Ten years before the Bullseye Breach:
“You asked to see me?” said Fyodor as he entered Ivan’s office in the St. Petersburg government center.
“Yes. My boy, you have been an excellent intern. You have displayed a gift for mastering this new Internet technology and I wish to use that gift.”
“Mr. Tarski, I again apologize for uncovering those passwords. I was merely exploring whether or not I could inject SQL statements into data entry fields in the new city employee administration program.”
“You did shock some people. And forced some programmers to work many late hours removing the vulnerability. But you properly reported the incident and we are all now stronger because of your insight. “
“Thank you.”
“My boy, the world is changing. Not just politically, but technologically. Russia will need expertise such as yours if we are to prosper in this new world. You are the future.”
“You flatter me.”
“I have secured an opportunity for you to study at a western university. You will spend one year at King’s University in Belfast, Ireland. You will return home with a Master’s Degree in Advanced Wireless Communication. You will spend your remaining time in your internship here in St. Petersburg mastering the English language.”
Fyodor stared at Ivan for a few seconds, open mouthed. “May I….?”
“Yes, of course. Sit down,” said Ivan.
“I, I, umm, I do not know what to say. I am stunned!:
“Fyodor, we do not make this investment lightly. And I know this news is much to absorb.”
“Yes. It is. Why me?”
“I, we, believe you have potential to help lead us into the 21st century. We need to keep up with western technology and the only way to do this is train our young people.”
“I am humbled at your generosity!”
“I also have a mission for you.”
“A mission?”
“Yes. I have certain business interests and need the assistance of western experts from time to time. You will master the English language and look for potential business partners while you are studying.”
“What kind of business partners?”
“People who are willing to take some risk in return for profits. People who are not afraid to operate outside of western law.”
“Wait – you want me to find people who will commit crimes?”
“No. Of course not, my boy! It’s just that sometimes certain laws get in the way of creativity. For example, when you penetrated our database. Technically, you broke the law. But no harm was done and I see no need to report this activity. I am looking for people with a similar outlook. When you find such a person – and you will – you will introduce him to me.”
Nine months later and half way into his year in Belfast, Fyodor remembered that conversation as if it were yesterday. He would be grateful to Tarski Ivan for the rest of his life. Or – since he was mastering the English language, Ivan Tarski.
After spending 6 months mastering general networking concepts and the physics behind wireless technology and learning about the differences between local wifi and wireless broadband, a new class in the curriculum was coming up.
This class was a survey of wifi security, followed by advanced wireless security. The course abstract said, “Security with wireless networks takes on extra importance because anyone with a laptop computer equipped with a wireless card and some software can intercept and record entire networking sessions. Once recorded, eavesdroppers can play back encrypted conversations repeatedly, trying different decryption keys to steal passwords, banking information, or any other information of value. This course surveys various tactics to secure wireless communications and explores strengths and weaknesses of different approaches. Wireless security is a rapidly evolving field and students will finish the course equipped to lead their organizations in evaluating and selecting the best alternatives.”
The course looked interesting. Professor Flanagan apparently also brought a colorful background to the course. The rumor was that he worked for the I.R.A back in the 1980s and 1990s and penetrated the first British military wifi network. Perhaps Mr. Tarski would want to meet this professor.
The first day of class erased any doubts when a disheveled man with a greying ponytail, wearing a 5 day beard, faded blue jeans and tattered sweatshirt walked in carrying a coffee mug filled with Irish whiskey.
“My name is Turlach Flanagan”, he said, “and I am to be your instructor for this class. Although God only knows why.”
One student raised his hand. “Professor Flanagan, do ya plan to share any of that whiskey with us?” A few other students laughed nervously.
Without missing a beat, Professor Flanagan responded, “And what makes ya think I’m drinkin’ whiskey, lad?”
“Because we can smell your fumes clear up into the back row,” said the student. The class laughed.
“Well, laddies and lasses,” said Turlach, “you’re welcome to bring your own whiskey if you’re thirsty. I only brought one flask. I don’t give a tinker’s damn what you do in this class, as long as you turn in your work on time. Some of you are probably wondering if the rumors are true – did I help the I.R.A penetrate that first British wifi network? The answer is, yes, I did. And my wife and daughter, God rest their souls, paid with their lives. I should have paid with my own.”
He took a big gulp from his mug and then continued. “So this term, I will teach you how to protect your wireless networks so you won’t be reduced to a blabbering, drunken fool when somebody takes advantage of your loyalty and murders your family.” He took another swig and then asked, “Any more questions?”
Fyodor realized that sentence made no sense, but this professor was fascinating. And half-drunk but somehow still able to function. Fyodor was going to enjoy this class.
Another student asked, “What do you think about the I.R.A. now?
Flanagan answered, “I think the I.R.A is about the equivalent of a pile of dog crap. I don’t care about them anymore, nor do I care about anyone’s politics. I care only about money and Irish whiskey.”
Turlach paused and looked at his mug. “A toast – may we all be in Heaven 5 minutes before the bastards we hate know we’re dead.” He tipped his mug to his lips and drained it.
“And since this school pays well, I will put up with you for a term and teach you what I know about wireless security. Which is plenty. Which is why this university tolerates me. And by the way, the university pays me the same whether you pass or fail, so it makes no difference to me how well you do. If you want encouragement, go sit on your mommy’s lap. In my class, you will meet the real world and all its horrors.”
