Archives For cyberattacks

300

While reporting about cyberwarfare and information security has been getting better and better as of late, there are still some articles that posit baffling ideas about how to prevent a massive cyber attack launched by a government. The strange idea in question this time is one which has a good starting point, but ends up imagining cyber attacks as one would imagine a conventional siege, somewhat reminiscent of The Battle of Thermopylae. Rather than envisioning an attack from the cloud able to hit a target out of the blue, it tries to portray network topologies as a kind of unseen battlefield on which one side can gain an advantage by exploiting the landscape…

Cyberspace depends on a physical infrastructure of computers and fiber, and this physical infrastructure is located on national territory or subject to national jurisdiction. Cyberspace is a hierarchy of networks, at the top of which a small number of companies carry the bulk of global traffic over the Internet “backbone.” International traffic, including attacks, enters the United States over this “backbone.” The backbone is a choke point, relatively easy to defend, and something that the NSA is already intimately familiar with (as are the other major powers that engage in signals intelligence). Sit at the boundary of the backbone and U.S. jurisdiction, monitor and intercept malware, and attacks can be blocked.

Technically yes, you can use the main switches where the fiber stretching across the oceans will reach your shores and have a deep packet inspector check the headers of incoming packets to flag anything suspicious. But this really only works for relatively straightforward attacks and can easily be avoided. If you’re trying to inject a worm or a virus into a research lab’s computer, you’ll have to get through an anti-virus system which will scan your malware and compare its bytes to as many virus and worm signatures in its database as it reasonably can. With the sheer amount of malware out there today, these tools are good at stopping existing infections and their mutant versions. However, brand new attacks require reverse engineering and being ran in a simulated environment to be identified. This is how Flame and Gauss went undetected for years and they were most likely not even spread via the web, but with infected flash drives, meaning that efforts to stop them with packet inspection would’ve been absolutely useless.

A deep packet inspector sitting at MAE-East or MAE-West exchange points (or IXPs) would have to work like an anti-virus suite if it is to do what the author is proposing, so it can stop someone from downloading an obvious virus or bit of spyware from a server in another nation or deny an odd stream of packets from China or Iran thought to be malicious, but it’s not a choke point in any conventional sense. IXPs are not in the business of being a traffic cop so having them take on that role could have serious diplomatic repercussions, and aggressive filtering could have all sorts of nasty downstream effects on the ISPs connected to them. Considering that trying to flag traffic by country could be foiled by proxies and IP spoofing, and that complex new attacks would easily be able to slip by an IXP-based anti-virus system, all the effort may might be worth it in the long run and simply cause glitches for users trying to watch Netflix or surfing foreign websites to read the news in another language while trying to prevent threats users can easily manage.

So if creating IXP chokepoints would do little to stop the kind of complex attacks for which they’d be needed, why has there been so much talk about the Pentagon treating the internet as a top national security concern and trying to secure networks across America, or at the very least, be on call should anything go wrong? Why is the Secretary of Defense telling businesspeople that he views cybersecurity as the country’s biggest new challenge and has the Air Force on the job? My guess would be that some organizations and businesses simply haven’t been investing the time and attention they needed to be investing in security and now see the DOD as the perfect, cost-effective way to secure their networks, even though they could thwart attacks and counter-hack on their own without getting the military on the case, perhaps not even realizing that they’re giving it a Sisyphean task. If they know they’re targets, the best thing for them to do is to secure their networks and be aggressive about hiring infosec experts, not call in the cavalry and expect it to stop a real threat from materializing since it simply can’t perform such miracles…

Share

noodly_horror_600

Supervisors at a water treatment facility in Indiana knew that something was wrong when a pump stopped working for seemingly no reason. Their concerns only grew when they checked the logs and saw that improper commands were being issued to the SCADA machine controlling the now broken pump. Even more disturbingly, the logs showed that someone from Russia accessed the machine months before. Obviously this was a case of sabotage designed to test how vulnerable American infrastructure was to a Russian version of Stuxnet. But why didn’t the hacker clean up the logs to hide his point of origin? Could it be a false flag operation? Or did he just get sloppy? Or was there no hacker at all and the logs showed a plant contractor doing his job from a family vacation in Russia, but the DHS simply ran with the hacker story instead based on no evidence of an actual hack taking place and stuck to it even in front of Congress? Yeah, I think the title of this post kind of gives this one away and the link makes the answer even more obvious…

Here are some important questions we need to ask about this incident. Why is an agency that should protect us from external threats immediately going into paranoia mode without doing any proper investigation? Why are taxpayers shelling out tens of billions of dollars on experts who can’t seem to make a few phone calls and publish their first suspicions as facts? Why does the agency which employ them renounce the report for the media but tells Congress that a Russian cyber-army was testing its weapons against American infrastructure? And why are its centers, in which data is supposed to be shared between agencies to act on threats faster, producing little to no actionable intelligence? If the DHS is basically just a piggy bank for anyone who can claim to be a security consultant, why are we footing the bill for it? Why can’t we just beef up existing agencies at a lower cost and have them access each other’s’ systems? And finally, why is it that when these questions are asked aloud do we hear nothing but excuses and talking points?

