Hans Christian Andersen on security technologies

Our Danish colleague spilled a lot of cybersecurity ink in his works.

Storytellers have been trying to instill a culture of cybersecurity in their readers since the Middle Ages. The basic principle is simple: Use the “cases” in folk tales to create real reports. The reports vary in detail, of course, but a careful read reveals a fundamental difference in the presentational approach of each author.

The Brothers Grimm and Charles Perrault may have constructed their tales around cyberincidents, but Hans Christian Andersen paid special attention to protective technologies. It appears the Grimms and Perrault were funded by companies specializing in incident investigation, whereas Andersen worked for a security solution vendor. Let’s consider some examples of his output.

The Wild Swans

The introduction to this fairy tale is pretty standard: A recently widowed king marries a wicked queen who turns out to be a witch — a common euphemism in fairy tales for an insider threat. Despising the young princes, she encrypts them (makes them birds). Curiously, Andersen reveals that the encryption algorithm is flawed — the evil stepmother tries to encrypt them in .big_birds_without_voice format but ends up with .swans.

Further on, the tale describes the princess’s ordeals and some attempts to contact third-party cryptography consultants, but a large part of the story is about how the princess manually writes 11 decryptors — one for each of her brothers.

The tale relates how she weaved the decryptor code out of nettles she harvested from a church graveyard. The mention of the graveyard seems to hint at the C++ programming language (the two plus signs represent crosses), which, not coincidentally, was developed by Andersen’s fellow countryman Bjarne Stroustrup. That is, the princess wrote the decryptors in C++.

But Andersen remains impartial; we see that with the last decryptor, which contains an error, leaving some of the last brother’s files encrypted.

The Princess and the Pea

The fairy tale “The Princess and the Pea” feels a bit like a report on implementing a medieval sandbox-based behavioral analysis engine. Perhaps Andersen wrote it for some specialist periodical, or as a whitepaper on a success story.

In short, the story tells of a prince who has to prove the woman he wants to marry is a real princess. To that end, his mother prepares an isolated, controlled space (in other words, a sandbox), simulating the princess’s bedroom. She hides a trigger in the bed to provoke normal princess behavior, obfuscating the trigger with 20 thick mattresses and feather beds. According to the mother’s hypothesis, a real princess would respond to the trigger even in such conditions, whereas a fake princess would be unaware of it.

Next, the research subject, placed in the bedroom, responded appropriately to the trigger, and thus the prince’s mother issued the verdict: Princess.

Today, we use behavioral-detection technologies to detect malicious, rather than princess, behavior. The basic principle remains the same, however. For example, Kaspersky Research Sandbox analyzes the normal operation of a computer in a corporate network and emulates it in an isolated space to then monitor the behavior of potential threats.

The Tinderbox

In “The Tinderbox,” Andersen writes about a hacker. Simply called the soldier, our hacker uses a kind of communicator called Tinderbox to contact a criminal group of monstrous dogs. The dogs provide him with coins and a communication channel to the princess, bypassing government restrictions. What’s more, they conceal his criminal activities in the real world by physically eliminating unwanted people. In other words, it’s a dark-web tool, and the name Tinderbox is clearly a reference to Tor.

“The Tinderbox” is atypical in some regards, primarily in its choice of protagonist. The heroes of fairy tales tend to be positive characters, or at least they evoke feelings of empathy. Here the central character, far from being a hero, is immoral to the core.

In the course of his extremely short tale, the soldier swindles, robs, and kills an old woman who told him where to get money, repeatedly kidnaps a princess, does away with her parents as well as the judges and the royal councilors, and ultimately seizes power. Andersen clearly wanted to depict the man as a criminal.

Returning to the information security prism, we are not interested in the tinderbox per se, but rather in the measures palace defenders used to pinpoint where and how the soldier makes contact with the princess. The queen (note that, as in “The Princess and the Pea,” it is the woman of the family who is responsible for information security at the palace — that’s how Andersen shows how important the role of CISO was in medieval times) makes several attempts to get a fix on the hacker.

First, she instructs the in-house (in-palace) cyberthreat analyst — a lady-in-waiting — to trace the intruder’s address manually. The lady-in-waiting correctly identifies the subnet the soldier is using, but the complex system of address obfuscation keeps her from determining the precise machine. In other words, to throw her off the scent, one of the dogs marks the surrounding gateways with the same chalk cross as on the soldier’s gateway.

The second attempt is more sophisticated and more successful. The queen embeds an implant in the princess’s client app — a bag of buckwheat groats. During the next communication session, the buckwheat implant marks the intermediate nodes through which the cybersavvy dog redirects the signal to “Soldier’s window” — that is, directly to his Windows-based computer. As a result, the soldier is traced, arrested, and sentenced to death.

Unlike “The Princess and the Pea,” however, this is a cautionary tale, not a success story. A passerby is bribed to deliver the communicator to the condemned man, who enlists the help of the whole canine criminal group; ultimately, the queen’s efforts were in vain.

The Emperor’s New Clothes

Rounding out our selection of Andersen tales about information security technologies is another famous one, “The Emperor’s New Clothes.” The original tale is quite clearly a satirical critical article about cybercharlatans — in this case, vendors who lavish praise on their own next-gen blockchain- or AI-based cybersecurity.

In “The Emperor’s New Clothes,” the king allocates money to develop a full-fledged cybersecurity system, but the contractors just flourish some snazzy blockchain-themed presentations and pocket the cash. The king’s advisers, knowing nothing about the technology and afraid of looking stupid, confirm its great prospects. Later, a young but seemingly experienced pentester notices that the royal protection system is not merely full of holes, but entirely nonexistent.

The cybersecurity industry has moved on quite a bit since Andersen’s time. Modern organizations  choosing security solutions should be guided less by advertising slogans and more by the results of independent tests.

Tips