Hostile governments, criminals and pranksters are relentlessly attacking the Vatican’s computer systems. It may not be long before they breach its defences

Play

The Vatican is under attack from an invisible, ubiquitous enemy. It works through deceit, distraction and derision. Its greatest strength is our own weakness.

Sound familiar? Perhaps. Yet the adversary here is not Satan, but cyber-attackers: a mix of hostile governments, activists, criminals and pranksters.

The most recent attack on the Vatican was in April, when Pope Francis used the word “genocide” to characterise the Ottoman Turkish slaughter of Armenians in 1915. This prompted Turkish nationalists – who vehemently contest this use of language – to launch a “distributed denial of service” or DDoS attack.

At this point, many non-specialists will be tempted to stop reading. One of the biggest problems in computer security is jargon. But just as it should be possible to debate road safety without knowing the difference between a gudgeon pin and a gasket, computer users should be able to understand the dangers they face and how to avoid them without encountering baffling technical terms.

As I explain in my new book Cyberphobia, DDoS is the simplest and crudest form of cyber-attack. Imagine a mob of angry Turkish nationalists flooding St Peter’s Square, so that nobody could get into the basilica or other buildings. Eventually the police and Swiss Guards would restore order. But for a time the normal life of the Vatican would be paralysed.

A DDoS attack is the online equivalent of that mob. Millions of computers make bogus requests for information from a website. The server, the computer which runs the site, cannot cope. Legitimate users can no longer gain access to the information or services they need.

This was not the first time that the Vatican has been subject to this sort of attack.

In what they called “Operation Pharisee”, the group calling itself Anonymous attacked the Vatican website in 2012, knocking it off the internet and posting a message that read as follows: “Today, Anonymous has decided to put your site under siege in response to your doctrine, liturgy and the absurd and anachronistic rules that your profit-making organisation spreads around the world…”

We can expect more such attacks. The Church’s brave but increasingly lonely stance on issues such as euthanasia, abortion, gay marriage, priestly celibacy and the like attracts the ire of “netizens” – the highly individualistic generation who have grown up in a world that distrusts hierarchy and rules, and prizes individual choice above all.

The Vatican will also be on alert for attacks from hostile governments. Turkey is the most recent country to cross swords with the Church, but the row with China over recognition of Catholic bishops is far deeper and more serious. Moreover, the Holy See is the only European state to maintain diplomatic relations with Taiwan. That could lead to sophisticated cyber-attacks (of which more later) or more DDoS attacks of the kind described above.

The latter are trivially easy to organise. Anonymous used its network of activists, along with specially designed software, to amplify its efforts. But a simpler method is to use a network of hijacked computers – a so-called “botnet”. These botnets can be created, but it is easier to rent them. Just as you can rent a crowd of extras if you are making a film, so you can rent a crowd of computers.

The only difference is that the market is on the “dark web”, a part of the internet which is not accessible to ordinary search engines, where the goods and services traded are illegal, and payment is by untraceable electronic cash, such as Bitcoin. You can rent a botnet by the hour, and at whatever size you like.

Most people whose computers form part of this trade are quite unaware of it. Sometime in the past they have opened an attachment or clicked on a link, with the result that their computer is infected. As far as they are concerned, it still works normally. But invisibly to them, it is also taking part in mob attacks organised by criminals and extremists.

This highlights one of the most important points about computer security: it is quite possible to be the unwitting accomplice in someone else’s crime. It is a fair bet that many of the computers that helped knock the Vatican website offline belonged to pious Catholics. They would be horrified to know that their carelessness had led to their computer being part of a network that was used by malefactors. But they would be most unlikely to find out. A well-run botnet does not consume enough computing power from the machines it enslaves to make itself noticeable.

A DDoS attack is crude by the standards of internet mischief and mayhem. It does not steal data, or corrupt it, or encrypt it, so it cannot be used for fraud, theft of intellectual property or to sabotage machinery. It may seem intimidating, but in truth it is not too complicated to deal with. The trick is to notice quickly that you are under attack, and to take precautions: filtering out bogus traffic and bringing in back-up computers to help take the strain. For an organisation the size of the Vatican, that should not be too hard.

The Vatican does not comment on its security, real world or online. But all the signs suggest that its defences against more sophisticated attacks are excellent. A report on the Anonymous attack by the computer security company Imperva (which did not mention the Vatican by name) showed how the attackers had tried repeatedly to breach the website. The attack was originally timed to coincide with Benedict XVI’s visit to Madrid in August 2011 for World Youth Day. Hackers tried to disrupt the event’s promotional website, and posted numerous videos on YouTube and other channels denouncing the Church’s stance on issues such as child sex abuse.

But even the group’s most skilled hackers could not find any weaknesses in the website, which would have allowed them to deface it, for example. This is a credit to the Vatican’s professionalism: many big companies have proved lamentably vulnerable. A technique known as “SQL injection” can allow an outsider to take control of a site simply by typing in a line of code – for example, into a search box, or even into the web browser. On a well-run site, the “escape characters” that give instructions are filtered out.

