Raiders of the virtual Ark: DarkHotel hackers, your neighbourhood-friendly government cyber-spies, and everyone else in-between

As debate rages on about our collective cyber security (thanks Eddie!) and fear-mongering appears everywhere we look in the virtual world (Hi there, GCSB agent), we seem to need a little more assurance every now and again about our own virtual practices, especially with the release of the Darkhotel hack from Kaspersky Lab. But where to look, and for what?

Kaspersky Lab, a cyber security firm, recently uncovered a hacking operation known as “Darkhotel”: an elite operation that targeted CEOs, senior VPs, directors and top R&D staff, using malware that was spread through public Wi-Fi portals at luxury hotels across Asia.

Usernames and passwords for social media portals were compromised, with victims from Japan, Taiwan, China, Russia, Korea and Hong Kong.

According to Kaspersky Lab, the operation is speculated to have been running for at least four years.

Such detailed reports should have corporations at the highest level of the international business world buzzing with no small amount of anxiety, and certainly a need to key up their operational security.

Here are some tips from Kaspersky’s website on what to watch out for when travelling:

  • Choose a Virtual Private Network (VPN) provider – you will get an encrypted communication channel when accessing public or semi-public Wi-Fi.
  • When traveling, always regard software updates as suspicious. Confirm that the proposed update installer is signed by the appropriate vendor.
  • Make sure your Internet security solution includes proactive defense against new threats rather than just basic antivirus protection.

And in the world of cyber security, where there are a myriad ways to protect data, security is a sorely complicated mess and certainly not particularly user-friendly, as journalists working with Edward Snowden found. It’s also something that’s slipped into popular culture. The Newsroom, a television show about journalists created by The West Wing writer Aaron Sorkin, started its last season this week.

In the premiere episode, Neal Sampat, the bright-eyed blogger and tech journalist for the fictional news outlet, receives a tip-off, with a USB taped inside a toilet and all. Spoiler alert: the USB is filled with classified documents, and at the end of the episode, poor Neal commits an act of espionage against the United States government.

How the tip was passed

But it’s how the tip arrived in the first place that’s the interesting bit – it’s the same way Snowden first approached Laura Poitras, the documentarian behind the recently released Citizenfour. They exchanged some encrypted emails using Pretty Good Privacy (PGP), an encryption method created by Phil Zimmermann in 1991.

The method has been heralded by the cryptography community as one of the most secure ways, if not the most secure way, of communicating electronically. To date, there is no known method to break this form of encryption through either cryptographic or computational means.

Of course, the whole affair sounds rather boring to non-nerds, but the technology (and how both the real-life and fictional events unfolded) is anything but. The shorthand version goes like this – using specialised software, two encryption keys are created to protect your email: one private, and one public.

The two keys operate exactly the way they’re named – one for you and one for everyone else. The private key is kept secure for you personally, while the public key can be given out to anyone that wants to reach you in a secure fashion. The full instructions on how to set it up are a bit long-winded, but definitely worth it in this day and age.

However, PGP is but one cog in the world of cyber security, and as cyber security firms will tell you, it’s a very dangerous place, this thing we call the World Wide Web.

So while a very recent exclusive article detailing the actions of the GCSB (insomuch as what they want us to see) seemed to portray a benevolent bunch of rather smart cookies, it never hurts to add on that extra level of security.