Stuxnet to Sunburst
eBook - ePub

20 Years of Digital Exploitation and Cyber Warfare

Andrew Jenkinson

182 pages
English
ePUB (mobile friendly)
Available on iOS & Android


About This Book

Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyberwarfare takes the reader on a journey from the terrorist attacks of 9/11 onwards and the massive, insatiable appetite, focus and investment by the Five Eyes agencies, in particular the U.S., to build the capability of digital eavesdropping and industrial espionage. With tens of trillions of dollars moving through hundreds of thousands of staff and many contractors, draining the country of intelligence and technical capability, the quest was simple and the outcome horrifying. No one in the world has connected the dots, until now.

From digital eavesdropping and manipulation by the agencies to Stuxnet, this book covers how the world's first use of digital code and digital certificates for offensive purposes, against the Iranians and their nuclear power facilities, caused collateral damage. Proceeding to today's SolarWinds attack, code-named Sunburst, the same methods of exploitation and manipulation originally used by the agencies are now being used against companies and governments with devastating effect. The SolarWinds breach has caused knock-on breaches at thousands of client companies, including the U.S. government, and is estimated to cost more than one trillion dollars. The monster has truly been turned against its creator and, due to the lack of security and defence, breaches are occurring daily at an alarming rate. The U.S. and UK governments have little to no answer. The book also contains a chapter on breaches within the COVID-19 sector, from research to immunisation, and the devastating December 2020 breach of SolarWinds.

1

The Worldwide Explosion of Personal Computers and the Afterthought That Is Security

DOI: 10.1201/9781003204145-1
In the 1970s, the personal computer market went through an incredible explosion which began with the microcomputer. The personal computer was originally intended only for interactive, individual use, as opposed to the existing, but relatively new, mainframe computers that IBM had developed, a market it had cornered since its inception on 16 June 1911. Computers had seen steady growth and companies quickly realised the benefits of using them to undertake regular, daily tasks. As with every single development of computing through the ages, right up to today’s quantum computers, no one considered or prioritised security; it was all about functionality. It was very much a case of ‘don’t worry, we can try to secure it later.’ Billions of IoT devices confirm this.
This was very much the case when personal computers were first introduced. The first shipment and batch of personal computers went out without any security whatsoever. Sometime thereafter, an executive considered security and so the next batches went out with a security code, but they all went out with the same code; so much for security. IoT devices follow a similar pattern today. Security has always played second fiddle to functionality in most walks of life, and technology is no exception. As the saying goes, it is easier to be the first and gain market share than it is to be the best and stay there. Security and breaches can be dealt with by insurers and others and can be dismissed. It has almost become a ‘cost of doing business.’ Until regulation and governance are stricter and demand that basic, fundamental security is adhered to, it will continue to be a subjective situation and breaches will continue unabated, as we witness on a near daily basis in the press or on the news.
Steve Jobs launched Apple on 1 April 1976 and managed to disrupt the market almost immediately, and pretty much ever since, with its innovation, designs, and functionality. After a period, Apple also managed to get pretty good at security too; however, the agencies had different ideas. It is hard to overstate how revolutionary the ‘Two Steves’ were and how they shaped the PC and mobile market back then.
A year later, the brilliant cryptographers Whitfield Diffie and Martin Hellman published a paper on a method of exchanging cryptographic digital keys. A year after that, Ron Rivest, Adi Shamir, and Leonard Adleman published the first asymmetric algorithm and called it RSA (Rivest-Shamir-Adleman), which went on to become the gold standard and is widely adopted today, as is Diffie-Hellman. To explain digital certificates and encryption keys, it is easiest to think of digital certificates as digital passports providing authentication of both users and devices, and as something of an evolution of the Enigma and Lorenz machines used in World War II. The Enigma and Lorenz machines enabled encryption and decryption of messages by using ciphers and authentication, and the breaking of both machines was later confirmed as saving tens of thousands of lives.
At the same time, the US and UK agencies were working on developing Public Key Infrastructure (PKI) to facilitate the secure electronic transfer of information. Now they had the technology; however, they needed it to be secure, so that each device and each user could be authenticated, each party was who they said they were, and privacy was preserved. Of course, such security and privacy relied upon an uninterrupted connection. In simple terms, cryptography and PKI bind public keys to their respective identities (known to a group such as GCHQ or the NSA). The binding is established by registration and by digital certificates that are provided by a Certificate Authority (CA). The level of assurance can be set at minimum levels, such as a SHA-1 certificate; SHA-1 was deprecated in 2011 because it could be broken by brute force. However, unlike the Enigma and Lorenz machines, which, once deciphered (cracked) by the brilliant Alan Turing (Enigma) and William Tutte (Lorenz), stayed broken, modern PCs and digital machines can simply swap out and upgrade their ciphers and digital certificates and remain secure.
For decades, cryptography and cryptographers were a closed shop of agency mathematicians such as Clifford Cocks and James Ellis of GCHQ. Put simply, the agencies had designed PKI from the ground up, originally for their own use, and did not see the need for the public to understand or comprehend it; for the vast majority it was more akin to rocket science in any event, so very few bothered even trying. Due to the continued growth in personal computers, laptops and digital devices, in the 1990s PKI was deemed the most suitable protocol to provide security and was shared as a Gold Standard for global adoption. It is not clear at which stage the agencies decided to manipulate digital certificates to enable digital eavesdropping (see Network Exploitation); however, remember that the agencies enjoyed up to two decades of PKI development before it was used publicly.
Certificate authorities (CAs) were selected and can be considered part of the internet’s infrastructure. CAs were given privileged status as they effectively held the keys (no pun intended) to the security and privacy of corporations, governments, and people. There is a debate over who issued the first certificates, RSA or Netscape; however, both issued certificates in the mid-1990s to work with the newly available PKI and to support the ongoing digital revolution. CAs sprang up everywhere and digital certificates were issued initially in their millions, then tens of millions, and on into their billions. Unfortunately, even though most CAs would flourish, controls and management were lacking (a common theme throughout technology and security) and so many basic mistakes were made, with massive implications. The concept was good; however, the management was far from ideal. To this day, CAs make many mistakes, issuing incorrect certificates and having to find and revoke others that have been found to be stolen or used for nefarious purposes. Certificates can be used for many things and shared across many devices. CAs issued incorrect certificates to the wrong parties, and revoking them became a major challenge. As an example, in early 2020, Let’s Encrypt issued 3 million certificates incorrectly and had to revoke them, all of them. DigiCert was breached in 2020, and both organisations are still unsure of which certificates were compromised, issued, and need revoking, let alone where they were all issued. Over the last 25 years, CAs have had a questionable track record for being breached themselves, and of course they are a perfect target for cybercriminals who want access to thousands of clients. They can go undetected, as Stuxnet and Sunburst can testify. Certificates in their millions, even billions, provide the security and validity for millions of companies and billions of websites, often without validity and incorrectly issued.
Unfortunately, just like our mobiles and laptops today, a false sense of trust can be created by CAs and assumptions incorrectly made. It can quickly become a single point of failure for most companies; in fact, I would go so far as to say that every company and government has little to no idea of what their PKI estate actually looks like or contains. Digital certificates from various CAs are frequently available on the Dark Web and, to give the reader some idea, a handgun can be bought on the same Dark Web for a few hundred US dollars, while a digital certificate, depending on the issuing CA and class, usually costs two to three thousand dollars. A digital certificate with privileges, such as those used in SolarWinds, can cause billion-dollar losses and damage. It is imperative that PKI is properly controlled and managed; without it, all other security can be, and is, undermined.
Corporations, governments, every company, and every person have become totally reliant upon PKI and digital certificates for security, often unknowingly, whether they chose to or not. PKI was designed to be the very bedrock of privacy and security and to create Digital Trust. This is a term we will hear a lot more throughout the book. Digital Trust was the Shangri-la for all users, as their mobile, PC, and later their laptop would be things they could trust, with which they could share and document their most intimate feelings, photographs, experiences, and data, and send them on. However, others had different ideas, and by manipulating the very same PKI that was there to provide security and privacy, they developed and manipulated it to invade, exfiltrate, and undermine both. This situation was actively encouraged by the explosion of social media and mass data collection, more recently and commonly known as cookies, which frequently overstep the mark of data collection without the user’s knowledge and are often cited in legal disputes on privacy and GDPR.
Let us briefly consider the difference between a standard digital certificate and a root certificate. The root certificate is often known as the trusted root and sits at the centre of the entire trust model underpinning the whole PKI. This then extends out to TLS and SSL certificates. Every device you buy today comes complete with a Root Store collection of preloaded certificates and their public encryption keys. This enables software and apps, for example, to authenticate the device and you, as the new owner. These root stores run under very strict guidelines from major vendors and OEMs such as Mozilla, Google, and Microsoft. Of course, from time to time these can, like a regular certificate, be compromised or become invalid, and may then require revoking and replacing. A root certificate is invaluable because any subsequent certificate signed using the root’s private key will be trusted. Obtaining one has been the holy grail for cybercriminals, since they can then in effect act as the owner and sign certificates at will. You can see how a misconfigured or illegally gained root certificate might be of interest to anyone with nefarious intent. It is often said in the industry that, unlike in the days of Turing and Tutte, one does not need to decrypt; one simply needs to find the encryption keys which provide that elusive Digital Trust and enable plain text to be read, copied, shared, and so on. The job of a cybercriminal has been made substantially easier, not harder, due to the lack of PKI controls and management, let alone the woefully inadequate internet-facing security which is flagged as ‘Not Secure’ in the address bar…
Staying on that theme for just a moment, and to elaborate upon what a valid certificate on an internet-facing domain provides: it provides authentication of the domain’s certificate owner and the website, which means the removal of a Man-in-the-Middle attack, and it also ensures that all data is encrypted and has integrity. This is a critical distinction; in other words, you have Digital Trust. If, however, a certificate is invalid, you have none of these. You may be on a shadow site, as was used in the recent BA breach, in which some 400,000 people bought and paid for flights from cybercriminals and not BA. I will go into more detail later; however, this single distinction and critical issue is a major factor in why cyberattacks, both in terms of frequency and scale, have escalated from a few million dollars in the 1990s to an estimated $6 trillion by the end of 2021. Cybercriminals are continuously targeting insecure domains with invalid certificates in their attempt to find opportunities to hijack the domain, gain command and control (C2) and then, ultimately, gain enterprise access. If this sounds familiar, it should, as this is exactly what happened in last month’s (December 2020) disclosure of the breach at SolarWinds, which is believed to have commenced in March 2020. By identifying insecure SolarWinds domains (and there were over a dozen to choose from, as our report confirms) the adversary hijacked a domain, stood up their own domain, www.avsvmcloud.com, which has subsequently been seized, and gained full enterprise access and privileges. Once this was achieved, they were able to move laterally, use SolarWinds digital certificates, lace updates with malware (Stuxnet style), and have them distributed to unsuspecting clients. The clients often had automated downloads from SolarWinds due to the existing Digital Trust (assumptions) and took the updates as normal, only to then be breached.
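The trust model described in the two preceding paragraphs, as an added example written for this edition of the page rather than code from the book or its author: a self-signed root stands in for one entry in a device’s root store, a leaf certificate is issued beneath it, and VerifyChain plays the part of the browser, chaining the presented certificate back to the store and checking that the name matches the site actually visited. The CA names, the hostnames shop.example and shadow.example, and every function name are constructed for the example; the validation itself uses Go’s standard crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca is a certificate together with the private key that can sign beneath it.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in validity and a random serial, then has signer issue tmpl under parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = serial
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newRoot makes a self-signed root CA, the kind of certificate preloaded in a root store.
func newRoot(name string) *ca {
	key := mustKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: name}, // constructed CA name
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &ca{cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// issueLeaf has a CA sign a server certificate for one DNS name. Anyone who
// holds issuer.key can do this for any name they like.
func issueLeaf(issuer *ca, dnsName string) *x509.Certificate {
	key := mustKey()
	tmpl := &x509.Certificate{
		Subject:     pkix.Name{CommonName: dnsName},
		DNSNames:    []string{dnsName},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, issuer.cert, &key.PublicKey, issuer.key)
}

// VerifyChain is what a browser does on connect: chain the presented leaf back
// to a root in the store and check the name matches the site visited.
// A nil result means Digital Trust holds; anything else is "Not Secure".
func VerifyChain(leaf *x509.Certificate, rootStore []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range rootStore {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RunScenarios plays out the cases the chapter describes and returns each verdict.
func RunScenarios() map[string]error {
	trusted := newRoot("Constructed Trusted Root CA") // preloaded in the store
	rogue := newRoot("Constructed Rogue CA")          // unknown to the store
	store := []*x509.Certificate{trusted.cert}
	const site = "shop.example" // constructed hostname the user visits

	res := map[string]error{}
	// Properly issued certificate for the site visited: validates.
	res["trusted_root"] = VerifyChain(issueLeaf(trusted, site), store, site)
	// Well-formed certificate from a CA that is not in the root store: rejected.
	res["rogue_root"] = VerifyChain(issueLeaf(rogue, site), store, site)
	// Valid certificate but for another name (the "shadow site" case): rejected.
	res["hostname_mismatch"] = VerifyChain(issueLeaf(trusted, "shadow.example"), store, site)
	// A certificate minted with the trusted root's private key is
	// indistinguishable from a legitimate one; the verifier cannot help here.
	stolenKey := &ca{cert: trusted.cert, key: trusted.key}
	res["stolen_root_key"] = VerifyChain(issueLeaf(stolenKey, site), store, site)
	// The remedy is to revoke the root and remove it from the store, after
	// which everything beneath it, legitimate or not, stops validating.
	res["root_removed"] = VerifyChain(issueLeaf(stolenKey, site), []*x509.Certificate{}, site)
	return res
}

func main() {
	for name, err := range RunScenarios() {
		status := "trusted"
		if err != nil {
			status = "rejected: " + err.Error()
		}
		fmt.Printf("%-18s %s\n", name, status)
	}
}
```

Note that Go’s Verify checks the chain, validity period, key usage and hostname but performs no revocation lookup of its own; the last scenario models revocation of a compromised root the only way a verifier can act on it, by removing the root from the store, which is the “revoking and replacing” the chapter refers to.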
Digital certificates and PKI form the very foundation of security and are overlooked and ignored at one’s peril. The agencies actively discouraged and dissuaded companies and governments from recognising the importance of certificates, PKI, and internet-facing security, at massive cost, and as such they are frequently overlooked, ignored, and neglected. Whilst companies are busy chasing so-called sophisticated attacks, no one is controlling or managing their certificates or PKI, the foundation of all their security. Lessons to be learned, and lessons continually being ignored…

2

9/11 and the Creation of Mass Data Collection in the Name of Security…

DOI: 10.1201/9781003204145-2
There are certain events in one’s life that you will never forget: where you were when Lennon was shot, when Martin Luther King spoke on Capitol Hill, or the day Mandela was released. The event that will always stay with me was the afternoon of 11 September 2001.
I had just finished playing an enjoyable game of golf in a vendor tournament. The sun was warm on this beautiful afternoon and the setting was stunning on the East Sussex Golf Course. I walked in from the 18th green to order and enjoy a drink with my colleagues before the after-dinner event. Upon entering the Club House, I was confronted by a huge TV screen showing what clearly appeared to be a Steven Spielberg movie. There on the screen were two towers that looked like the movie The Towering Inferno. I then realised it was live and the towers were in fact the World Trade Towers in New York. I recognised them as I had visited them twice previously and knew them and their location. Strangely, I could not help my mind second-guessing and calculating how many people might be inside. I felt sick to my stomach and could not stop watching in total disbelief. Many months later and upon reflection, I can understand why so many in US intelligence felt so exposed, and that the day was among the very worst in US intelligence history. The date was 11 September 2001, a bright Tuesday morning in New York.
Four passenger airliners had departed from north-eastern US airports bound for California and were individually hijacked by a total of 19 al-Qaeda terrorists. Two of the planes, American Airlines flights Nos. 11 and 175, crashed mercilessly into the North and South towers of the World Trade Center in Lower Manhattan. The first impact left a gaping hole around the 80th floor, instantly killing hundreds of people both inside the building and passengers on the plane itself. It left those above on higher floors, up to the 110th, totally stranded and cut off without any way, or indeed hope, of finding a way to safety. As evacuations of the tower on lower floors commenced, it was initially considered to be a one-off freak accident. Hundreds of emergency workers were running towards the scene of the accident, as it was deemed at the time. Just 18 minutes after the first crash, a second live broadcast showed a second plane, flight No. 175, appear and seemingly turn sharply towards the South Tower. It hit the tower around the 60th floor, again instantly killing hundreds of people and trapping hundreds more above. In under an hour and 42 minutes, both 110-storey towers totally collapsed, killing nearly 3,000 people and injuring over 25,000. 343 firefighters and 72 law enforcement officers were killed. No one can ever remove the images or footage we witnessed that day. We were totally powerless to do anything about it. Hindsight is a wonderful thing, and if it had been known to be a terrorist attack, those in the South Tower and those running up to help others in the North Tower might have made different decisions.
The third plane, flight No. 77, crashed into the Pentagon, leading to the collapse of the building on the west side, and the fourth plane, flight No. 93, was originally headed for Washington DC but crashed into a field in Stonycreek, Pennsylvania after passengers thwarted the hijackers. It is virtually impossible to know how one might react in such situations: self-preservation, outrage, or anger and striking out. The fact is, sadly, that three of the terrorists’ missions succeeded in the eyes of al-Qaeda by causing massive damage and fatalities at the very heart of the US, and only one did not. The US acted quickly and announced a ‘War on Terror.’ They started by invading Afghanistan to depose the Taliban and hunt down Osama Bin Laden, among many other activities including cyberwarfare. Meetings in the Situation Room were obviously vocal and fraught at the time: what action could be taken, and how could one achieve justice, possibly often masked as revenge?
As mentioned in the previous chapter, security always plays catch-up, and this awful event was no exception. Airports became awash with scanning machines as a prerequisite, including for people. Possibly more importantly, and more secretly, President George W Bush called his teams of senior intelligence groups from the NSA, CIA, FBI, and others together to agree how they could utilise and manipulate Computer Network Exploitation (CNE). The objective was to attempt to capitalise on and digitally eavesdrop on digital communications to and from the US and to and from known countries and suspected terrorists that they believed harboured further terrorist cells and organisations. The first program was simply titled the Terrorist Surveillance Program (TSP) and was headed by the NSA. TSP would go on to enable the secret digital eavesdropping and tracking of billions of calls and emails made by, and received by, millions of US citizens over the coming decades. TSP would go on to become a blueprint for what would follow. Originally, however, it was part of the President’s Surveillance Program, which in turn came under the overall umbrella of the War on Terrorism. The TSP was initially designed and sanctioned on the basis that at least one party in the communication was not a US citizen, and that may have been the original agreement and parameters; however, this was quickly changed and, more than likely, abused.
As digital communications became more widespread, the newly found method of gathering data en masse became too easy, and Network Exploitation became global. That meant every country and, potentially, every person. If you used a laptop, a phone, or a personal computer, chances are that your actions and your calls could be monitored, and the data gathered for further and future analysis. Big Brother was very much alive, and barely anybody knew at that stage; even if they suspected, it would have been impossible at that time to realise to what extent. I will not go into detail here on the warrantless surveillance controversies that followed. Many such programs operated without judicial oversight; nonetheless, such programs existed following the 9/11 attacks and, in the main, for what seemed to be justified reasons. It has repeatedly been said that 9/11 caught the intelligence agencies napping; it would not happen again, could it? A great source of further specific information can be found in the excellent book The Shadow Factory, written by James Bamford.
On 6 June 2007, TSP was renamed and became known as PRISM. PRISM was now under judicial guidelines and rules, or so it was stated. It was supposed to gather intelligence only if one party was not a US-based citizen. Much controversy has been witnessed and claims made that this was not strictly adhered to. President Bush had to review the program every 45 days, and the intelligence committees, House of Representatives, and Senate were briefed on numerous occasions. No note-taking was allowed, nor external confirmation that the program even existed; however, it most certainly did, as was revealed by Edward Snowden, and it was far-reaching. The agencies had new capabilities and they were certainly not afraid to use them, even if, and when, that meant bending the rules. The adage of ‘do not bother asking for permission, ask for forgiveness if you get caught’, and cite plausible deniability, was very much in play; many were contractors for that reason. What the NSA reali...