Mercury Rising 鳯女

Politics, life, and other things that matter

Malwhere. The attack on Iran.

Posted by Charles II on November 19, 2010

OK, our best ally in the Middle East is now all but openly boasting of using computer malware as part of a strategy of warfare (Broad and Sanger, NYT):

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

So, now, how exactly do we go about getting China to rein in its script kiddies, whether state-sponsored or no, who have been rifling through the Pentagon’s computers?

Completely losing our moral authority is a very bad development. Probably less bad than bombing a country which constitutes no threat to us, but bad.

Finally, whoever wrote the code included a series of clues as to authorship inside it, and they’re things that Israel’s enemies would be unlikely to think of. So, add to the downside of undermining US leadership the fact that (a) the Israelis get the blame (b) it didn’t work, and (c) it included a bit of hubris of the kind that Whoever or Whatever is in charge of this world loves to punish.


12 Responses to “Malwhere. The attack on Iran.”

  1. Stormcrow said

    So, add to the downside of undermining US leadership the fact that (a) the Israelis get the blame (b) it didn’t work, and (c) it included a bit of hubris of the kind that Whoever or Whatever is in charge of this world loves to punish.

    OK, let’s assume for the sake of argument that this little gem was the work of someone, or several someones, working for the state of Israel.

    Which, come to think of it, does indeed look like the most probable hypothesis.

    Statements (b) and (c) are easy corollaries.

    But how do you get (a)? Since we’re assuming the US didn’t write the damned thing.

    How does this undermine us?

    • Charles II said

      Stormcrow asks, “But how do you get (a)? Since we’re assuming the US didn’t write the damned thing. How does this undermine us?”

      We are generally believed to approve of everything Israel does. How true that is, I don’t know, but I do know that the rest of the world thinks that we are the dog and Israel is the tail. That means that if Israel gets the blame, the US is viewed as the prime mover. If the rest of the world thinks we are authorizing cyber attacks against Iran, there is not going to be much sympathy for cyber attacks–to which we are uniquely vulnerable–against us.

      I also would not bet that this half-assed plan wasn’t concocted in Washington. It sounds like something that Paul Wolfowitz would come up with.

      • Stormcrow said

        If the rest of the world thinks we are authorizing cyber attacks against Iran, there is not going to be much sympathy for cyber attacks–to which we are uniquely vulnerable–against us.

        It wouldn’t help enough to notice, if we stood to gain even more sympathy than we got (and subsequently threw away) after the 9/11 attacks.

        “Cyber attacks” are much more heard about than actually observed in the wild, even after this incident.

        The real problem, IMHO, is crooks.

        I have read some fairly persuasive reports arguing that the closest we’ve really come to being hit by a state-sponsored cyberattack, the perps were private-enterprise crooks whom the PRC outsourced the task to.

        And it surely isn’t very hard to compile a fairly impressive roster of actual victims whose businesses were run into the ground by cybercrooks.

        The US is no more vulnerable to this than any other nation with a modern financial infrastructure. The first reports I read of trojans specifically designed to capture and export bank account data to crooks, came out of Europe, not the US.

        Sympathy is pretty weak tea, measured against the sorts of activities Brian Krebs has been writing about for the last five years or so.

        Prevention, IMHO, depends more on the mental preparedness of prospective victims than any other single factor I can think of offhand.

        Progress in the apprehension and conviction of the crooks seems to be getting its best mileage out of some fairly standard sorts of high-end police work. It really hurts my face to say nice things about the FBI, but these last few years, they’ve been making the business of cybercrime much more risky to its practitioners than I ever thought I’d live to see.

        The worse we can hurt the crooks, the less rival nation-states can resort to them for acts of espionage and vandalism.

        We’re not going to gain (or lose) much more traction by getting people to like (or dislike) us.

        The way sponsor states like the PRC are going to come around, is when they see their local pools of criminal talent as greater liabilities than they are potential assets. And that sort of revelation is largely outside of our influence.

  2. Charles II said

    As always, you raise good points, Stormcrow. It’s true that all highly-networked nations are vulnerable to cyber attacks. As one of the richer nations, the US happens to be very highly networked, have a lot of online finance, and have a lot of enemies. Software has a high level of homogeneity. Unlike China, where the government controls the Internet and therefore enjoys some protection from cyber warfare, the US Internet is almost anarchic. And then there’s the point that the US likes to replace human labor with automation. That creates a situation where mischief can be spread to a myriad of places. This report mentions “U.S. transportation system infrastructure, the telecommunications system, nuclear energy plant communications, the water supply IT infrastructure ….’vulnerable servers and gateways controlling the power grid or water/dam flow control.’” as targets. Still, I will concede that the US is no longer uniquely vulnerable. I overstated the point.

