{"id":17011,"date":"2020-07-09T15:15:15","date_gmt":"2020-07-09T11:15:15","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/fairy-tales-ali-baba\/17011\/"},"modified":"2020-07-09T15:15:15","modified_gmt":"2020-07-09T11:15:15","slug":"fairy-tales-ali-baba","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/fairy-tales-ali-baba\/17011\/","title":{"rendered":"Ali Baba and the forty cyberthreats"},"content":{"rendered":"<p>As we never tire of saying, fairy tales are thinly veiled reports on information security. And it wasn\u2019t only the European storytellers who tried to warn their descendants about cyberthreats \u2014 they were equally prescient in the East. For example, Scheherazade, the protagonist of the classic 1001 Nights, kept what can only be described as a daily infosec blog with video podcasts. True, she had an ulterior motive for doing so \u2026<\/p>\n<p>\u2026 but today we\u2019re looking at some cases added to <a href=\"https:\/\/en.wikipedia.org\/wiki\/One_Thousand_and_One_Nights\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Scheherazade\u2019s blog<\/a> much later, in the 18th century: in particular, the incident known as Ali Baba and the Forty Thieves. Even those who don\u2019t know the story are surely familiar with the magical phrase, \u201cOpen sesame!\u201d<\/p>\n<p>Indeed, the entire plot is built around the idea of using a password to protect against unauthorized access. But that is far from the only information security tip in the fairy tale. It\u2019s just the most obvious.<\/p>\n<h2>Password transfer through an insecure channel<\/h2>\n<p>Here\u2019s a quick story refresher: A gang of robbers hides some loot in a cave that can only be accessed using the password \u201copen sesame.\u201d 
The protection mechanism harbors a number of serious flaws.<\/p>\n<p>At the very start of the tale, the leader of the thieves stands at the entrance and shouts loudly: \u201cOpen sesame!\u201d Several issues are immediately apparent. First, the password is too simple. Second, there is no two-factor authentication \u2014 or even a username!<\/p>\n<p>Even worse, the password is transmitted over an open channel. Ali Baba, who is collecting firewood nearby, inadvertently overhears the robber. In fact, it\u2019s only out of curiosity, with no malicious intent, that he later tries the password. When the cave opens, however, he goes in and expropriates some of the treasure inside.<\/p>\n<h2>Spyware module<\/h2>\n<p>On his return home, Ali Baba gives the gold coins to his wife to count. She tries to do it manually, but there are so many she loses count and instead borrows a measuring instrument from her sister-in-law, the wife of Ali Baba\u2019s brother, Kasim.<\/p>\n<p>Some translations specify kitchen scales, some say that it was a pot of some kind, but it\u2019s not a weighty detail, so to speak. What\u2019s important is that the curious Kasim\u2019s wife smears the bottom of the instrument with honey (suet in some translations) to find out why her relative needs it all of a sudden. And when it\u2019s returned, lo and behold, a gold coin is stuck to the bottom \u2014 which means that her sister-in-law was using it to count gold!<\/p>\n<p>Even a cyberdunce can see that the author is describing a spyware module integrated into a legitimate product. Kasim\u2019s wife provides a device (under the Measure-as-a-Service model) and spies on the activity of the client. The clear moral of the story is: Use tools from trusted sources \u2014 and check them for vulnerabilities and malicious implants.<\/p>\n<h2>Forgotten passwords<\/h2>\n<p>What happens next seems a little far-fetched to me. Ali Baba confesses everything to Kasim and tells him the password. 
The latter enters the cave. Inside, he manages to forget the password (which is also needed to get out), gets trapped, and has his head chopped off when the thieves find him there. The marketing message is clear: \u201cDon\u2019t lose your head over a forgotten password,\u201d or something along those lines.<\/p>\n<p>I suspect that back in the day, this part of the story contained a product pitch for some ancient password manager used by Sasanid techies, but the original message has been erased through endless retelling. To compensate, we\u2019ll insert our own: <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a> securely stores passwords and other confidential information.<\/p>\n<h2>Never-changing password<\/h2>\n<p>But let\u2019s be-heading back to the story. After Kasim fails to come home, his relatives take off to look for him. Ali Baba goes back to the cave, finds his brother\u2019s body, and takes him home for burial.<\/p>\n<p>In the process, the reader is shown another example of a pitiful password policy: The robbers don\u2019t change the password after the incident. The exact reason isn\u2019t clear. It might be plain negligence, or the initially ill-conceived architecture of the authentication system.<\/p>\n<p>At the same time, it\u2019s possible that they simply don\u2019t have administrator rights. If they hijacked the cave (they\u2019re thieves, after all), they probably have only a user password. The real owner would\u2019ve taken his admin credentials to the grave.<\/p>\n<h2>Attack through a contractor<\/h2>\n<p>Because Ali Baba wants to keep the story secret, he can\u2019t bury a corpse with a severed head. 
