Quiet cryptologist Bill Duane's war with Beijing's best

AusCERT In March 2011, a suspected-to-be-Beijing-backed hacking unit infiltrated security giant RSA, successfully subverted its SecureID product and hacked top American defence contractor Lockheed Martin.

That attack left Bill Duane stressed and exhausted. Duane is a quiet cryptologist who co-developed the SecureID token. As the attack became apparent, he moved out of home and into a hotel across from RSA's office, to fight what would become a personal battle with an elite Chinese hacking unit.

Those long hours were needed because the breach is one of the most significant in history. The hacking unit known as PLA (People's Liberation Army) Unit 61398, or to the intelligence industry as Byzantine Candor, Comment Crew, and APT 1, operated out of a shabby building in the outskirts of Shanghai and excelled in plundering highly-secure US firms.

The hacking team was split into formal divisions including wings charged with maintaining acquiring access into hacked systems, lateral movement, and identifying and exfiltrating huge data sets.

Duane as a SecureID co-developer played a central role in the breach response.

"I have never worked so hard, under so much stress, and with so much at risk," Duane told the AusCERT security conference on the Gold Coast.

"At one point I was working every day of the week, 18 to 20 hours a day, sleeping in a hotel for a couple of hours across the road from work.

"The strongest thing that was driving me, I'm slightly embarrassed to say, wasn't the customers or the stock price, but was that if I failed my fellow employees would be out of work and that would affect food on their tables and their kids going to school."

The Chinese hackers learned of Duane's involvement and began targeting him. They did this despite that the distinguished engineer having virtually no online presence, no photos indexed by Google, no social media accounts, despite a tech sector career spanning more than four decades.

"They came after me personally with malware attacks on my netbook when they realised what I was doing," he says. "I popped up on the radar screen and [my anonymity] was destroyed."

He says the PLA hacking unit switched from its state of stealth, with infrequent command and control pings and careful lateral movement, to "smash and grab" after they realised they were detected.

"It opened up the arena of advanced cyber attacks that I had never really understood," he says.

The security pro urged the rapt AusCERT audience to treat their internal networks as "dirty", and to consider that any effort that makes life easier for staff and partners also simplifies an attacker's job

"No organisation can muster the defence against these attackers," he says.

Security administrators must also understand and reduce their exposure to the dangerous pass the hash attacks in which admin credentials can be plucked from memory. ®