Share

dead cyber spy

Nowadays, if you hack into a company’s servers, the company might hack you right back. No, it won’t wipe your hard drive or infect you with a virus of course. The goal is to figure out who you are and what you’re after, primarily because some of the most advanced hacks over the past few years have been cases of industrial and military espionage. And this is where legal wonks are arguing that the government should step in, lest a company issue a retaliatory cyberattack only to find that its target is actually a foreign intelligence agency. Case in point, Google. After a very sophisticated attack on its servers coming from China and a messy international incident which saw a heated back and forth between the Chinese Communist Party and the company, the tech titan hacked back and found that its attackers were targeting defense and other tech companies with meancingly complex scripts and the group, dubbed the Elderwood Gang, is still at it.

Their easy access to zero day exploits and the coordination equired to pull off their favorite type of attack points to backing from someone who can afford to employ highly skilled programmers and wants to spy on foreign defense and tech contractors, trying to steal blueprints, e-mail, and source code.Basically, what I’m trying to say is that prevailing rumor paints the Elderwood Gang as a part of the Chinese cyber-army long suspected of stealing classified documents from the U.N. and a lot of First World military contractors and government agencies via spyware. As the vast majority of the wired world knows, the United States isn’t exactly a hacking lightweight and it more than likely deploys some very sophisticated spyware and malware of its own. So, say the legal wonks mentioned above, have the Air Force and the NSA tackle sophisticated hackers, not companies that find themselves riddled with foreign spyware. It could’ve come from a Facebook game someone way playing at work and is trying to steal logins to PayPal, or it might be a worm from another government and hacking them back would provoke an international incident which would have to escalate all the way up to the military. But is that a workable approach?

No, not really. Fact is that the vast majority of infections are trying to steal financial information and/or turn your computer into a bot for DDOS attacks. Not only that, but the malware kits used to make viruses and worms are exploitable too. Only a tiny sliver of all the nasty stuff you might catch surfing random sites without some very heavy duty firewalls and strict privacy and browser settings, is actually complex malware from a nation state, and even then you’d have to be a very highly visible defense or tech company since these attacks tend to come from whailing (which is like spear-phishing but targeted to high level executives) and compromised industry message boards, blogs, and forums. Little fries don’t interest the spies much so they quickly lose interest, so it’s really the Lockheed Martins, EADS’, and Northrop Grummans of the world that should be worried, but considering their cozy relationship with the militares of their home states, they can always escalate things when they need to. And since all this is being done in secret, I’d highly doubt that a foreign intelligence agency hacked in retaliation will cry foul. That would just be an admission of guilt and the start of a major diplomatic clusterscrew.

Were we to start reporting hack attempt after hack attempt and infection after infection, we’d so quickly swamp cybersecurity experts at the NSA and the Air Force, that they’d be buried under a massive backlog of things to investigate in weeks while the torrents of reports keep on coming. Antivirus makers already have vast databases that can identify who was infected with what kind of virus and how to remove it running 24/7/365, and can keep up with 99.9% of infections out in the wild. Considering that they’re the primary discoverers of cyber weapons in use, they’re more than up to the job and can do it without defense establishments getting involved in their daily work. And when we take into account the sheer number of random trojans and worms out there, a hacked company has a 99.9% chance of pinging random hacker crews rather than something as threatening as the Elderwood Gang or as sophisticated as Flame or Stuxnet, and even then, no one on the other end will make a peep because doing so would be a lot worse than keeping quiet and let the retaliating businesses get away with it. Treaties and tens of billions in trade may be at stake so it’s best to just let the accusations die down and resume the spying later. So if you get hacked, go ahead and hack back. You’re not going to start any wars by doing it.

