be “white hat” players, defending systems from attack from the Hogwarts first-years. (It’s also disconcerting if you take this approach, because a significant number of systems are hacked by people whose hacking skills are comparable with Neville Longbottom rather than Hermione’s.) When you think of Potter creating “Dumbledore’s Army” in “Order of the Phoenix”, just recast it as a password-protected online hacker forum where a bunch of script kiddies are trading methods to break into commercial systems.

When thinking about real-world hackers, it’s useful to consider that some people are very highly skilled – wizards, almost – and that their ability to use the hacker equivalent of the Imperius spell to subvert systems you thought you could rely on means you might not even realise that they’re inside. Certainly that was the experience recently of Dixons Carphone, which in June said that it had discovered that hackers had been inside its systems since the previous July. Eleven months? That’s pretty dramatic, and embarrassing for those who were meant to be guarding the perimeter, and the inside.

One could go on extending this metaphor: Azkaban prison is like any old prison. The Dementors are the plain old law enforcement, taking away your soul – well, computer – and leaving you as good as dead. House-elves are perhaps Internet of Things devices (which would explain why they occasionally cease obeying us altogether when a hacker comes along and gives them different instructions). Other suggestions of metaphor extensions – for dragons, goblins, and other members of that universe – are welcome.

And meanwhile, although there isn’t any discussion of Harry Potter and hacking in my book, there is plenty about hacking topics. See the links at the top.

#cyberwars: why and how you get phished, and how not to get phished

Cyberwars small This is the first of a series of posts illustrating points from my book Cyber Wars, published May 3 2018 in the UK (and a couple of weeks later in the US), which investigates hacking incidents such as the Sony Pictures hack, the TalkTalk hack, ransomware, the Mirai IoT botnet. It looks at how the people in those organisations responded to the hacks – and takes a look at what future hacks might look like.

Another Monday morning, and an email drops into my inbox.

Screenshot 2018 04 30 10 48 38

Well. That looks serious, doesn’t it? They’ve got my name correct. But you can see (especially on this version, the desktop one) that lots of things are wrong about this email.

Let’s enumerate them:
• the To: address is incorrect (clearly it reached me via a Bcc: address)
• the Google logo is all wrong: the characters are bunched up, rather than evenly spaced. (When I looked at the source code of the email, it turns out this was done in CSS, rather than an image. Designers will commiserate at the kerning failure.)
• the first sentence doesn’t make sense and isn’t grammatical and contains misspellings
• Second sentence capitalises “Email”, which isn’t standard spelling
• Third sentence ends with a comma rather than a full stop
• Fourth sentence (in red) doesn’t quite show what you need to do
• Fifth sentence spells “receive” wrongly, and ends with a comma
• Sixth sentence is stilted and lacks a full stop.

Not hate mail, fake mail

Overall, there are all sorts of indications that this is a fake email. It’s phishing: the obvious aim is to get people to reply to it, after which – one can predict – the phishers will respond by sending an email with a link to a page telling the victim to log in. It will be a fake Gmail login page, and once that’s done, they’ll be able to get control of the victim’s email (and lock them out by changing the password), and from there probably any account, possibly including their bank and other utilities. Any account whose password recovery, or password system, passes through that Gmail is going to be compromised.

You might look at that email and laugh, thinking it’s obvious that it’s a phishing attempt – you’d never fall for that. But phishing is a very old technique (want to know how old? It’s in the book, but if “AOL” rings a bell, that’s a clue), and has been refined over the years.

Just as with the “419” scam promising you a huge fortune if you’ll only send over a bit of money, phishing’s practitioners have learnt that a few intentional mistakes can actually increase the chance of success – because the people who don’t spot spelling mistakes or oddities about the From: in an email probably won’t know what phishing is either. (In 419 scamming, they intentionally write in a stilted, naive fashion because the recipient then thinks they are dealing with fools who can be stiffed. The truth is exactly the opposite.)

Sophistication nation

A rather more sophisticated version of that phishing technique is exactly how the inbox of John Podesta, Hillary Clinton’s campaign chairman, was hacked in the 2016 US Presidential election. (The story of that makes up chapter 4 of the book.)

The campaign team monitoring Podesta’s emails weren’t going to be fooled by something like the message above.

But they could be caught by the one that Russian hackers sent, which looked exactly like a standard Google phishing warning.

Podesta email hack

Now that is a lot more sophisticated. And Google does send out “suspicious login attempt” emails.

This phish purported to be from Gmail to Podesta’s inbox, saying that “Someone has your password”. (There was actually a subtle detail – it’s in the book! – that got that past Google’s filters.)

That” CHANGE PASSWORD” link led to a fake login page, where Podesta’s details were entered, and… calamity followed. (And contrary to some expectations, it wasn’t Podesta who entered those details.)

One point worth noting is that this was Podesta’s personal inbox. His campaign inbox? The inboxes of other staff? Those weren’t hacked, because they already had crucial protection: two-factor authentication. The fact that it was Podesta’s personal, not campaign, email that was hacked disappeared in the melée, but it’s a relevant point. The campaign also used another communications method to defeat would-be hackers; that’s in the book, and I’ll deal with it in a later post.

The lesson

Turning on two-factor authentication (2FA) is the single simplest method you can take to improve your email, and general computer, security. Google doesn’t push it hard enough, in my view. A survey of 2,000 adults in multiple countries in May 2016 showed that 70% don’t have 2FA turned on. Yet it’s easy, free, and increases your security enormously; it also reduces the need to worry about getting phished. (You can still get phished if you use 2FA, but it needs more sophisticated work on the part of the phisher.)

This page shows how to turn on 2FA for Gmail. (I’d recommend using an on-device app rather than SMS for codes; SMS can be hacked.) If you use a different service, try a search on 2FA with its name.

In short, 2FA means that you either generate a device-specific password for every device you use, or that you have to authenticate each time you log in your email on the device using your email, password and a “TOTP” – timed one-time password. (It’s a six-digit code generated from a 40-digit number which is in turn generated from a combination of the time when you login, and a “seed” number stored on both the server and your device. If the number generated by the server and by your device agree, then you’re authenticated.)

If you don’t have 2FA turned on, then there is always a risk that you’re going to get phished. You spotted the one above. Will you spot every single one? Remember, they only have to fool you once; you have to defeat them every time. And there are lots more of them than you.

Thanks for reading. And even if you don’t buy the book, please turn on two-factor authentication. Everyone, including you, will be so much happier.

Cyberwars small This is the first of a series of posts illustrating points from my book Cyber Wars, published May 3 2018 in the UK (and a couple of weeks later in the US), which investigates hacking incidents such as the Sony Pictures hack, the TalkTalk hack, ransomware, the Mirai IoT botnet. It looks at how the people in those organisations responded to the hacks – and takes a look at what future hacks might look like.

I also do a weekday roundup of interesting links called Start Up, posted here each day at 0700 UK time; or you can receive it as an email (roughly an hour later). Sign up here. You’ll get a confirmation link before you start receiving anything.

Unsubscribing is as easy as clicking a link, which will put you through to our customer service representative who values your call so much they’ll make you wait 10 minutes listening to 20-second clips of music interrupted with pleas not to go away and then struggle to hear you over the cheap VOIP line provided by a cheapskate outsourcing company which also hasn’t given them any power to actually act on your account.

No, wait, that’s the other people. With my one, you just click the link.