    On one point, I think you’re wrong. “Sympathy” is much more important than you seem to imagine in international relations. When people like or admire a nation, they quietly (sometimes unconsciously) work to make things go its way. When they don’t, they quietly obstruct its efforts. Turkey closed its airspace to Israel, as has Saudi Arabia, maybe. Syria may not be able to stop them, but they probably can and would give Iran a heads-up. These things limit Israel’s options and perhaps allow Iran to focus defensive strength sufficiently. If Israel were better liked in the region, it would have more options.

    • Stormcrow said

      This report mentions “U.S. transportation system infrastructure, the telecommunications system, nuclear energy plant communications, the water supply IT infrastructure ….’vulnerable servers and gateways controlling the power grid or water/dam flow control.’” as targets.

      That’s a reference to SCADA, of course.

      The problems with this are …

      (i) Consider the source: “George Heron, founder of BlueFin Security and former chief scientist for McAfee”.

      McAfee, of course, is a major security software vendor.

      And they made their name stink in my personal pair of nostrils back in the days when I was a system admin, when they made provably false statements to “hype the scare” about a Linux “virus” that didn’t amount to more than a laboratory toy. Here is a copy of the original story from 13 years ago, which I just found in cached data during a Google search: MCAFEE DISCOVERS FIRST LINUX VIRUS; SHIPS NEW VERSION OF VIRUSSCAN TO DETECT AND REMOVE BLISS VIRUS.

      The problem is, most of the “facts” McAfee released in this story turned out to be hogwash. They got dollar signs in their eyes, contemplating the virgin market in Linux antivirus software …

      (ii) Even though the vulnerabilities are there, nobody seems to be exploiting them.

      There are excellent reasons why attacks of this sort are poor choices for someone who wants to coercively deflect the policy of a rival nation state.

      That report mentions the “plausible deniability the Internet affords”.

      But your victim isn’t likely to bend their policy to your will if they mistake your attack for a simple engineering failure or an act of God. What that means is that you don’t want “plausible deniability”. It acts against your own best interests. You want the exact opposite: you want your victim to bloody well know you did it.

      This is also why crashing any number of servers makes a far less effective act of terrorism than simply using good old fashioned bombs. You explode a bomb, particularly in public, and nobody is going to mistake that for an accident or an act of god or an engineering glitch. It’s automatic guaranteed credibility.

      Charles, when you read reports like this, you need to consider the source. Rule of thumb is that security “suits” have far less insight into the threat landscape than security worker bees have.

      The worker bees were shouting from the housetops about attacks on applications, particularly Java and Acrobat Reader, two years ago.

      These guys were talking about 5 threats: malware, botnets, cyber warfare, mobile device attacks, and crooks. Four of these need about as much insight as predicting the sun will rise in the east. The remaining one is, IMHO, a naked play for fat government contracts.

      OK, attacks against mobile devices were just getting started in 2005. But I did a mass audit of more than 500 servers for botnet clients, myself, more than 8 years before this was even published. And I was not that far ahead of the curve.

      Threat number 3, “cyber warfare”, has still not materialized in any sort of mature form. One problem is the one I discussed above: an attacker wants his attack to be correctly attributed. Another problem is the one Stuxnet ran into: once your attack agent is released into the wild, you no longer control it.

      Even after Stuxnet, we’re not seeing much in the way of “cyberwar”. We’re seeing crooks. We’re seeing espionage. We’re seeing vandalism.

      And we’re also seeing an all out commercial war between security services vendors for what they see as a huge cash cow. That’s been going on for years, too. And they’re not above playing very dirty to get their slice of the pie.

  3. Stormcrow said

    Sigh.

    Forgot to close the “blockquote”. :stupid:

  4. Charles II said

    Stormcrow says, “Forgot to close the “blockquote”. :stupid:”

    Looks ok to me. :-)

    I take your four main points:
    1) the most evident threats at present are from organized crime.
    2) terrorists (or states using terror tactics) don’t want anonymity.
    3) use of malware is risky, since it may affect allies as well as enemies.
    4) security companies hype threats because it’s profitable.

    However, I would counter those (perfectly correct) points with these:
    1) military action very often follows routes established by criminal activity (e.g., using drug smuggling as a means to fund the arming of Chiang Kai Shek’s armies). As long as a criminal activity may have a military use, it enjoys a (not-so-)mysterious immunity to being resolved.
    2) in military action, as opposed to terrorism, states may want anonymity. If they do not want anonymity, they can (as happened in this case) smirk in public.
    3) there’s always “collateral damage” in war. As long as it’s disproportionately borne by the enemy or by people one doesn’t care about, military minds are not concerned.
    4) doctors make money off of you being sick. Their advice should be taken with skepticism, too (hence the second opinion). The fact that a vendor is touting his wares does not make the wares worthless. It just means we should be skeptical.