Share

Some of my latest posts about cyber warfare seem to have attracted a few eyes, including those of someone who does research in the security field. One pair of the eyes in question belong to Dr. Jan Kallberg, who was kind enough to send me a paper regarding the political side of standardizing security standards and a piece on space warfare strategies which delved into detail about something I mentioned regarding one surprising problem with cleaning up space debris. Considering that standardized communication satellites should be using the same operating systems and therefore, likely to be susceptible to very similar exploits, Dr. Kallberg envisions covert, space-based wars which use hijacked satellites as missiles. Now, mind you, you cannot just grab any old satellite and send it hurling into a covert military asset because you’ll need to change orbits, an ability which is very limited for many spacecraft, and you’ll need to know exactly where this asset is. It’s not at all impossible as demonstrated by an amazing astrophotographer who captured a Keyhole spy sat, but it’s also not trivial. Though, if you can pull it off, chances are that you may actually escape a swift retaliation.

Imagine that you’re a nation with spy satellites scattered around Low Earth Orbit and a rogue communication satellite just careened into one of them. If it was the property of a native company, you could always ask for an explanation to make sure it wasn’t compromised and find some sort of digital trail pointing to foul play. But if a foreign satellite is involved, how exactly do you prove a breach or a deliberate crash? Maybe someone from a rival state paid for the satellite, the company shot it into orbit only for it to sadly spin out of control and thwack a spy satellite from your inventory at 17,000 mph. You’d have to do a lot of digging in a potentially hostile terrain to put together the real sequence of events. But we might be getting ahead of ourselves. First ask yourself if it would be wise to acknowledge the loss and try to retaliate for it since you’d be exposing a secret sat program, and also saying that your orbital assets can be tracked and shot down for as low as $51 million per shot. Yes, it sounds very expensive, but when your multi-billion dollar SIGINT program could be derailed for $250 million or so, it’s a blow to your intended ROI and a devious exploitation of a loophole in the Outer Space Treaty…

Share

So we’ve already seen how some of the more vocal pronouncements about cyber warfare were overhyped by those who think that hackers are nearly omnipotent, and thankfully, more and more skeptics with a good idea of how computers actually work have been published in major publications. One of the promoters of the idea of cyber warfare used for asymmetrical military engagement, Foreign Policy, now has two dueling posts on the subject, one of which puts current examples of cyber war in proper context, and one which tries to spin every act of digital malfeasance as an act of war. Obviously, you know where I stand on the issue and can probably guess that I find few faults with the skeptical column. It does underplay intelligence collection on the web and recurring problems with phishing and whaling for classified information, something which does have a very real impact on military affairs and planning, but otherwise, it’s very well done and researched. And by contrast, its doppelganger seems to mix digital spies, activist DDoS attacks, and what seems to be actual military operations using a computer virus into one huge and scary melting pot of digital gloom and doom.

robot vs. fish

We can’t assume that every major DDoS attack is being executed as an act of war because it’s not. For a long time, these attacks were used to hold certain sites for ransom and occasionally, what looks like an attack is a programming error which triggers internal applications to send way too much data over the wire. Over the last year, it’s also become a form of protest, a means to voice one’s displeasure with the powers that be and do at least something to demonstrate that they’re not invulnerable. So yes, some DDoS attacks could be political in nature, but they’re hardly effective weapons. Take a look at the reality behind the case of the attack on Estonia which was compared to a military blockade of government institutions by the nation’s prime minister…

The well-wired country found itself at the receiving end of a massive distributed denial-of-service attack that emanated from up to 85,000 hijacked computers and lasted three weeks. The attacks reached a peak on May 9th, when 58 Estonian websites were attacked [ simultaneously ] and the online services of Estonia’s largest bank were taken down… It was a nuisance and an emotional strike on the country, but the bank’s network was not even penetrated; it went down for 90 minutes one day and two hours the next.

Would you really claim that an attack that made one major bank’s online dashboard unavailable for three and a half hours over two days was a successful military operation? A similar DDoS attack on Twitter credited to a group of Russian hackers who wanted to silence a Georgian blogger also used to get a lot of traction when a cyber warfare drum needed to be beaten, but the outage lasted just a few hours and did nothing to silence or dissuade the blogger being targeted. Take a look at a much more serious incident when hackers working for a Chinese government project were snooping through Google’s servers for political dissidents’ e-mail. This was a careful, expert attack for political purposes but it was an internal matter rather than an attempt to attack the company or the nation which that company called home. So far, the only real successful example of a well executed act of cyber warfare was the Stuxnet worm. It was written by experts, targeted one specific system to sabotage another nation’s nuclear program, and seems to have achieved its intended goal. A supposed work of a Russian hacker squad to apply their own version of Stuxnet to an Illinois water utility actually turned out to be nothing more than a manufacturer’s employee trying to update the SCADA software from Russia, but it was assumed to be a sinister attack until shown otherwise thanks to the heated rhetoric about cyber war.

