police and thieves
As they both point out, the possibility of anyone getting access to the actual command and control firing chain with metasploit is so remote as to be ridiculous, and we’d do much better to worry about tidying up old radioisotopes in Russia, and perhaps not having quite so many nuclear bombs.
My only objection is that we have, in fact, lived through a serious attempt to do just that, immediately after Lashkar e-Toiba terrorists attacked the centre of Bombay in December, 2008. As you might expect, they didn’t try to get control of nuclear weapons from the command line.
Instead, they attempted to use the Internet to influence the political leadership – they placed a call to the Pakistani president’s office, spoofing the calling line identification message in order to give credibility to their effort to pose as the Indian foreign minister. My technical analysis is here; the Indian government’s investigation later showed that the attackers set up a VoIP network with nodes in the US and Austria for their own use.
Presumably the idea was to provoke the Pakistanis into doing something that would destabilise the situation, causing the Indians to respond and thus triggering Pakistani mobilisation for real. The Guns of August, 2.0, with Princip using a Linksys SIP handset.
Clearly, there is still a need for the existing nuclear states to help the new ones establishing solid command and control procedures, including the communications elements that make them work; one of the problems of international crises is that the system to be secured suddenly gets a whole lot bigger, as other systems – in this case the diplomatic/protocol bureaucracy – become closely connected to it.
It’s not the early 80s hackers of War Games we need to worry about – instead it’s essentially trolls, provocateurs, empowered by the technology available to today’s spammer.
It strikes me that the possibility of ambiguous identity is a hard one to grasp; for a very long time, it was safe to say that such a message was unlikely to be a fake, and if it was, it was probably faked by a proxy for the real enemy. Consider the case of 4chan vs. AT&T.
AT&T null-routed the server which carries the bulk of 4chan’s content; everyone freaked; AT&T claimed that a denial of service attack was coming from that IP range. But it was hardly likely that the 4chan crowd, of all people on the Internet, would have been daft enough to launch a denial of service attack from their own machine – DOSs have essentially always been distributed over many, many hacked computers (DDOS, for Distributed Denial of Service) since the first botnets emerged in the early 00s, this being harder to counter, offering much more stolen computing power, and being much more difficult to trace to its source.
A detail in the Ars Technica story explains it all. One of the sources cited mentions “persistent ACK scans” – when a computer wants to start a TCP connection, as used for the Web, to another, it sends a message called a SYN to the receiving party, which if it gets the message and wants to reply, sends a message called an ACK to the address provided in the SYN. If received, the sender replies with a SYN-ACK and then starts transferring data.
4chan was experiencing a DDOS attack itself at the time. Putting these bits together, it’s clear that the attackers were altering the source header in the packets they threw at 4chan to point to a machine somewhere in AT&T’s network, so that every one received generated a further packet thrown at the AT&T machine. This is a classic; it gets you two attacks for the price of one, it conceals your own position, and it brings the possibility that AT&T might go ape and do the job for you. If the first target is especially big, you could also use it to magnify the volume of traffic, in a so-called reflector attack.
It’s surprising and depressing that they weren’t aware of that; no more surprising and depressing, however, than the way so many people have been willing to believe patently false information just because it’s “secret”.