December 20, 2016

Star Wars: the Empire state of cybersecurity problems

Business

As you probably know, Star Wars: Rogue One has hit the theaters to tell the story of the Rebellion who steal the plans of Death Star and facilitate its destruction. The majority of viewers think that the movie about the destruction of a space station is just a work of science fiction, yet we tend to view it as some sort of manual about how NOT to secure a strategic object. Let’s view the incident in detail.

So, long, long ago in a galaxy far, far away… A critical infrastructure object, the Death Star, measuring 120 kilometers in diameter and hosting about 1 million of staff (including 25,984 troopers and 342,953 of fleet personnel), was destroyed in the battle of Yavin. Due to this incident, the Galactic Empire sustained considerable losses, including a massive reputational damage, which led to its eventual downfall.

Company profile
Name: The Galactic Empire
Size: 26,000 destroyers + auxiliary fleet
Business: Galactic supremacy
The CEO, Emperor Sheev Palpatine, created his Empire on the shards of the Galactic Republic and the Confederation of Independent Systems, wallow in corruption and civil wars (in most cases the latter were orchestrated by the mysterious Darth Sidious, who turned out to be disguised Palpatine, the Naboo senator and then a chancellor) In the times of the battle of Yavin the Empire had been around for 19 years and was the supreme force in the galaxy.

At first sight, the station fell as a result of an assault carried out by a small group of rebels supported by a limited number of space magi. However, a thorough analysis and reenactment prepared by a George Lucas, a Hollywood expert, proved that the destruction was brought by a sheer negligence of the commanding force and lax cybersecurity measures. And, of course, one of the apparent reasons was the fact that troopers were abysmally undertrained (including their incredibly low shooting skills).

The reasons of the station’s destruction in the battle of Yavin were listed in Vol. I of the retrospective analysis (or, in accordance to the asset number, Vol. IV). Let’s concentrate on this document for thorough analysis..

Epic Fail

After the materials had been studied, the main conclusion was that Empire made a grave mistake, even before the station was commissioned. It’s not about the fact that the station had a critical vulnerability allowing a fighter to destroy the reactor. In fact, that’s quite fine – it would be quite strange if an object of such scale did not have a single vulnerability. Nor is the true reason of the fall the fact that the complete plans of the supreme weapon leak and get accessible to an adversary. Of course, it’s a major fail, but let’s be honest: the ‘security by obscurity’ principle does not work. We’ll skip the respective analysis in this material: researchers from Lucasfilm have just issued a detailed analysis of this incident.

The critical mistake that the Empire discovered the vulnerability only after it was attacked, while the rebels, having spent mere hours on analyzing the plans, managed to find a vulnerability and develop a functional exploit. It’s especially striking since the Empire enjoys much more resources to have executed a security audit and pentested the station.

Darth Vader, The Lord of the Sith, Chief Operating Officer
As I have always said, the ability to destroy a planet is insignificant next to the power of the Force.

Data leak? What data leak?

Ok, let’s get down to details. So, the plans are stolen and are kept on the Tantive IV star vessel belonging to Princess Leia’s family. The ship is detained and searched by the Empire security squad led by Darth Vader. Meanwhile a rescue capsule detaches from the ship and flies away. What should have been the reaction of an Empire duty officer?

Well, at least he should have launched the alarm and alerted his people. But what does the officer do instead? He lets this slip, as there are apparently no living beings aboard and the capsule is not a threat. That draws an unpleasant picture of utterly irresponsible cybersecurity practice. The officer, in fact, has witnessed a data leak carried out via a physical storage device which left the perimeter while the clean area was being searched – but did not understand the situation. This is the problem to be tackled by a series of cybersecurity trainings among the personnel.

Oleg Gorobets, True cybersecurity expert, Kaspersky Lab
All in all, the story of Death Star perfectly illustrates the entire cycle of a targeted attack and some absolutely inadequate cybersecurity practices. Moff Tarkin was quite lucky to have been aboard Death Star when it exploded. Otherwise he would have sat through some tedious talks on a number of unforgivable design flaws in the starship’s systems.

The further Tatooine happenings do not present interest for us in the context of analyzing the Death Star incident. However, they perfectly exemplify the level of criminal activity on the planet. Tatooine farmers, for instance, could be charged at least with cornering stolen goods and unauthorized tampering with the androids’ systems. We leave the question of Full Disk Encryption of stolen droids open.