As said in the previous post on the subject, cyber warfare is nowhere near as effective or simple as we’re told again and again by the media, politicians, and self-proclaimed security experts why spread gloom and doom so they can sell their services after driving demand for them upwards. Counting every DDoS attack, and every questionable use of a computer as a precursor to cyber warfare diverts our focus from securing what’s really, truly important to secure, misleading those in charge into thinking that every computer virus should be treated as seriously as an active nuclear warhead ready to go off with no warning rather than prioritizing their assets, and developing cost and time-effective measures to avoid easily discoverable and exploitable flaws in the key nodes of their networks. No system will ever be unhackable or invulnerable, but it can be greatly reinforced in the most important points and surrounded by honey nets and powerful firewalls that filter incoming traffic into tools that can examine the probability that an incoming request is malicious. To do that, we need to be sober about the threats we face rather than chasing down every DDoS protest or rumor of a Stuxnet 2.0 co-opted by vicious hackers working for a special ops team with wild abandon while thinking it makes us safer.

[ illustration by Andre Kutscherauer ]

Share

Generally, if you work with technology for a living, you notice that people have two extreme reactions to all new electronic devices. The first is surprise that they can do anything beyond their expected functions, like gasping when smartphones browsing the web offer to make calls to the numbers one clicks. The other is a belief that the new device can do pretty much anything and everything under the sun, transcending mere bits, bytes and circuitry, and becoming indistinguishable from magic. Unfortunately for us, those now terrified of cyberwarfare seem to have the second extreme reaction, and if you want to know just how paranoid they can get, check out what former bureaucrat and current security consultant, Richard Clarke, says about the possibilities of a huge cyber-offensive in his attempt at a non-fictional adaptation of a Tom Clancy novel. Unbeknownst to IT experts, computers have suddenly gained the power not only to tear through any security measure, but also overcome incompatibilities between proprietary software packages and operating systems, and air gaps, while hackers are now supposed to level playing fields for nations with small militaries with their 1337 techno-wizardry.

While this notion grabs eyeballs, sells books and magazines, and scares the living daylights out of politicians who saw the flick Live Free or Die Hard one too many times, it’s total rubbish. Cyber-espionage is a very real thing and it does happen all the time when hackers or even computer science students recruited by a military adopt common hacker tricks to peer into classified networks. They use social engineering, a widely available packet sniffer like Wireshark, or a custom built one based on the open source library on which Wireshark was built, attempt spear phishing and whaling with employees of major security contractors, or look for any gap in secured networks that may lead to valuable intelligence. But there’s a huge gap between the very real threats posed by hackers looking for information much the same way Anonymous’ Antisec collective carried out a lot of its operations, and being able to just flip a switch and bring one of the largest, best armed, and most wired nations on the planet to its knees in just fifteen minutes like Clarke prophesizes. A review of his book on a top security news blog accurately alludes to the Book of Revelations when describing his visions…

Chinese hackers take down the Pentagon’s networks, trigger explosions at oil refineries, release chlorine gas from chemical plants, disable air traffic control, cause trains to crash into each other, delete all data, including offsite backups, held by the federal reserve and major banks, [and] then plunge the country into darkness by taking down the power grid from coast-to-coast. Thousands die immediately. Cities run out of food, ATMs shut down, looters take to the streets.

He forgot cats and dogs living together and the seven-headed, ten-horned beast ridden by the bejeweled and purple-robe clad Whore of Babylon leading Satan’s digital forces in a charge across Megiddo, but not bad as far as apocalyptic fantasies go. Problem is that all of this simply can’t happen unless the entire nation runs on only one massive command and control system that can be accessed via the web. Considering that the main software package in your office has trouble talking to that of another company, much less every company that works in the same industry as you, you can probably see the problem in this logic. Try and bring down power grids across the country. You can’t. They work in disparate blocks using different SCADA machines which are made by different manufacturers and use different software. The now infamous Stuxnet worm only targeted a single system, Siemens Step 7 and looked for only one type of instruction to disrupt. If the same instruction is a different argument type in Step 8, the worm will be rendered impotent. True, there are vulnerabilities in many of those SCADA machines because the manufacturers often didn’t bother fixing them and their customers do not want to update for fear that their perfectly calibrated systems may break, costing tens of millions in repairs and downtime, but the sheer variety and number of them makes a one-size-fits-all attack impossible.