Yes, Fyodor thought, this is a man Mr. Tarski would want to meet.
A new video calling service named Skype was becoming popular. Fyodor was eager to try it and he guided Ivan over a telephone call setting up a webcam on his computer and downloading and installing it. Fyodor installed it on his own computer, and within a few minutes, he was looking at Mr. Tarski across the Internet.
“Impressive, my boy!”
“Thank you, Mr. Tarski.”
“You are a graduate student now and will have an important job when you return. Call me Ivan.”
“Ok, Mr., umm, Ivan. Ok, Ivan it is. I have a person you would like to meet.”
“Yes? Someone with the attributes we talked about?”
“Yes. His name is Professor Flanagan. Turlach Flanagan.”
“Excellent. Why don’t we set up a video meeting for, say, next Monday?”
At the next class session, Fyodor stayed behind until everyone left and then approached Professor Flanagan.
“What can I do for you?”
“I am here in an exchange program from St. Petersburg, Russia. The man who sponsored my education here believes it may be mutually beneficial for you to become acquainted.”
“A Russian?”
“Yes. From St. Petersburg.”
“And just how do you suppose your friend and I meet? Shall one of us take a weekend trip across Europe?”
“No. We can use Skype.”
“Skype. Yes, I’ve heard of it. A new Internet video service isn’t it?”
“Yes. And it works well.”
“But the university network is protected by a firewall. Your Skype service will not work here.”
“Yes it will. I have done it.”
“How?”
“Evidently in the same manner as peer to peer music sharing. Use the sky to meet your peer.”
“Ah – the bane of every IT security administrator’s job.”
“How so?”
“Think about it, lad. What do firewalls do?”
T”hey protect networks from traffic trying to gain unsolicited entry.”
“Yes, that’s the book definition. You’ll pass the computer science test with that answer. But what do firewalls really do?”
“They regulate traffic?”
“Exactly. Let’s say my computer wants to send a message to your computer. Your computer is behind a firewall. Does your firewall need a rule to let messages from my computer pass to your computer?”
“Yes, of course.”
“What happens if your firewall has no such a rule?”
“It would block those incoming messages from your computer.”
“Exactly. Now, what if you want to send data to me? You’re still behind your firewall. Your firewall has no special rules allowing me in. And to keep things simple, let’s say I’m not behind a firewall. What happens when you send your message to me?”
“My firewall lets it out and you see it.”
“Yes. Let’s say your message is a question. Let’s say you ask me for the time of day. I send you an answer. What happens to my answer?”
“My computer sees it.”
“Why?”
“Because my firewall masqueraded my question, making you think it came directly from the public side of my firewall. When you send back the answer, my firewall forwards it back inside my private network to my computer.”
“So firewalls know the difference between unsolicited messages and answers to messages?”
“Yes.”
“And without special rules in place, they block unsolicited messages and allow in answers to messages?”
“Yes. Stateful packet filtering. This is basic.”
“Yet it is. So how do peer to peer systems work? How can you share music on your computer – behind a firewall – when your firewall has no special rules allowing anyone to access your music? When somebody wants to copy a music file or call you with this new Skype program, how can this work?”
“I do not know.”
“Most people don’t think about it. And that drives security admins batty. It’s a man in the middle attack. Quite clever.”
“A what?”
“A man in the middle attack. Alice wants to talk to Bob. Mike is between Alice and Bob. Mike pretends to be Alice when talking to Bob and pretends to be Bob when talking to Alice. But Mike changes the conversation to suit himself. Perhaps Alice instructs Bob to deposit money into Alice’s bank account. Mike may change the message to tell Bob to deposit the money into Mike’s bank account.”
“But Bob would know it is Mike impersonating Alice.”
“Depends on how good of a job Mike does, doesn’t’ it?”
“What does any of this have to do with Skype?”
“Skype is the man in the middle. Just like any peer to peer file sharing program that millions of college students use to share music. It’s a man in the middle attack, but you willingly install the software to make it work.”
“How?”
“If you install a peer to peer program on your computer, when you run that program, it reaches out over the Internet and connects to another computer to register your nickname and IP Address. Not a central server, but some other computer with the same peer to peer program installed. So now the peer to peer network “knows” you are online. When somebody wants to access your music library – or call you – they find where you are registered and connect to that computer that registered you.”
“But that computer is also behind a firewall. How do I register with it and how do others connect to it?”
“Astute observation, lad. Nobody knows the protocol details other than the developers and they’re not talking. We speculate a central server farm has to be involved somehow to start the process, even if only minimally.”
“So somehow, I am registered with this peer registration server. How do others contact me?”
“They pretend to be you by impersonating your IP Address. You already have a connection to that computer. It “thinks” you sent the message as part of a conversation already in progress. But you didn’t – your peer did. Eventually, the protocol fools both sides into believing each side started an outbound conversation with the other and the registration server in the middle gets out of the way. And now your peer has complete access to your music library. Or to call you. Or anything else the program wants using this peer to peer protocol.”
“I never thought about it.”
“Lad, somebody will make a boat load of money with this program. I promise ya that. The opportunities for exploit are limitless.”
“Professor Flanagan, you will enjoy meeting my friend Ivan.”
I look forward to it, lad.