So he and his brother\u2019s widow, plus her handmaid, Marjaneh, do all that they can to obfuscate what\u2019s going on. Marjaneh makes several trips to a pharmacist for medicine, making it seem that Kasim is getting sicker and sicker, and eventually reports that he has died a natural death.<\/p>\n<p>In the meantime, she brings a cobbler to the house to stitch Kasim\u2019s body back together. Moreover, she blindfolds the cobbler and leads him on a circuitous route so that he doesn\u2019t know where he is.<\/p>\n<p>The robbers, trying to source the information leak, close in on the cobbler. Promising him gold, they too blindfold the old man and force him to retrace his steps to the house.<\/p>\n<p>This example demonstrates that even if you work with contractors over a secure encrypted channel, sensitive information can still leak to intruders. Perhaps Marjaneh should have signed a nondisclosure agreement with the cobbler.<\/p>\n<h2>Honeynet<\/h2>\n<p>One of the gang members marks the gate of Kasim\u2019s house, where Ali Baba now lives, and returns with his associates that night to slaughter its occupants. However, the cunning Marjaneh spots the sign and marks the gates of all of the other houses on the street in exactly the same way, thereby foiling the attack.<\/p>\n<p>Essentially, Marjaneh turns the street into a kind of network of <a href=\"\/\/encyclopedia.kaspersky.com\/glossary\/honeypot\/\" target=\"_blank\" rel=\"noopener noreferrer\">honeypot<\/a> hacker traps. In theory, it works as follows: intruders in the network mistake one of the honeypots for the target, start to attack it, and thus reveal their intentions and methods. In the time it takes them to realize their error, experts from a government cyberresponse unit swoop down and stop the attack.<\/p>\n<p>All that remains is the question of how ethical it is to use the homes of innocent users as honeypots. 
In any case, no real harm is done; the robbers spot the ruse in time and call off the attack.<\/p>\n<h2>Containerization<\/h2>\n<p>The captain of the thieves decides to take personal charge of the attack. He acquires 40 huge jars (a possible reference to .JAR \u2014 the Java ARchive file format), two filled with oil, the rest empty. The jars with oil are there to fool a superficial scan; the robbers hide in the empty ones.<\/p>\n<p>With this cargo, he shows up at the house of Ali Baba. The plan is for the captain, disguised as an oil seller, to charm his way inside as a guest with the intention of releasing the robbers later, when everyone is asleep.<\/p>\n<p>On the whole, this is a description of an infrastructure attack using malware hidden in containers. Because the scanners at the entrance do not check inside the containers, the threat sneaks through the security perimeter. The insider captain then activates the malware.<\/p>\n<p>But Marjaneh again saves the day by overhearing a thief in one of the jars. She checks each container, determines which of them contain bandits, and then pours in boiling oil, thus eliminating the threat. In other words, even back then she had a tool for scanning the contents of containers. Our <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/devops-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Hybrid Cloud Security<\/a> solution has the same technology \u2014 only 1,500 years more up-to-date.<\/p>\n<p>In the end, justice prevails. The leader of the thieves is killed; Marjaneh marries Ali Baba\u2019s son (who appears out of nowhere at the end of the tale); and Ali Baba remains the only one with the password to the treasure-filled cave.<\/p>\n<h2>The moral of the story<\/h2>\n<ul>\n<li>When designing an authentication system, keep security in mind. 
Using a hard-coded password transmitted over an unencrypted channel without multifactor authentication is simply asking for trouble.<\/li>\n<li>Choose suppliers and subcontractors carefully. If possible, check their tools and services for vulnerabilities and malicious implants, and do not forget to have all parties sign nondisclosure agreements (NDAs).<\/li>\n<li>Use a <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/devops-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solution<\/a> that scans the contents of containers when they are loaded to prevent malicious code from getting into your project from a compromised repository.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>It turns out that the tale of Ali Baba is a collection of stories from ancient Persia about \u2026 cyberthreats?<\/p>\n","protected":false},"author":700,"featured_media":17012,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2319,2320,187,489,1393,2047],"class_list":{"0":"post-17011","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-containers","11":"tag-fairy-tale","12":"tag-passwords","13":"tag-social-engineering","14":"tag-spies","15":"tag-truth"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/fairy-tales-ali-baba\/17011\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/fairy-tales-ali-baba\/21548\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/fairy-tales-ali-baba\/8410\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/fairy-tales-ali-baba\/22784\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/fairy-tales-ali-baba\/20880\/"},{"h
reflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/fairy-tales-ali-baba\/19615\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/fairy-tales-ali-baba\/23464\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/fairy-tales-ali-baba\/22287\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/fairy-tales-ali-baba\/28706\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/fairy-tales-ali-baba\/8568\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/fairy-tales-ali-baba\/36284\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/fairy-tales-ali-baba\/15240\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/fairy-tales-ali-baba\/13708\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/fairy-tales-ali-baba\/24660\/"},{"hreflang":"zh","url":"https:\/\/www.kaspersky.com.cn\/blog\/fairy-tales-ali-baba\/11699\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/fairy-tales-ali-baba\/28802\/"},{"hreflang":"nl","url":"https:\/\/www.kaspersky.nl\/blog\/fairy-tales-ali-baba\/25660\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/fairy-tales-ali-baba\/22575\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/fairy-tales-ali-baba\/27828\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/fairy-tales-ali-baba\/27668\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/truth\/","name":"truth"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17011","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/700"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=1701
1"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17011\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17012"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17011"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17011"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17011"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}