Even though it was found that thousands of SCADA machines are not really air-gapped, they were made by different vendors, have different vulnerabilities, and represent only a tiny fraction of all the SCADA machines in use right now. An army of thousands of hackers working around the clock couldn’t do even a tiny fraction of the damage Clarke envisions just because the technology they’re attacking is so disparate and varied. And to hit banking systems to empty out ATMs they would need to attack massive international funds exchange entities responsible for standardizing inter-bank communications, no easy task by any means. To disable GPS, they’ll need to task down dozens of military operated and tracked satellites, and to take down air traffic systems they would need to disable tens of thousands of radar towers across the nation, also operated by a wide variety of software and hardware. I really don’t think Clarke and those who quote his hyperbole realize just how vast our wired infrastructures are and how many millions of targets would need to be hit simultaneously to do serious or lasting damage to them in a very short span of time, many of which would be air gapped and really difficult to exploit. And when the hackers actually bump into decent security and honey nets, they’ll need hours if not a full day or two to find the appropriate zero-day exploit to continue their attack. Again, this isn’t simple stuff.

Sure it’s scary when Antisec rummages through the web and takes down the websites of the CIA and FBI, but you have to keep in mind that most of the sites hit by Anonymous members were targeted with a social DDoS tool which simply overwhelms web servers rather than actually destroying databases or interfering with how a site does business logic on the backend. Big enough websites are pretty much impossible to shut down with this method because their enormous networks could simply absorb the attacks, and tearing down posters for any major government agencies in no way compromises the data they actually keep classified on the internal networks they use in their daily work. The sites that are hit by hackers who do steal valuable information either used very lax security or didn’t update their security tools against new threats, and the hacks were the results of their complacency. For well-maintained and well-updated sites, a hack isn’t a simple matter of using a new script like a lock picker would select a different tool, it’s a slow and steady research project where the gap will be found by trial and error rather than a simple brute attack. No network and no device will ever be 100% safe and secure, but neither is every network an easy target for government hackers on a mission.

Share

Humans have a long history of bad ideas including our attempts to treat the plague with leaches, blaming the mentally ill for being possessed by demons, the Inquisitions, and a whole lot of other things we could spend weeks listing. Among all those bad ideas, we should also count the newly resurrected internet kill switch bill, which was concocted last year by Joe Lieberman and managed to show absolutely zero awareness of what the internet is or how it actually works. It seemed as if Lieberman read something about Chinese hackers trying to get into American servers and acquire some militarily useful intelligence, decided that damn it, he’s going to do something about it, and without consulting anyone with a passing clue of networking, drafted the fanciful notion of some big, red button that the President can press to shut off the internet and stop the hordes of foreign evildoers trying to wreck the nation’s infrastructure from coffee shops in Beijing or Moscow. And just to add insult to injury, the bill actually had sponsors who also seemed to know nothing about the internet and why it’s not just a really long series of winding tubes you can just shut off with a strategic valve on a whim.

You would think that in the wake of Mubarak’s crackdown on internet access and it’s failure to stop Egyptians from getting on Facebook and Twitter, the lawmakers seriously proposing the kill switch idea would consider the fact that it’s impossible to shut off every modem and smartphone in the country and that perhaps, it could be a good use of their time to learn a little something about how internet connectivity works. You can’t place a kill switch on it because by its nature, the internet is decentralized and since we use it so much, we just keep forgetting that it was invented as a military communication tool designed to keep commanders connected in the event of a massive nuclear bombardment which destroys existing communication networks. Try to block signals coming in or out of your country’s networks, and you’ll find that there’s always some work-around and the data packets can either be spoofed to go around your firewalls, or simply take another route to get where they were sent to go. That’s what makes the internet great. But instead of learning the appropriate lesson, the proponents of the kill switch decided to prove that they based their idea on too many action movies

But proponents of the American bill countered that they would never want a shutdown on Egyptian lines. Laws that govern radio and television broadcasts already give the American authorities the right to shut bits of the internet, they argue. The new bill merely clarifies and limits such powers. These would be needed, for example, if hackers took control of nuclear facilities, or were about to open the Hoover dam.

Right, because nuclear reactors, dams, and power grids could be magically accessed online and just like in the movies, pressing keys really fast on your keyboard and hitting a random button with an excited yelp would shut off all power to North America or give you a dashboard from which you could steer a nuclear reactor into meltdown the size of Chernobyl. Now I know that Live Free or Die Hard might have been a fascinating movie, but it’s not exactly a good, reasonable, or even remotely accurate instruction manual on cyber warfare. If you’d like to know what Hollywood thinks computers could do, you should take a look at the Tron sequel’s creative re-interpretation of basic computer science. In the real world, critical infrastructure nodes would more likely be felled by something like Stuxnet, a custom-designed saboteur program intended to subtly disrupt ongoing processes and nudge very complicated hardware to do something it’s not supposed to do. Simply hacking in and hijacking a SCADA machine or an industrial computer, which is very seldom connected to anything other than the device it’s intended to control, is the realm of fiction. All an internet kill switch would do is disrupt the day’s ongoing business transactions while mildly inconveniencing a hacker who’ll now need another proxy or a few spoofed packets to finish whatever he or she was doing.