An even easier way to break into a computer is by impersonating the people who have access to it. To take a real-world analogy, it is like stealing a policeman’s uniform. Stealing credentials – a password and login – is best done by infecting your victim’s computer. If you can see what he has on his screen, and get a copy of everything he types, you have a good chance of impersonating him.

This seems to have been part of another attack on the Vatican in 2012. It involved a “keylogger” – a program which simply records every keystroke made on a computer and then sends it discreetly to its mastermind. The program concerned had the innocent-seeming name admin.hlp, and was hidden within a legitimate file in the Italian version of Windows, called amministrazione.hlp. The keystrokes were stored in another innocuous-sounding file called userdata.dat.

Getting this file on to a Vatican computer might seem a daunting task. But in fact it is simple. The two easiest ways to infect someone’s computer are through email: by persuading them to download an attachment or to click on a link. The attachment or web page will both seem anodyne. But they will give the attacker access to the user’s computer.

Again, innocent people can be unwitting accomplices in this. Their email accounts can be potent weapons in the attackers’ hands.

Imagine that you are a Catholic functionary who regularly emails the Vatican. If attackers get hold of your email account, they can send innocent-seeming messages which will certainly be read by the addressee in the Curia. After all, they are used to getting messages from you. The attackers can delete the message from your “sent” account, so as far as you are concerned, it never existed. But the damage is done.

The central problem in computer security – whether for the well-defended Vatican or the humble ordinary user – is that the internet was designed for academics wanting to share research material, with underlying assumptions of good faith and trust. Now that it has become the central nervous system of modern life, these design flaws make it highly vulnerable.

To see the problem, it may help to compare the internet with another network: international air travel. It would be impossible to fit a bogus part to an airliner in the way that attackers can infect a computer, because the aerospace industry and its customers take security seriously. Every part of the design, manufacturing and maintenance process has safety as a priority. Mistakes are rigorously scrutinised. Carelessness can mean dismissal, bankruptcy or prosecution.

Yet hardware, software and networks are not built to these standards. We accept computer crashes in a way we would never accept plane crashes. This did not matter in the days when computers were confined
to universities and hobbyists. It matters a lot now.

How does an ordinary computer user know that admin.hlp is a dangerous file, but that amministrazione.hlp is legitimate? Installing anti-virus software and keeping it up to date helps somewhat. But sophisticated attackers refine their products to make sure that they get past these sorts of screens.

The most difficult cyber-attacks are those that involve third parties. However good your own computer security, you can always be vulnerable via the weaknesses of others.

A simple and crude example of this came in 2010, when attackers exploited a weakness in Google’s search engine with the result that anyone searching for the Vatican was directed to pedofilo.com (Italian for “paedophile.com”) as the first result. Google quickly resolved the problem, but it highlighted the fragility of our online identities and reputation.

Most people assume that Google, Wikipedia and other sources of information are reliable, just as they assume that an email has indeed been sent from its purported source. But this level of trust is quite ill-suited for our dealings on the internet. Attackers – whether they be spies, hooligans, criminals, pranksters or activists – prey on our gullibility. They can try to harm our reputation, steal our secrets or extort money from us. We are only a click away from these threats, and we are without the protection that past experience gives us in our real-world dealings with strangers. We know instinctively what to look for in a stranger – appearance, smell, diction, gait, attire and the context in which we meet him. On the basis of all these subtle clues, we then decide how to interact with him. On the internet, all we have is a two-dimensional screen, perhaps with some tinny sounds coming from the computer’s speakers.

The internet tests some of our deepest assumptions about how civilisation works: how our online persona relates to our real selves, how we behave when we believe we are anonymous, what we really mean by privacy, and how far we are willing to sacrifice safety for convenience. These are questions for lawyers, politicians and sociologists – but also for theologians. Pope Francis has never used a computer himself. But he might wish to ask some of the Church’s keenest minds to look at these issues.

The Vatican’s defences (as far as outsiders can tell) have so far proved to be largely solid. But the guardians of its computers and networks will have to run in order to stand still. The central point of my new book is that our dependence on the internet is growing faster than our ability to defend ourselves. Attackers are looking at vulnerabilities on smartphones, both as ways of stealing data and of infecting other devices.

The “Internet of Things” – hooking up equipment and gadgets to the internet in order to make them more responsive and efficient – is growing with, as ever, innovation and convenience trumping security.
Any one of those internet-enabled devices can, once infected, be used in an attack.

The internet has given the Church unparalleled means to get its message across. But it has also given its foes unprecedented ways to attack it.

Edward Lucas writes for The Economist. His latest book, Cyberphobia (Bloomsbury £20), was published on August 27

This article first appeared in the Catholic Herald magazine (11/9/15)

Take up our special subscription offer – 12 issues currently available for just £12!