    I think that the military use of malware, as it seems that Israel may have done in prosecuting its campaign against Iran, is potentially destabilizing. In this case, it could involve direct action, such as commissioning a terrorist attack against Israel.

    But I am actually more concerned about the fact noted in point #1. Does the rise in malware simply parallel a rise in military uses of malware? Is some of that criminal activity being used to generate the funds for, in Oliver North’s phrase, off-the-shelf foreign policy? Is the reason we can’t seem to get our act together in countering malware due to the military insisting on protection for their “good” malware, making it harder to write effective software?

    Stuxnet may have inflicted negligible collateral damage (and probably negligible damage to its target), but it distracted security efforts and added its little piece to Net congestion and diminished computer performance. Such efforts could be brought to a much larger scale by, say, the US and China engaging in a covert Cold War. Stuxnet is a bad precedent.

    • Stormcrow said

      Well, you’re right about Stuxnet being a bad precedent – but only to the extent that it was perceived to be successful.

      I think the weight of opinion seems, right now, to be that it was probably a waste of effort.

      But I can bring more direct insight into one of your concerns.

      But I am actually more concerned about the fact noted in point #1. Does the rise in malware simply parallel a rise in military uses of malware? Is some of that criminal activity being used to generate the funds for, in Oliver North’s phrase, off-the-shelf foreign policy? Is the reason we can’t seem to get our act together in countering malware due to the military insisting on protection for their “good” malware, making it harder to write effective software?

      In a word, no.

      The evolution of malware has clearly been forced by direct financial incentives for its authors.

      Four or five years ago, there were companies in the PRC whose business was the crafting of custom malware, for sale on the black market. “Companies”, as in, possessing a fixed and dedicated place of business.

      The reason I know this is because I had the opportunity to listen to a talk given by a guy from iDefense, who was given a guided tour of the premises of one of these outfits. Yeah, by the folks who worked there. The existence of fixed facilities, of course, forces me to conclude that they had the protection of the government of the PRC. So they really couldn’t care less about what this exposed to an American. And, like most techies, they were proud of their work and wanted to show it off …

      But places like this wouldn’t exist except for the black market.

      And if that particular shop is still in business, it’s only because they’ve changed with the times.

      These days, the bad guys don’t buy exploits. They buy point-and-click exploit creation kits, priced in the four figure range. Some of these offerings feature service contracts, technical support lines, and internal trouble ticketing systems to pinpoint bugs and track their correction.

      All of this would have leaked, badly enough to reveal complicity, years ago, even if it were under the aegis of the CIA. To say nothing of more transparent arms of the Federal Government. The black market would have seen to that. If for no other reason, simply because that same black market is one of the FBI’s favorite points of leverage, when they go after these people in order to put them behind bars.

      The Air Force has some excellent in-house hackers. I’ve worked with a few of them myself. But their whole methodology is 180° removed from the cybercrook community. They’re experts at penetrating systems. But they don’t have the sort of expertise the crooks need to have, because they don’t need it.

      The crooks are, above all, experts in manufacturing either trust or fear or both. Because, even today, most of their attacks need the victim’s cooperation.

      There are other, and quite massive, systematic, philosophical, and toolset differences I could list out. But that’s the one that comes to mind first.

      • Charles II said

        Stormcrow says, “In a word, no [paraphrasing: no connection between malware and the military]. The evolution of malware has clearly been forced by direct financial incentives for its authors.”

        I greatly respect your experience, Stormcrow. But I have to say, if there is no military involvement in malware, it would be very surprising.

        To start with, we have the fact of Stuxnet. So a military (or intelligence) agency has all-but-publicly confessed to engaging in malware distribution.

        Second, you mention financial incentives. We have a pretty clear idea of how those work in drug smuggling. The smuggler takes the weapons down, for which he gets paid. On the way back, he can– without any formal involvement by the US government– fill the plane with drugs. Since the government will give him passage, uninspected, it’s all profit.

        On the other hand, if the government wishes to conceal its involvement in covert activity, it can mark up the weapons and/or accept foreign donations as did happen in Iran Contra or (this has not been proven to have taken place in Iran-Contra) use drug profits. The concealment comes because the costs of the weapons are covered and there’s no need for an expenditure line item.