Share

While there’s a lot of talk about cyber-warfare, most examples of it are pretty transparent attempts to censor criticism via relatively crude denial of service attacks, read e-mails of political dissidents, and scare those who own sites and forums trying to recruit new terrorists. Despite the sometimes hysterical fears of assaults through an ethernet cable, some of them so extreme they result in ridiculous legislation, there haven’t been any known attempts to take down critical infrastructure nodes by electronic means. Until now. Tech blogs are abuzz about a worm known as Stuxnet, a terrifying piece of malware that targets computers and software that monitor and control day to day activities of industrial complexes and spreads through infected USB drives, or vulnerabilities in Windows-based networks. Once it finds its intended target, it can override alarms critical for real-time monitoring and insert malicious commands of its own. If the age of cyber-warfare is finally here, this worm is its opening salvo and a sign of some very, very menacing things to come in the foreseeable future.

Stuxnet is a fairly complex worm, about half a megabyte in size and written in at least three languages to do its work: an assembly language used in industrial SCADA machines, C, which corresponds well with assembly languages allowing for faster command execution, and C++, an object-oriented version of C. The worm goes to work by taking advantage of how generously Windows systems parse autorun files and at first, presents a perfectly legitimate certificate for Realtek, which makes audio device drivers. Once the system thinks it’s really dealing with a perfectly legitimate file, Stuxnet pulls a switch and installs a malicious library instead. When it’s in a SCADA machine, it listens to the database queries being executed by a very particular software package, a software package called Siemens Step 7, used in power plants, pipelines, and nuclear complexes. Stuxnet seems to be primarily interested in mission-critical OB35 data blocks, required to manage processes that run at vey fast cycles, things like air compressors, centrifuges, and turbines. And at this point, I’m sure you already see where this is going. This is the kind of worm that could cripple real world targets.

The complexity of Stuxnet, the fact that it had a valid certificate, and used as many as four vulnerabilities which haven’t yet been patched, or so-called zero-day vulnerabilities, raised a lot of speculation and several security experts went on the record to say that Stuxnet may be the work of a government-funded lab. After this notion was first floated, some bloggers tried to connect the dots with a WikiLeaks report to come up with one hell of a conspiracy theory which sounds like a Hollywood blockbuster in the making. According to Threat Level, a rare tip from WikiLeaks’ repository mentions a huge accident at the Natanz nuclear facility in Iran. Where most of the Stuxnet infections were detected. After that accident, Iran lost some 800 uranium-enriching centrifuges, and the head of the nation’s nuclear program suddenly left his post. The alleged culprit? Israel. The proof? An obscure quote about the possibility of cyber-attack against Iranian nuclear plants attributed to a former cabinet minister in an Israeli newspaper. All this is at best circumstantial, especially since we don’t really know all the facts of the matter, but this is plenty for conspiracy theorists. In fact, they would probably consider this proof an airtight report since they’ve build elaborate world-domination plots on much, much less.

But is Stuxnet really the first salvo in a real world cyber-war? It was distributed in a scattershot pattern, drifting from infected USB drives, through vulnerable networks, and trying to make its way to a SCADA machine. This would be a great strategy to conceal the source of the attack, but it’s also very messy and doesn’t guarantee a successful infection of the intended target. And while Iran did bear the brunt of the outbreak with some 34,000 cases, Indonesia and India had roughly 10,000 and 5,000 infections respectively, suggesting that whoever or whatever spread Stuxnet had some ties to these nations. Israel would have little of value to gain by infecting a swarm of SCADA machines anywhere but Iran, and could be far more precise in delivering a worm. As far as we know, neither India nor Indonesia have any nuclear deals with Iran or ship it any vital components. Plus, a tip published on the web about a top secret accident at Natanz isn’t proof that a worm was responsible. All we know is that Stuxnet could potentially be used for industrial sabotage, or trigger an accident. not that it actually did it. Without looking at its source code, I couldn’t offer a qualified opinion on its full capabilities, and I would really rather not speculate without examining the worm firsthand.

Finally, we need to consider the charge that to make Stuxnet work would require a nation state’s resources. It is suspicious that it used four zero-day vulnerabilities and had Realtek’s authentication, something that would require its makers to have access to the company’s private key. It would also require that at least one person behind the worm really understood Step 7 and what calls it made to its database. But none of this points to a government entity per se. Private keys can be stolen, there are forums on dark web networks exchanging the newly discovered zero-day vulnerabilities, and if you want a manual on how to program SCADA machines, you can find in depth tutorials with a quick search. In fact, many developers rely on searches to find the right syntax for system-specific and esoteric commands when they get stuck, so I would be very surprised if these tutorials were hard to come by. Same goes with actual SCADA machines. You could certainly buy one or two and run a number of tests to make sure your worm is stable and behaves as it should. Yes, you would run up a bill for a few thousand dollars, but it’s certainly not a prohibitive investment for a small group of people.

