About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Sunday, September 26, 2010

Cyberwar, revisited

When I started this blog just two months ago, the news was all about "cyberwar" and the threats of it.  I posted my take on the issue, which was essentially that although espionage happened, there wasn't really much that would be considered "war".

That was before the worm called Stuxnet hit the news (although after the main infection hit).  Stuxnet (officially W32.Stuxnet) is a type of malware that is unique for a number of reasons, not least in that it's the first known malware to infect SCADA systems.  It's rather versatile as well, possessing the ability to exfiltrate data (send confidential info back to the hackers), hide itself in the Windows operating system, and insert new code into the systems so that the hackers can change how the system operates.  Interestingly, it injects the code in such a way that the new code is hidden from people who examine the infected system.  Stuxnet exploits several different zero-day vulnerabilities, which in itself is quite unusual.  A vulnerability is most effective before it's discovered and patched, so to "waste" four vulnerabilities on one virus is quite uncommon.  On top of that, the hackers who wrote the virus stole two digital certificates and used them to sign the virus, so that Windows would trust that the virus came from a legitimate company.  The virus contacted two command and control servers to obtain updates and instructions, but it also had a peer-to-peer (p2p) update scheme as a backup.

All of this has led several prominent virus researchers to believe it was created by an organization with a large degree of technical skill, time, and money.  Many believe it was created by a government intelligence agency.  The fact that in the first couple of days 59% of infections were in Iran further encourages the belief that it was an intelligence operation against a particular industrial facility in that country, perhaps the Bushehr nuclear reactor or perhaps the Natanz nuclear enrichment facility.  The Natanz facility was built 8 meters underground and protected by reinforced concrete, likely to protect it against threatened airstrikes.  Since the facility is very difficult to attack by conventional means, it's tempting to believe that this was the target of Stuxnet, and it's tempting to believe that Stuxnet may have been an Israeli intelligence operation.  However, we'll likely never know for sure.  Even if the perpetrators step forward and admit what they were doing (and the odds of that are nil), we'd have no way to verify it.

Either way, the fact that Stuxnet exists is proof that cyber sabotage is indeed possible.  Two months after the beginning of the attack, we still have no proof as to who was responsible for it, only guesses.  To me, that's the more frightening part.  With all conventional weapons, it's relatively easy to determine who is responsible for an attack.  Even in the case of terrorism, with some investigation it's possible to prove who should be held accountable for their actions.  With viruses, sometimes it's possible, but much of the time it's not.  Obviously, only time will tell if the creators of Stuxnet will be held accountable for their actions, but if they're never identified then I don't think there can be effective arms control for "cyberwar".

What do you think?

Monday, September 13, 2010

On trust

Computer security is a complex and continually changing field, but there are a few elements that keep cropping up.  One in particular is that with increasing security measures in software, hackers and virus writers are increasingly using psychology to convince a system's user to bypass security for them.  Much like an old-fashioned con man or fraudster will persuade a victim to give them access to their home or bank account, many modern viruses and hacking attempts use social engineering to spread.  By either impersonating someone you may know or stealing and using their account, hackers may try to get you to open a file or click on a link they send you.  This gives them control of your computer for their nefarious ends and allows them to use your accounts (email, Facebook, Twitter, and others) to infect your friends.  There are numerous examples of this in the wild right now, and in particular one of my friends recently fell victim to some variation of one of these.  No matter where you are, always be careful of what you click, always run up-to-date antivirus software, keep your software up to date (particularly Windows and Adobe Acrobat), and always pay attention to possible warning signs of infection (not being able to go to certain websites, antivirus being disabled).

It's not just your friends that hackers and scammers impersonate to get you to trust them.  Particularly if you work on sensitive material (such as military or other government matters), there are quite a few attacks out there impersonating government officials to spread viruses or steal money.  The FBI's "E-Scams and Warnings" page currently has a long list of attacks impersonating government officials.

The only way to protect yourself against these sorts of attacks is to be suspicious of any email that comes into your inbox and any page you view on the internet.  Just because something claims to be from a particular source doesn't mean that's really where it comes from.  Learn to identify malicious email and stay safe out there.  If you've fallen for one of these scams, don't worry: here is some advice on how to recover.  Also, I strongly urge everyone to report these scams to the Internet Crime Complaint Center (http://www.ic3.gov).

The Internet is a dangerous place, but we can all do our part to keep it a bit safer.