#cyberwar – @tuckfheman on Tumblr

Tuck Fheman : Decentralized Blockchain Technology & Doom Updates

@tuckfheman / tuckfheman.tumblr.com

A cadre of autodidactic multi diverse personalities decentralizing teh world.
Stuxnet Missing Link Found, Resolves Some Mysteries Around the Cyberweapon
As Iran met in Kazakhstan this week with members of the UN Security Council to discuss its nuclear program, researchers announced that a new variant of the sophisticated cyberweapon known as Stuxnet had been found, which predates other known versions of the malicious code that were reportedly unleashed by the U.S. and Israel several years ago in an attempt to sabotage Iran’s nuclear program.
...
The new variant appears to have been released in 2007, two years earlier than other variants of the code were released, indicating that Stuxnet was active much earlier than previously known. A command-and-control server used with the malware was registered even earlier than this, on Nov. 3, 2005.
...
The new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.
...
In these later variants of Stuxnet, however, only the 315 attack code worked. The 417 attack code had been deliberately disabled by the attackers and was also missing important blocks of code that prevented researchers from determining definitively what it was designed to do. As a result, researchers have long guessed that it was used to sabotage valves, but couldn’t say for certain how it affected them. There were also mysteries around why the attack code was disabled — was it disabled because the attackers had failed to finish the code or had they disabled it for some other reason?
The 2007 variant resolves that mystery by making it clear that the 417 attack code had at one time been fully complete and enabled before the attackers disabled it in later versions of the weapon.
...
Stuxnet 0.5 was very surgical and spread only by infecting Siemens Step 7 project files — the files that are used to program Siemens’ S7 line of PLCs. The files are often shared among programmers, so this would have allowed Stuxnet to infect core machines used to program the 417 PLCs at Natanz.
If it found itself on a system that was connected to the internet, the malware communicated with four command-and-control servers hosted in the U.S., Canada, France and Thailand.
...
The domains for the servers were: smartclick.org, best-advertising.net, internetadvertising4u.com, and ad-marketing.net. All of the domains are now down or registered to new parties, but during the time the attackers used them, they had the same home page design, which made them appear to belong to an internet advertising firm called Media Suffix. A tag line on the homepage read, “Deliver What the Mind Can Dream.”
Source: Wired

Can You Hack It? (AKA Hackers Wanted)

This film explores the origin of true hackers vs. today's computer criminals by following the adventures of Adrian Lamo and other well-intentioned hackers, who found security holes and pointed them out so they might be fixed, only to eventually be arrested.
Commonly thought of as computer criminals and vandals, a true hacker is an innovative thinker able to 'hack' himself out of a given problem or situation, whether it be computer related or not. Historically, hackers have accounted for mankind's greatest inventions and discoveries and yet have repeatedly been persecuted for their new ideas by the powerful and fearful.
Experts on cyber-terrorism also examine our societal view of the hacker and debate as to whether or not we should recruit and utilize the skills of the helpful hackers to fight future cyber-wars, instead of continuing to punish what we do not understand.

Excerpt ...

"I think hacking skills are going to become critical to liberty in this country. Because as government and industries start to realize they can use technology to shut people down, to reduce our liberties, the only freedom fighters out there will be hackers.
The next war is not going to be fought with bullets and guns and bombs. It's going to be fought with code. It's going to be fought with technology, with computers. That's how the war is going to be fought.
And if you want to preserve liberties in this country, I don't think it has anything to do with the second amendment and the right to bear arms, it's the right to bear computers."
- Leo Laporte, TechTV

Meet ‘Flame’, The Massive Spy Malware Infiltrating Iranian Computers

Map showing the number and geographical location of Flame infections detected by Kaspersky Lab on customer machines. Courtesy of Kaspersky.

A massive, highly sophisticated piece of malware has been newly found infecting systems in Iran and elsewhere and is believed to be part of a well-coordinated, ongoing, state-run cyberespionage operation.
The malware, discovered by Russia-based anti-virus firm Kaspersky Lab, is an espionage toolkit that has been infecting targeted systems in Iran, Lebanon, Syria, Sudan, the Israeli Occupied Territories and other countries in the Middle East and North Africa for at least two years.
Dubbed “Flame” by Kaspersky, the malicious code dwarfs Stuxnet in size – the groundbreaking infrastructure-sabotaging malware that is believed to have wreaked havoc on Iran’s nuclear program in 2009 and 2010. Although Flame has both a different purpose and composition than Stuxnet, and appears to have been written by different programmers, its complexity, the geographic scope of its infections and its behavior indicate strongly that a nation-state is behind Flame, rather than common cyber-criminals — marking it as yet another tool in the growing arsenal of cyberweaponry.
Source: Wired

Latest news on my Hardware Security Research by Sergei Skorobogatov

Hardware Assurance and its importance to National Security

Current issues.
UK officials are fearful that China has the capability to shut down businesses, military and critical infrastructure through cyber attacks and spy equipment embedded in computer and telecommunications equipment. The Stuxnet worm is the most famous and best case example of a cyber attack on a network which wreaked devastation having easily compromised conventional software defensive systems. There have been many cases of computer hardware having backdoors, Trojans or other programs to allow an attacker to gain access or transmit confidential data to a third party. Considerable focus and expense has been invested in software computer networks and system defences to detect and eradicate such threats.
However, similar technology with antivirus or anti Trojan capability for hardware (silicon chips) is not available. The computer or network hardware underpins and runs all the software defence systems. If the hardware has a vulnerability then all the energy in defending at the software level is redundant. An effort must be made to defend and detect at the hardware level for a more comprehensive strategy.
Our findings.
Claims were made by the intelligence agencies around the world, from MI5, NSA and IARPA, that silicon chips could be infected. We developed breakthrough silicon chip scanning technology to investigate these claims.
We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.
Key features of our technology:
- scans silicon/hardware for backdoors, Trojans and unexpected behaviour
- low cost
- very fast result turnaround time
- high portability
- adaptable - scale up to include many types of chip
Further funding is needed for us to progress to testing further silicon chips and to develop better search algorithms which would allow us to detect possible spy systems or vulnerabilities in a greater range of systems.
Currently there is no economical or timely way of ascertaining if a manufacturer's specifications have been altered during the manufacturing process (99% of chips are manufactured in China), or indeed if the specifications themselves contain a deliberately inserted potential threat.
Conclusions.
It is clear that cyber attacks will increasingly be of this nature, having most impact; it is imperative that this issue is addressed as a matter of urgency. We would suggest making hardware assurance (HWA) & hardware defence (HWD), the testing of silicon chips for backdoors and Trojans, and their defence, a greater priority within the National Cyber Strategy. Until now it was not possible to perform such analysis in a timely or cost effective manner. Our technology provides a solution. A variation in this technology could be used as a backstop defence on a computer or network system where it can monitor instructions and possible reprogramming or activation of a buried spy system in a real time environment, thereby preventing Stuxnet type attacks.