So in other words, nothing in this screams about a need for government involvement. That said, Stuxnet does indicate that whoever built it knew a good deal about SCADA systems, understood low-level vulnerabilities in the targeted Windows systems, and had a decent budget. The very fact that it exists should be disconcerting, and points to potential acts of industrial sabotage, espionage, or both, on a level that hasn’t been seen so far. And I could certainly imagine a corporation in control of a Stuxnet strain sabotaging its competitor’s plants, and holding them hostage if it decides to play rough with a particularly reviled executive. Though why Iran had such a huge rate of infections is going to bug security experts for a very long time to come and I’m afraid that until a few intelligence agencies decide to come clean about Iran’s nuclear program, we’ll have little evidence to say anything decisive about it. Meanwhile, we should be looking for, and worrying about, Stuxnet 2.0…

Share

Just when I think that politicians can’t be any more disappointing than they are today, and there’s nothing they could do to make themselves look even more clueless and inept, Joe Lieberman manages to come up a bill so utterly brain dead, it’s hard not to shudder in fear that we actually reward this kind of ineptitude with public funds and expect people like this to effectively run a nation. What’s so amazingly ridiculous about Lieberman’s proposal? It would give the executive branch the authority to throttle, filter, and even disable the internet to the entire nation under the excuse of national security. Ever worse, the bill has actual co-sponsors, despite being written by someone who apparently seems to think that the internet is “just a series of tubes,” and you can just yank on a valve and shut the whole thing off. To actually shut off internet access, you’d need to cut all those undersea communication lines shown in a comprehensive illustration appearing on the Guardian

True, you can slow down and even disable internet access by setting up a firewall which could block a search query, or even access to certain sites. But you determine access rights by IP addresses, more specifically, IP address ranges associated with a particular country. Anyone see the weakness in this strategy already? Let me to give you a hint. The data exchange protocols we collectively know as the internet and the web were built on networks originally designed to coordinate military commands. They’re built with redundancy in mind and a blocked range of IP addresses isn’t actually that big of a problem. By manipulating your IP address through a proxy, you could circumvent even a national firewall. Even if all those immense, $500 billion undersea cables traveling to and from your country were cut, you could get still get satellite-based web access and use a proxy to get on the web. In other words, it’s utterly impossible to shut down the internet for those who have a clue as to how computers and computer networks actually work. Any action to slow down or shut off web access is a problem only for casual users rather than the people from whom you’d actually want to protect your assets.

We’ve already discussed how unrealistic it is to militarize the web as we know it to track down a squad of foreign hackers before they strike despite the rosy picture being painted by some defense contractors, and Lieberman’s proposal seems firmly stuck in the territory of misconceptions and ignorance. Maybe if he had a chat with someone with a working knowledge of the networks used by the internet rather than someone like Michael McConnell, he wouldn’t have produced something this ridiculous. Or maybe he would anyway since it seems that while we’re appointing charismatic and talkative know-nothings to leadership positions, they start convincing themselves that they’re actually experts, as shown by studies into the subject, and don’t need the advice of those who actually do understand the technical concepts in question. So now, his bill is being used by an Australian media outlet to justify its government’s own growing interest in internet filters, and being trotted across right wing blogs where the narrative is warped from an example of Lieberman’s, Rockefeller’s and Showe’s collective ineptitude and as another disturbing sign of dangerous ignorance in Congress, into a story of how Obama supposedly wants to censor the web to silence Tea Party activists. I’d say to expect a full on paranoid rant from Glenn Beck on the subject any day now…

My guess is that this bill will die a horrible death without even being considered to be worthy of a vote, but just the fact that it was even conceived to give fodder to conspiracy theorists and took a dip into the territory on par with the rationale behind the Great Firewall of China, should be disturbing. We have a senator who hasn’t a clue what he’s doing writing legislation that could profoundly affect one of the most tech-dependent nations in the world and chairing the Homeland Security committee, and we expect the nation to be safe and adequately deal with real threats? For some reason, I really don’t feel any safer with “experts” like this in charge…

Share

Wired’s Ryan Singel is weary about Michael McConnell’s sales pitch for cyber-weapon capabilities. According to his post on the Threat Level blog, some of the plans he’s been proposed to the NSA could be used for a massive crackdown on the open internet and the kind of espionage many paranoid computer users feared as web access spread over the last two decades. Now, everything with an operating system and internet access could be used to spy on you at any time and any place if the government thinks it has a problem with you, with all due thanks to McConnell and his employer, Booz Allen Hamilton. But while there’s some truth to the notion of having your computers and smart phones snitching on you when someone presses a key, to make all this happen as Singel details is a lot tougher than it sounds and what he calls the open web can still fight back.

