10/1/10

wearing the pants - UPDATED

UPDATE: Stuxnet virus attack on Iranian nuclear programme: first strike by computer?


On a Vancouver stage last Thursday, a young Irish computing expert gave a filmed presentation showing how the world could end with the pop of a balloon. 

That's just great.


We may never know for sure. The odd thing is that Stuxnet, so far, hasn't actually been proved to have done anything. Stuxnet contains a "switch" believed to target one very specific, tailored Siemens system – but no one knows which one, or what the switch is intended to do.
We may never know for sure? That's bullshit. We saw the same thing recently when CNN did a piece on 9/11 conspiracy theories. Did they examine the theories? No. They went directly to "will this conspiracy theory become like the Kennedy assassination, analyzed for generations as an unsolved mystery?" Which of course is a total cop-out designed to protect the guilty. See: funny or sad.

Israel has little to gain from denying or confirming anything. It cannot own up to what some see as a monumental act of irresponsibility – the creation of a worm that could attack any sensitive system anywhere in the world. On the other hand, its struggle with Iran is also psychological, and it does it no harm to be thought capable of disarming a nuclear programme without launching a missile.
Eating one's cake and having it too then?


So Bradley Manning leaks a helicopter video to Wikileaks, and he goes on trial for "damaging national security." But a state-sponsored group of hackers writes code that can control infrastructure, and we must assume it will be copied by "terrorists," and what is the response? We may never get to the bottom of it?


^^^^^^^

UPDATE: Iran 'detains western spies' after cyber attack on nuclear plant

Iran has detained several "spies" it claims were behind cyber attacks on its nuclear programme. The intelligence minister, Heydar Moslehi, said western "spy services" were behind the complex computer virus that recently infected more than 30,000 computers in industrial sites, including those in the Bushehr nuclear power plant, appearing to confirm the suspicion of computer security experts that a foreign state was responsible. The announcement also suggests that the attack involving the Stuxnet worm virus, which computer experts believe may have been designed to spy on Iran's nuclear facilities rather than destroy them, has caused more alarm in the regime than has so far been acknowledged.


In remarks carried on Iranian state television and the Mehr news service, Moslehi said Iran had discovered the "destructive activities of the arrogance [of the west] in cyberspace", adding that "different ways to confront them have been designed and implemented". "I assure all citizens that the intelligence apparatus currently has complete supervision on cyberspace and will not allow any leak or destruction of our country's nuclear activities. "Iran's intelligence department has found a solution for confronting [the worm] and it will be applied. Our domination of virtual networks has thwarted the activities of enemies in this regard."

Moslehi gave no details of when the arrests had taken place or whether those detained were Iranians or foreign citizens. (more at link)

AFP describes them as "nuclear spies": "We have always faced the destructive action of these (spy) services and a number of nuclear spies have been arrested," he said.


JPost whistles past the graveyard... (http://www.jpost.com/IranianThreat/News/Article.aspx?id=189934)

Also see a discussion of what might be going on at Winter Patriot blog. Winter himself explains:


A computer 'worm' contains the instruction sequence necessary to propagate itself as well as the instruction sequence that does the damage. The first significant step in defending against such a worm is reverse-engineering -- converting the "machine code" that the computer executes into "assembly code" which lists the instructions being executed.
And therefore, using a worm as a weapon of war is, in the words of one of my most security-savvy computer-friends, "one of the stupidest things anyone has ever done anywhere". It is, as he put it, "like dropping an atomic bomb, then showering the survivors with leaflets explaining how to build an atomic bomb". He reckons the probability of this worm being revamped and used as an offensive weapon by the Iranians (or terrorists connected with Iran) as 100%. "How could they NOT use it?" he asked. "They're pissed off and they have the code!"
It's all just One Big WTF? at this point.

End update.

^^^^^^^

The Stuxnet worm has people worried. Threats that were once theoretical have become real, because it allows an attacker to take control of critical components like pumps, motors, alarms and valves in industrial systems.

It could, technically, make factory boilers explode, destroy gas pipelines or even cause a nuclear plant to malfunction. The virus targets control systems made by German industrial giant Siemens commonly used to manage water supplies, oil rigs, power plants and other industrial facilities.

In the last day or so we learn that Stuxnet has successfully penetrated China, extensively, as well as Iran.

"This malware is specially designed to sabotage plants and damage industrial systems, instead of stealing personal data," an engineer surnamed Wang at antivirus service provider Rising International Software told the Global Times. "Once Stuxnet successfully penetrates factory computers in China, those industries may collapse, which would damage China's national security," he added. Another unnamed expert at Rising International said the attacks had so far infected more than six million individual accounts and nearly 1,000 corporate accounts around the country, the official Xinhua news agency reported.

Graham Cluley, an expert on viruses, said the sophisticated code may have been written by an insider at Siemens.

The worm may have been written by someone with detailed knowledge of Siemens' computer systems, Graham Cluley said on Friday. Speaking to the computer and technology news website V3, Cluley said the person may possibly be a current or former employee of the German industrial giant whose control systems are widely used to manage industrial facilities such as oil rigs and power plants. ...Another expert on the issue, Mikko Hypponen, chief research officer at F-Secure, told V3 that based on evidence he'd seen, the worm looks like a government attack. "If you look at the level of difficulty and complexity behind Stuxnet, it has to be a government effort," he further explained.
Go here for a ten slide technical explanation of how the worm spread.

Yesterday we learned who might be the likely culprit: Israel.

"So let’s assume that using Stuxnet, Israel has indeed launched the world’s first precision, military-grade cyber missile. What are the implications?"
We think the primary implication is that a military attack on Iran has now been foreclosed as a viable option. It can't be justified anymore. Security has already been breached. Furthermore, the Stuxnet worm takes control of the control systems and can even, theoretically, cause an explosion.



"We have never seen anything like this before. It's the most complex piece of malware in the history of computing. What the thing does, is actually it's designed to blow something up, it's as simple as that. The virus is a cyberwar weapon."



Curiously, Langner also said not to worry, because obviously the worm is so specific that it hit its target.

Stuxnet itself is no longer a cause for concern, he said. "Don't worry about Stuxnet any longer," he said. "Obviously it hit its target. It is so specific it won't attack anything else."
OK, well, maybe we misunderstand because we are not getting the "obvious" part. Forgive us for being obtuse, but did something large in Iran explode that we failed to notice, like a power plant or something?

We are not so sure about his conclusion, because now China has reported big problems with Stuxnet. Maybe Stuxnet wasn't finished after all?

Maybe, in light of the new special romance between Israel and China, what seems obvious to us is that Israel just explained to China who is wearing the pants?

We get the point, if that was the point.

"Nothing says theocracy like a biblical reference in your terroristic cyber attack." ~ Penny

Langner says this will lead to copycat activity.

But now that it's out there, other people will try to replicate it, he warned. "Everybody will be able to study exactly what Stuxnet does and how it is done," he said. "So we must assume that Stuxnet will now act as a template for any kind of hackers, organized crime, terrorists in order to study how it can be done. "Stuxnet is history," he said. "We need to work on what will come next."

Yes, we can see that part happening, too.

 

19 comments:

malcontent said...

The scenario has happened before btw, in the less high tech world of 1982.

http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

kenny said...

Shutting down the internet may be the only option. It'll be for our own good. Re-open it after all these pesky malware infected blogs and alternative news sites are eliminated.

INCOMING!!!!!!! said...

FYI AP

http://www.computerworld.com/s/article/9130080/Expert_Hackers_penetrating_industrial_control_systems

I think Kenny's thoughts have mileage.

A. Peasant said...

incoming & kenny -- it seems like they would like to conflate the real problem of state-sponsored hackers getting into infrastructure control systems with regular people emailing and surfing the intertubes.

good link incoming, coming from well before all this happened. noting how jay rockefeller seems so prescient.

veritas6464 said...

Hey Campo,...Perhaps the Mexico Gulf Oil rig explosions were dual purpose; destroy the ecology and therefore the food chain of the region and also, test the industrial IT bomb. Didn't both those rigs explode inexplicably?

veritas

A. Peasant said...

hmm. that could be Veritas...

Anonymous said...

Will China trust Israel?

How clever are the Chinese?

- Aangirfan

A. Peasant said...

are you being coy Aan? ; D

i certainly hope china does NOT trust israel. i would expect they do not. maybe israel stepped in some doo doo this time?

Anonymous said...

From your link, AP-
"But Moslehi said intelligence agents had discovered the "destructive activities of the arrogance (Western powers) in cyberspace, and different ways to confront them have been designed and implemented."

"I assure all citizens that the intelligence apparatus currently has complete supervision on cyberspace and will not allow any leak or destruction of our country's nuclear activities."


I wonder if some of that "complete control" includes throwing out all Windows software from the nuclear facility at the very least

It's pretty easy to understand some of "the arrogance (Western powers)" in the face of this.

veritas6464 said...

Hey Campo,...I have just had an epiphany, of sorts; the Forex company I was working for a couple of years ago was looking at creating its own technical analysis software, so I was tasked with sourcing codes and code makers, programmers etc. During this research I received news (approx April 2004) from a colleague in China about the Chinese government pouring a "further" squillion bucks into the 'open source' Operating System Developers: Linux. The result the Chinese government was hoping to achieve was a totally SECURE, independent intranet (hermetically sealed) protocol for data and communications sharing INSIDE CHINA; the working title for the OS then was "Red Flag". This OS was to be based on 'Red Hat'.

Google it, also, I will pursue this further and let you guys know - my problem with my epiphany is this, if they were serious about 'Red Flag OS', with millions of those US dollars they have in a big red sock under their bed, spent on R&D; did they complete the project? If so, why are they vulnerable to a web-based 'Windows' virus?

Mmmm, something's not right with this whole stuxnet picture.

What I do feel is that a lot of otherwise sceptical truthers are of the opinion that somehow Russia and China will be our saviours. Tiananmen Square anyone? Chechnya?

Maybe I just don't get it, I really don't trust anyone on the Government Bus, I don't care whose language the destination itinerary is written in.

veritas

P.S. DOH! Well, in the time it has taken me to scribble this comment: I have found some really deflating info’ already...

http://www.linux.com/archive/articles/146867

http://www.builderau.com.au/blogs/syslog/viewblogpost.htm?p=339270827

http://www.operating-system.org/betriebssystem/_english/bs-redflag.htm

Anonymous said...

ISRAEL?? Well I NEVER! I'm sure as soon as those aliens come to take over planet Earth that pesky little problem will go away toot sweet! For our own good of course.

A. Peasant said...

Veritas -- from the middle link:

"Today, the Chinese government uses a version of Windows that includes its own custom cryptography software. In Beijing, where many of the workers avoided Red Flag Linux and used a pirated version of Windows instead, the government has taken inventory of pirated software and forked over cut-rate licensing fees to Microsoft."

so i guess they weren't too serious about that red flag. looks like greed won out over prudence.

as for china and russia as potential heroes, i'm not sure that is what the hope is. for myself the hope is that they will not roll over like the US has. we can't have any more big countries in israel's bag. the world can't afford it. it's sort of like rooting for the team that beat your team in the playoffs, and who are now playing the ny yankees.

A. Peasant said...

James -- that second link V left has the answer to your question, at least re: china. no telling if the iranians were so stupid.

saladin -- yah i forgot about the aliens! they'll fix everything. ; D

malcontent said...

The programming software runs on a windows pc. The operator panels attached to the various industrial machines usually run Windows CE as well. Infections and subsequent propagation of Stuxnet on these machines through at least 3 published vectors makes it a swiss army knife of the software environment.

All the published exploits that Stuxnet used have been patched by M$ except one. There are 2 basic problems for the victims to overcome, first is access to the patches for the pc's and the second is updating of the operator panels from the respective manufacturers to immunize them from re-infection.

Since you can't trust either source for these remedies if you are in Iran, you are simply up shit creek.

For that matter, who is to say the patches won't include a new backdoor for future exigent circumstances? Even open source Linux can be poisoned by surreptitious insertion of code that is quite difficult to spot.

Anonymous said...

Even open source Linux can be poisoned by surreptitious insertion of code that is quite difficult to spot.

But it can be seen. And remedied (should it ever get past a security scan) with complete confidence because nothing is hidden. That is the point.

Dealing with Windows, you are reliant upon known liars and you are unable to check on what they tell you because their code is all hidden. What's the point in that?

And that is not a rhetorical question.

malcontent said...

JG the Linux poisoning I am referring to is the insertion of a buffer overrun to the source code image you compile that would only be detected through a scrupulous source code audit and ongoing code comparisons to ferret out coding changes that may be as simple as the addition of a space or a slash in an existing function. Even Norton can't save you from that.

As for using Linux with these products, it isn't quite ready for primetime yet as evidenced from the Siemens site directly.

http://www.automation.siemens.com/WW/forum/guests/PostShow.aspx?PageIndex=1&PostID=178565&Language=en

There are some things you can do without windows if you read through the thread but you still have areas of your development and ongoing operations that will require a windows pc to touch your precious SCADA network.

JG, I do get your point all too well. CodeRed and Nimda viri helped M$ to see the light of subscriber model software markets by ensuring that any PC connected to the Internet would be a dead duck if the owner didn't have access to updates. You need to be in their good graces to keep your machine useful to you. Forever.

Keep sending your money to M$ and everything will be OK. End of Life for Windows 2000 last June means no more patching for that platform and if you use it then you have to buy new software...

Send more money.
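The "ongoing code comparisons" malcontent describes above are easy to make mechanical. The following is an added example, not code from this post or from any of its commenters: it hashes every file in a source snapshot to build an audit baseline, flags any file whose hash changed in a later snapshot, and then diffs only the flagged files so the exact changed line is shown. The two snapshots, the file names and the C function in them are constructed for illustration; the "poisoned" copy differs from the clean one by a single added character that turns a bounds check into an off-by-one buffer overrun. The example also reports added and removed files, which goes slightly beyond the comment.

```python
"""Detect a one-character poisoning of a source tree via hash manifests plus diff.

Added example for this thread (not the post's or any commenter's code).
All file contents below are constructed; paths and the C function are hypothetical.
"""
import difflib
import hashlib

# Constructed "clean" snapshot: the check rejects len == sizeof(buf),
# so the terminating write buf[len] = 0 stays inside the 64-byte buffer.
CLEAN_TREE = {
    "net/parse.c": (
        "int parse(const char *in, size_t len) {\n"
        "    char buf[64];\n"
        "    if (len < sizeof(buf)) {\n"
        "        memcpy(buf, in, len);\n"
        "        buf[len] = 0;\n"
        "        return 0;\n"
        "    }\n"
        "    return -1;\n"
        "}\n"
    ),
    "net/util.c": "int helper(void) { return 1; }\n",
}

# Constructed "poisoned" snapshot: one added character ('=') lets len == 64
# through, so buf[64] is written one byte past the end of the array.
POISONED_TREE = dict(CLEAN_TREE)
POISONED_TREE["net/parse.c"] = CLEAN_TREE["net/parse.c"].replace(
    "if (len < sizeof(buf))", "if (len <= sizeof(buf))"
)


def manifest(tree):
    """Map each path to the SHA-256 of its contents; this is the audit baseline."""
    return {path: hashlib.sha256(text.encode()).hexdigest()
            for path, text in tree.items()}


def compare_manifests(baseline, current):
    """Return the paths that were added, removed, or whose hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def changed_lines(old_text, new_text, path):
    """Return only the removed ('-') and added ('+') lines for one file."""
    diff = difflib.unified_diff(old_text.splitlines(), new_text.splitlines(),
                                fromfile="baseline/" + path,
                                tofile="current/" + path,
                                lineterm="", n=0)
    # Skip the '---'/'+++' file headers and the '@@' hunk markers.
    return [line for line in diff
            if line[:1] in "-+" and not line.startswith(("---", "+++"))]


def audit(baseline_tree, current_tree):
    """Hash comparison first; line-level diff only for the files that changed."""
    report = compare_manifests(manifest(baseline_tree), manifest(current_tree))
    report["diffs"] = {p: changed_lines(baseline_tree[p], current_tree[p], p)
                       for p in report["changed"]}
    return report


if __name__ == "__main__":
    result = audit(CLEAN_TREE, POISONED_TREE)
    # The poisoned file is a single byte longer, which a size or eyeball
    # check can miss; the hash mismatch is deterministic and the diff
    # pinpoints the line.
    for path in result["changed"]:
        print(path)
        for line in result["diffs"][path]:
            print("  " + line)
```

In practice the baseline manifest is produced when the code is audited and stored somewhere the build host cannot modify; every later checkout is hashed and compared against it before compilation, and only the flagged files need a human to read the diff.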

Anonymous said...

Thanks for your response, Malcontent, and for the link. The Siemens engineer says (after his attempts) that "Step 7" will run with Linux but has problems with the USB PC Adapter.

Another engineer on the forum says that it will run with Linux but requires a custom programme and there are other suggestions.

However, why choose a systems controller for a nuclear power plant, (which is under threat from aggressive foreign powers) that requires Windows with all its backdoors and susceptibility to viruses and Windows Explorer?

If there are no non-windows control systems available, then design one. The risks are too great. Plus, there's a ready made market out there for one.

So why would you (Siemens) design a critical piece of control system that has these vulnerabilities in the first place?

Paying for ongoing patches is the least of the problem. The problem could well be an awful lot of people getting killed or irradiated. Patches are designed in response to someone somewhere being attacked. They are by nature "after the fact".

A source code audit, as you say, will show up any discrepancies. This can be done before the programme is run, though. Once a discrepancy is found, then it is the engineer's job to track it down. It may be tedious but it can be done and most importantly, it can be done pre-emptively. You don't have to wait for the bomb to go off to find out if there was one lurking there as you do if windows is used.

Windows is a huge ongoing security nightmare. It seems crazy to me to go anywhere near it.

malcontent said...

I guess it boils down to whether or not you are in good standing with the international corporations or not at the time of crisis. With them or against them.

Like current law enforcement strategists they don't really care so much what happens so long as they can see the instant replay and make us feel like it won't happen again.

Undocumented features are not just for criminals after all.

Anonymous said...

For those that might be interested, there is some excellent background material on Siemens and their involvement with cryptography and Iran in the past here-

Cryptogate, Siemens and Stuxnet