We’d also recommend paying closer attention to R2D2’s developers: what this droid does can be classified as a phishing attack carried out via social engineering methods. The droid plays a short video of the girl, luring Luke Skywalker into granting it admin rights to subsystems, promising to show the full video then. Of course, it never happens. This scheme is more characteristic of phishing porn sites rather than astrodroids. However, it’s not the Empire’s problem.

Critical problems of the critical infrastructure

Let’s go back to the Death Star. It’s said to be a flawless and the most modern empire star base. It’s a critical infrastructure object, the sole of its kind. The Empire has just run a trial launch in the Alderaan system, when a Corellian cargo ship, Millennium Falcon, which has recently been put on the wanted list for breaking out from the blockade of Tatooine, pops up out of nowhere. The initial scan does not reveal living beings aboard, and the record in the logbook says the crew abandoned the ship before the hyperjump.

And what should the commanding force have done? The most logical decision if to use a boarding crew equipped with a scanner to analyze ‘Falcon’ away from Death Star’s perimeter. But, quite the opposite, the crew drag the bogus starship aboard the Empire baseship! So, the Death Star personnel bring an unknown cargo ship into a critical infrastructure object, even though they consider it suspicious. What if it’s a Trojan horse containing malicious droids?

Then, something unthinkable happens. R2D2 – a droid who is well over 30 years old by the time the Yavin incident – without any hassle gets access to the station’ systems and finds the list of prisoners kept in the on-board isolator. The question here: what’s wrong with the authentication policies on Death Star? Not only does the outdated droid access the system, but also gets to the list of prisoners, while the isolator should have an extra security system, much more robust by design. It all looks pretty bad even if we skip the fact that having a prison with dangerous criminals on a secret critical object does pose another security risk.

Yoda, Downshifter, a Public Speaking Coach
If into the security recordings you go, only pain will you find.

Then the terrorists split: Ben Kenobi goes to disable the tractor beam, whereas Luke, Han and Chewbacca head to save the princess. The report proves that the energy system powering the beam is at least isolated, which forces the adversaries to disable it manually. This is, without a doubt, a good thing! However, when Kenobi disables the beam, why doesn’t any of operators receive an alert notifying one of the systems is out of power? A correctly deployed SCADA system should alert operators of any power outages.

Meanwhile, Luke and his accomplices engage into a firefight in the prison. Here I take a moment to bow to an unnamed Empire officer who talked to Han Solo over the intercom. The officer did not believe Solo’s absurd mumblings about self-induced shooting in the prison and the simultaneous reactor leak. He in fact attempted to understand whom he was talking to by asking his interlocutor to identify himself by a personal number.

Then it becomes obvious that not only does R2D2 have access to the station’s data, but he is able to control some of the systems, like the waste disposal system and doors in the waste block. It’s not just a leak – these are ‘full house’ conditions for sabotage.

The outcomes:

In this report, we have enumerated at least five critical security flaws in the design and operations of the object. If just one of these vulnerabilities had been taken care of, the plans of the station wouldn’t have leaked and ended up in the rebels’ hands and Death Star wouldn’t have been destroyed.

Flaw Action
The Empire officers could not prevent a data leak, allowing two droids flee in a rescue capsule All personnel should attend cybersecurity trainings
A ‘Trojan’ starship with hackers on board was brought onto the critical infrastructure object All incoming communications should be limited and controlled by stringent security policies
An outsider droid managed to access the station’s systems, data, and select industrial process controllers A robust multifactor authentication system should prevent outsiders from accessing the systems
A Jedi powered off all tractor beams on the station, ultimately allowing a starship leave Death Star The SCADA system should instantly alert operators of any changes in power systems
Imperial analysts managed to discover the vulnerability when it already had been under attack and could not be fixed The acceptance inspection measures should include detailed modeling of threats (ideally, pentesting)

Expert commentaries:

Evgeny Chereshnev, Head of Social Media, Kaspersky Lab
The Empire is a good example of what could happen to a large enterprise which falls for so-called ‘NextGen’ security solutions. NextGen vendors offered the Empire Death Star – a station which, according to marketing presentation, can destroy planets and assist the Empire in its ‘Galactic Supremacy’ mission.

But a pretty picture hides a ton of problems. This so-called ‘NextGen’ solution is built on a single technology – a cannon, in fact. It’s not enough to ensure efficient protection from all types of threats. An efficient security solution is typically a multi-level, echeloned system comprised of three key components: experts (best people), machine learning (ultimate automation of processes) and expertise (cases, samples, solutions).