Cyber warfare sounds like something out of a Hollywood action movie, but it’s something we need to take very seriously. There has been some speculation about possible cyber attacks in the past: the power outages in Brazil in 2005 and 2007 could possibly have been caused intentionally. The United States was affected by a power outage in 2003 that blacked out the entire northeastern region and was widely publicized. The truth of what happened in these instances may never be known, for national security reasons. Power outages are only the tip of the iceberg, though; we have yet to see the realm of cyber warfare blossom, or maybe I should say it is blossoming right now.
Recently a worm known as “Stuxnet” has been revealed to the public. Computer security professionals tend to agree that this worm is unique in that a tremendous amount of resources went into it. It is only about half a megabyte in size, but its contents demonstrate a level of sophistication that would take a team effort, and a very large team at that. Allow me to give you an executive overview:
The worm spread by USB thumb drive primarily, but would also infect machines on the local network once the thumb drive had been attached. It was made to hide itself. It stops spreading after three activations so that it won’t spread too far and end up under a microscope (and yet it has).
The methods that the worm uses to infect host machines were previously unknown to the rest of the world, and there are four of them. Typically one vulnerability is discovered and a worm exploits that single vulnerability to spread across the Internet. This is what happened with recently publicized worms such as Conficker, which exploited one single undiscovered vulnerability. Stuxnet used four different ones, which would indicate that there is a team of people looking for these vulnerabilities and keeping them secret.
Another interesting fact is that this particular worm included compiled code that had been digitally signed by two major hardware manufacturers. How is that possible? There are only two ways that might have happened: either the private key was acquired by purchasing or stealing it from the company, which is entirely possible, or it was acquired through the use of another worm, which is the most likely scenario because there are other worms known to do this, most notably the “Infostealer.Nimkey” worm, which scans infected machines for private key files and sends them to a command and control host somewhere in a country you’d never visit.
The last, and most significant, characteristic of this worm is that it includes a set of code routines that target a particular type of software known as supervisory control and data acquisition (SCADA). You probably have some vague notion of what I’m talking about. Picture a computer screen with icons representing individual components in an industrial process, showing indicators like water levels, temperature and pressure gauges and other information. The machine that runs this software has code routines to warn people when a component has surpassed a warning threshold, and may send additional notifications to safety equipment, shutting down the entire system if need be. This software is often connected to the Internet, like everything in the world these days, so that it can receive security updates. (Oh, the irony.)
This worm targeted a very specific type of SCADA software which is used in Iranian nuclear power plants, and by all accounts it likely succeeded at installing its “payload” into the reactor control systems.
Hopefully I haven’t bored you with too much technical detail. Who am I kidding, this is fascinating, right? The point I’m trying to convey here is the amount of work that went into the Stuxnet worm and the nature of the attack. I’ll come right out at this point and say that this particular worm was likely the work of the United States government, or its allies, in an effort to stall Iran. Let’s not assume, though, that this is exclusively the realm of the United States. Yes, we do have a stacked deck. We have access to the companies that make much of the technology. Many of them run on operating systems developed in the United States (Microsoft Windows). Stuxnet infections have occurred in Iran more than in any other country, according to anti-virus software companies. It was likely introduced to an Iranian facility by an insider.
I’ve heard it said before that the only way to protect a computer from intrusion is to unplug it from the Internet. That made sense when I first heard it, but since then the world has become much more complicated. Almost everything has a wireless connection, and wireless connections are notoriously easy to break into. The Stuxnet worm spreads by portable devices, the same method the very first computer viruses ever made used, and the least virulent form of transmission. You have to assume that an attacker given a selection of supposedly secure pathways for intrusion will find a way to exploit at least one of them. You have to assume it will happen.
Computer security these days centers not only on ways to protect a system, but also on how to detect when an intrusion has occurred, and how to protect critical processes and data from being compromised through the use of encryption and physical barriers.
Whoever made the Stuxnet worm obviously did it for a reason. Perhaps they wanted to demonstrate that these critical systems could in fact be compromised. Would you put nuclear fuel in this Iranian reactor? I certainly wouldn’t, but maybe the Iranians are gutsier than I am. The Stuxnet worm had the capability to retrieve software updates from its command and control host in those countries you’d never visit, and also from other hosts on its network (peer-to-peer). It had the capability to start new processes. It’s very likely that once the worm had reached its target destination it was then used to install another package; otherwise all that effort would be wasted at this point.
We can think about these packages (worms, viruses, Trojan horses) in the same sense we think of a cruise missile, or a nuclear weapon. If this worm has the capability to compromise the control software of a nuclear power plant and make modifications, it may have been used to create a nuclear meltdown. Nobody wants to risk a nuclear meltdown, and so the Iranian reactor is delayed, which, if you go look through the news archives, you will see has happened. This worm’s purpose may have been in the interest of humanity, but like all technology, the power to do evil is always there.
To make matters worse, these threats are often completely anonymous and untraceable. Think of a nuclear weapon going off in a country and nobody knows how it got there or who made it, and there is no way to trace it.
But that will never happen, right? The United States would never do something like that. And nobody but the United States could ever do something like this, right? No, I wouldn’t say that. Hypothetically, if it were me and I wanted to wreak maximum damage on, say, the entire world, and I knew that Stuxnet was designed to overload a reactor core, all I would have to do is follow this simple procedure:
1. Download Stuxnet.
2. Modify Stuxnet so that it was indiscriminate in the machines it targeted.
3. Modify Stuxnet so that it didn’t wait for command and control to tell it to go bang, make it go bang after a few days or some carefully calculated interval.
4. Add in the latest unpatched exploit that was discovered and reported to Microsoft last week.
5. Add in a social networking component, make it spread through popular web sites like Facebook and Twitter. (Yes, this is getting good!)
6. Release it back into the wild.
So we don’t want nuclear weapons falling into the wrong hands, right? Here we have an example of a dangerous and classified military weapon (we’re assuming), and it’s certainly in the wrong hands by now. Perhaps it can’t be used effectively, perhaps it was never meant to do any damage, or maybe it was just, as I’ve suggested, that someone wanted it to be known that they are all up in someone else’s systems.
It’s a very interesting story, I’m sure you’d agree. We all need to be aware of the unique nature of this threat. Could you make a nuclear weapon in your basement? I will go out on a limb and guess that you’re not going to succeed even if you tried. However, if your goal is to take down a country’s critical infrastructure, turn the lights out, turn banking upside down with spam transactions from millions of Internet-connected sales terminals, make people afraid to drive their cars, or cause some other havoc, I’d base your likelihood of success on the level of ingenuity of you and the people you hire to help you. We all know how fragile modern society has become. This threat has similar or greater potential than an EMP attack, and it is much easier for a determined group to carry out.
I have heard a lot of people on this blog make suggestions that put a lot of trust in your computer or smart phone to work the way you expect it to. If you’re storing important information on a computer that you think you’ll depend on for survival, then I urge you to take steps to secure it. One of the things I mentioned earlier was physical barriers. The simplest thing you can do right now to secure everything is to write all of your data to optical disks (CD, DVD, or Blu-Ray), take the necessary steps to preserve them (a cool, dry, dark place), and create a bootable Linux live-CD, or two or three, to run them off of.
Make sure this live-CD works for you. It’s very important that you try it on the computer you intend to use it on, because not all hardware will work; a Linux distribution comes with a collection of generic drivers that work for 90% of the hardware out there, but you will want to test a few things: your network connection, flash or USB devices, and also that this live-CD has all of the software required to access your files (a web browser, a PDF reader, and video/audio players with the correct codecs). As long as you are booting off of a read-only disk you can always reboot and get right back where you started. I would use this CD for all of your everyday web browsing if you want to remain uncompromised. Browsing the web is always a risk.
Here is a list of bootable live CDs:
FedoraLiveCD
Ubuntu.com
Debian.org/LiveCD
Knoppix.net/
http://getchrome.eu/download.php
http://code.google.com/p/live-android/
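A readiness check for the live-CD setup described above, added here as an example and not part of the original post. It assumes the browser, PDF reader and media player are firefox, evince and vlc, that the boot medium is mounted at /cdrom and the archive disc at /media/archive, and that a SHA-256 manifest named MANIFEST.sha256 was written onto the archive disc when it was burned:

```shell
#!/bin/sh
# Added example (not from the original post): a readiness check to run from a
# shell inside the booted live CD before you rely on it. Tool names, the
# /cdrom and /media/archive mount points and the manifest file name are
# assumptions; adjust them to match the distribution you picked.

# Programs needed to open the archived files: browser, PDF reader, media player.
REQUIRED_TOOLS="firefox evince vlc"

# Succeed if every command in "$1" is on the PATH; otherwise list the missing
# ones on stdout and fail.
missing_tools() {
    missing=""
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Succeed if mount point "$1" carries the "ro" option in the mounts table
# ("$2", default /proc/mounts), i.e. the medium really is mounted read-only.
is_readonly_mount() {
    mounts="${2:-/proc/mounts}"
    awk -v mp="$1" '
        $2 == mp { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
        END { exit ro ? 0 : 1 }' "$mounts"
}

# Succeed if every file on the archive disc mounted at "$1" still matches the
# SHA-256 manifest "$2" that was written when the disc was burned.
verify_archive() {
    ( cd "$1" && sha256sum -c --quiet "$2" ) >/dev/null 2>&1
}

# Overall check for an Ubuntu-style live CD that mounts the boot medium at
# /cdrom, with the archive disc mounted at /media/archive (both assumptions).
live_cd_ready() {
    is_readonly_mount /cdrom || { echo "boot medium is not read-only"; return 1; }
    missing_tools "$REQUIRED_TOOLS" || return 1
    verify_archive /media/archive /media/archive/MANIFEST.sha256 \
        || { echo "archive disc fails checksum"; return 1; }
    echo "live CD ready"
}
```

Run `live_cd_ready` from a terminal in the booted live system; a non-zero exit means one of the three checks failed, and the message tells you which.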
To read more about the technical details of Stuxnet, the Symantec blog is a great source of info.