First off we need to start with what a cyber war actually entails. Basically, it’s the use of specialized software to mine top secret data from other nations, lock down your targets’ crucial websites and infect crucial automated systems which control key nodes in infrastructure as a prelude to a bombing run. In a world which relies on a myriad of computer networks, being able take those networks down within a few seconds is a major strategic advantage many countries want to have. So to sell his wares, McConnell decided to go on a scaremongering spree with the grim message of America’s seemingly inevitable loss on the digital battlefield without his help, something that doesn’t sit well with Singel, especially because what’s being advocated is technology to track down anyone of interest to the NSA much faster and easier than it can now…

The Washington Post gave McConnell space to declare that we’re losing some sort of cyberwar. He argues that the country needs to [adopt] a Cold War strategy, one complete with the online equivalent of ICBMs and Eisenhower-era, secret-codenamed projects. Google’s allegation that Chinese hackers infiltrated its Gmail servers and targeted Chinese dissidents proves the United States is “losing” the cyberwar, according to McConnell. [ ... ]

[Cyberwar proponents will] point to Estonia, where a number of the government’s websites were rendered temporarily inaccessible by angry Russian citizens. They used a crude [and] remediable denial-of-service attack to temporarily keep users from viewing government websites. Some like to say this was an act of cyberwar, but if it that was cyberwar, it’s pretty clear the net will be just fine. None of these examples demonstrate the existence of a cyberwar, let alone that we’re losing it.

And this is a very good point. The reality of the matter is that the United States isn’t actually losing a cyber war, but has been actively preparing for one and some experts believe that it’s top hackers could wreak all sorts of havoc with their current arsenal. While certain infrastructure nodes are vulnerable to external threats, it simply isn’t true that the Air Force has been asleep at the wheel while China racks up a cyber army. It’s also very disingenuous to point to Russian nationalists hacking websites and blogs they find so offensive or what happened in China with Google as evidence of an actual war. After all, the Chinese hackers tried to get into a number of e-mail accounts of Chinese dissidents rather than American defense execs while Russian cyber soldiers were crudely censoring foreigners whose opinions they didn’t like. There are real attempts to peek in on military secrets by adapting and improving common phishing and ID theft routines you could find in your spam folder at any moment. This kind of international espionage is a constant threat but just because there’s someone who needs to slap a “cyber war” label on it since e-mail is involved, it doesn’t become one.

There’s also a major problem with McConnell’s appeal to turning the internet into an on demand geo-locator, one that should calm Singel’s fears. While cell phones have a GPS and your IP address could be used to get a fix on your approximate location (provided you didn’t mask it or alter it to hide yourself), all the data is stored on privately owned networks of the corporations that provide the services. To access this information, the NSA needs to get legal approval and if a company refuses to cooperate, a judge has to be involved. During a cyber attack by a professional team, chances are that the hackers are well shielded behind dummy IPs and left their smart phones turned off somewhere far, far away from their war room. All the technologies McConnell pitches as vital in a cyber war aren’t going to work by magic and there will be plenty of ways to fool them, just like there are ways to fool existing methods of tracking someone on the web. This is why the open web would stay open for the foreseeable future. Figuring out where people are with a custom app looks cool in movies and helps to move the plot along, but it’s a real mess in the physical world.

Buying into hype from defense contractors out to tap into the nascent cyber warfare market would only give the DOD the ability to inaccurately track quite a few Facebook posts and web searches while those who could do serious damage hide from view. Even if the NSA manages to cajole wireless companies and ISPs into giving them a tap into their customer databases, their power is restricted to the U.S. while hooking up to a company in China to monitor potential threats would be met with a polite suggestion to forget it and go away. Having to go through terabytes and terabytes of useless data on a daily basis from one country or looking for one e-mail in a sea of tens of millions sent every hour for a potential attacker who might be halfway around the world and who can’t be tracked until it’s too late due to the limits of the NSA’s reach and shielded IPs is hardly what you’d call an efficient way to wage a cyber war. Tracking down would-be cyber soldiers and terrorists is a task that’s going to require real world resources, informants, agents, spies and police agencies working in concert with all the nifty tracking gizmos and scripts being just one of many tools in their investigative arsenal.

Share