Too Much Trust in the Cuckoo’s Nest

Originally published by CXO REvolutionaries.

Written by Kyle Fiehler, Senior Transformation Analyst, Zscaler.

Editor’s note: The world’s first cyber thriller anticipated zero trust more than three decades before it was born. And yes, this article could be a spoiler for some readers.

I didn’t read Cliff Stoll’s seminal classic The Cuckoo’s Egg when it was first published because I was an infant then. But the 1989 work of non-fiction crops up enough in online conversations about not-to-be-missed infosec classics that I thought it was high time I give it a read.

Andy Greenberg called it “the seminal cybersecurity book." It’s frequently mentioned in the same breath as other, more recent classics of the genre like Sandworm and This is How They Tell Me the World Ends. So, over the holiday break, between massive meals and Netflix binges, I tucked into the cyber classic to learn what the fuss was about.

If you haven't read the book or need a refresher, The Cuckoo’s Egg is Cliff Stoll’s first-person account of an astronomer who becomes the manager of the Lawrence Berkeley Lab’s computer systems after his grant money runs out. A $.75 accounting error leads the author on a chase through cyberspace to try to identify a mysterious hacker.

I expected all of the outdated tech references and Cold War allusions I encountered throughout the book. I did not expect to discover how little the typical attack chain has changed since the invention of the internet. Nearly instance by instance, the first hackers wielded the same bag of tricks then as they do today.

Much of what's dated about the book is equally entertaining. “Electronic mail,” as it's referred to throughout, is discussed with reverence.

"What would the CIA need computers for?" Stoll wonders to himself. =

There's talk of pagers, caller ID as a groundbreaking technology, and the NSA not engaging in domestic communications monitoring.

But beyond the charming naivete (in hindsight), there’s incredible foresight and something to be said about how little offensive and defensive tactics have evolved in response to previously unimaginable technical progress.

Hacking like it’s 1986

The four steps of a breach used by today’s cybercriminals to compromise organizations with regularity look much like it did in 1986. In The Cuckoo’s Egg, as in present day, the steps are predictable:

1. They find your attack surface

“The system isn’t the computer, it’s the network,” Stoll writes. Like many of the tech advances in his tale, networks are a mysterious leap with enormous potential for advancing human connectivity and learning with none of the downsides made apparent by experience.

In a precursor to Hansang Bae’s famous quip, “if you can reach it, you can breach it,” Stoll muses that, “If I could reach out and touch the NSA, they could reach out and touch me.” (Law enforcement agencies like the FBI, CIA, and NSA are eventually in touch with Stoll throughout his hunt.)

At one point, Stoll says that to secure one device against “all possible attacks…I’d protect my Unix-8 castle with a one-way moat.” It’s this language – and thinking – proponents of zero trust network access are still trying to retire. The sheen should have worn off by now.

Sadly, routable networks still reliably serve as the way cyber criminals today reliably discover attack surfaces before probing them for weaknesses.

2. They compromise you

Stolen credentials, then as now, were the Achilles heel of initial access controls. In The Cuckoo’s Egg they are unconfigured, misconfigured, written down, and stolen with simple programs. Stoll laments the most secure passwords, those made up of a string of random letters (only letters at this point) are too complicated for users to care to remember. Instead, users write them down in files, which are easily discovered by a hacker with privileged credentials.

In addition to alluding to the need for a password manager in 1986, Stoll describes early, dictionary-based brute-force password attacks that were effective against passwords like “manager,” “guest,” “admin,” and “service.” Password resets are not always forced and, when they are, passwords are often recycled. In a foreshadowing of problems that would plague a nascent IoT industry, some software during this period was even sold with hard-coded passwords.

3. They move laterally

Privilege escalation is central to the hacker’s ability to illicitly access ever more sensitive data in the “MILNET,” the subdivision of the forerunner to today’s internet dedicated to the United States military. In this incident, the hacker Stoll tracks took advantage of a vulnerability in the early text editing software GNU EMACS that allowed him to escalate his status to “super-user.”

Over the course of tracking the hacker, Stoll eventually discovers an exploit Trojan the hacker used to lift passwords from unsuspecting users. From there, lateral movement was a breeze. Stoll explains:

“Often, these network computers had been arranged to trust each other. If you’re OK on that computer, then you’re OK on this one. This saved a bit of time: people wouldn’t need to present more than one password when using several computers.”

Today, trust is more commonly applied to on-network users, but once again the principle holds.

4. They steal your data

Convincing authorities, including his boss at the lab, that copying data from the MILNET is a crime, or even worth taking seriously, is an uphill battle for Stoll throughout the book. None of the information is classified per se, he points out, but when enough sensitive information is pieced together it can reveal secrets.

Data is ultimately what our hacker pursues over the course of the year detailed in this book. It’s what eventually leads to his identification and capture, when Stoll arguably invents the honeypot.

Today, we understand data is a valuable commodity, the source of intellectual property, sales pipelines, and the rest. We also recognize that lures and decoys are a clever way of protecting it.

Networking’s fall from grace

The book’s title is a reference to the phenomenon of brood parasitism, where a member of one species “tricks” a member of another species into raising its young. Manipulating the trust extended to the brood in the same nest is, ultimately, what allows our hacker to move through the attack chain.

In a 30th anniversary retrospective for WIRED, Greenberg recalls asking Stoll about his sole face-to-face encounter with the hacker he tracked for more than a year. Stoll’s main gripe, he remembers, was that his hacker hadn’t put his skills to use making the internet a better place.

The Cuckoo’s Egg is laced with thorny tech issues we’re still dealing with today. It is, in some ways, an eerily modern evaluation of philosophical cybersecurity debates. From the moral culpability of hacking to whether vulnerabilities should be kept secret and exploited or made public and fixed, Stoll’s prescience is often downright creepy.

For Stoll, the presence of hackers on academic networks amounts to being expelled from a digital Eden. He realizes that a technology that promises to facilitate free inquiry and the unfettered exchange of ideas will need to be padlocked and fenced off.

“The whole thing depends on trust,” he writes. “To have our networks as our playground, we have to preserve our sense of trust; to do that, we have to take it seriously when people break that trust.”

With some experts predicting cybercrime to grow into a $10.5 trillion industry by 2025, that trust is long gone. Could networks be next?