        In malware, one can imagine something similar, with plenty of plausible deniability by using criminals to do the production and distribution.

        On one point, though, history clearly contradicts you. You say: “All of this would have leaked, badly enough to reveal complicity, years ago, even if it were under the aegis of the CIA.”

        The precedent of Iran-Contra is clearly against this. The effort began probably under Carter, but certainly was in full swing by the early 80s. It involved millions of dollars and lots and lots of weapons, including highly-controlled weapons like TOWs, being shipped all around the world, even to an enemy, Iran. The enterprise only came to light in late 1986 because cargo handler/smuggler Eugene Hasenfus survived the crash of his plane by the unauthorized use of a parachute. Even so, had it not been for relentless reporting by brave reporters of the mettle of Robert Parry and congressional probing by John Kerry, and hard-nosed prosecution by Lawrence Walsh, the American people would have no clue what happened. Even so, large parts of the program have escaped revelation, and most of the American public doesn’t really understand what happened.

        The point is that a massive enterprise–far more massive than a little malware production–remained a secret for about five years, and only came to light through the combination of an accident and energetic reporting and investigation.

        I do respect your experience.

        I also trust my gut.

        So: we will see, assuming we live long enough.

  5. Stormcrow said

    I assume you’ve heard the news by now.

    Bruce Schneier wrote up the attack in his blog Monday: RSA Security, Inc Hacked.

    And today, the other shoe dropped: Hack Obtains 9 Bogus Certificates for Prominent Websites; Traced to Iran.

    If the attack on RSA was state-sponsored, and if it was crafted in Iran, this tells us that Stuxnet may have started a real cyberwar, whether it was intended to or not.

    The authors of these pieces aren’t really making anything more of this than is really there. The entire concept of “certificates” is based on a trustworthy authority, and that authority has now been penetrated, to real effect.

    It gets better, because certificates can be replaced much more cheaply than, say, 25 million RSA SecureID keyfobs.[ ed: Maybe this link?] If the token seeds for those things have also been compromised, fur is going to fly.

    And billions of dollars are about to go swirling, even if no direct exploitation of this takes place.

    (1) Almost everybody who wants to securely authenticate over untrusted public network links uses two-factor authentication.

    (2) RSA is the 800 pound gorilla of two-factor authentication. Like Cisco, with network hardware. RSA dominates this market, with an estimated 75% market share. At least, up until Monday they did.

    This raises the question of just how wise it really was to piss the Iranians off.

    Israeli idiots, perhaps with the help of American idiots, start with an attack on a piece of Iranian infrastructure in no way really critical to Iran. And Iran (most probably, at the time of this writing) replies with a hard swift kick to the IT gonads of the entire industrialized world.

    And oh chocolate jesus, here we find ourselves again, fighting outside of our weight class.

    • Charles II said

      Thanks for the update, Stormcrow. I missed this bit of news.

      Yes, this is the kind of havoc that can be sown if states get involved in cyberwarfare.

      And, now that a state has helpfully pioneered the way, the criminal gangs about which you quite justifiably expressed concern will doubtlessly become interested. Being able to spoof Bank of America’s web page could be quite profitable.

      The world is enormously dependent on the Internet. If it were brought down, how large of a hit would world GDP take? I would WAG 10-20%. We need to take care of it, and part of that is states taking a leadership role in saying that Internet abuse, whether by criminals, by spammers, by recreational hackers, or even by states seeking a military advantage, is impermissible. Then, of course, taking steps to punish and prevent such abuse.

      I don’t know what the answer is. I do think that centralization of authority tends to lead to complacency, sloppiness, and eventually, mass failure.

      • Stormcrow said

        Being able to spoof Bank of America’s web page could be quite profitable.

        No question whatsoever about that, because this is actually a fairly classic M.O. by now.

        Phishing. Been going on for at least 7 or 8 years now; I saw my first “bait” email while I was still working for WaMu.

        The crooks have moved on to better scams with bigger payouts, for the most part. No bank officer in her right mind is going to use email for unsolicited communication with customers anymore. Which isn’t to say they don’t ever do it; some of them aren’t in their right minds.

        As for our taking the lead... IMHO, that ship sailed at least a decade ago. Sigh.

        Sorry about the link; it should have been to the Wikipedia page on SecureID, SecurID – Wikipedia, the free encyclopedia.

        I wrote that update up in far too big a hurry, otherwise I’d have thought to simply exploit the Firefox addon Redirect Remover, which I added to the mix about 18 months ago. Cleans out that nasty crap Google chose to replace ordinary links with, like they’d never even thought up the notion to begin with. :)
