Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.

Can the Muslim Brotherhood and Ptech Sabotage U.S. Electronic Defense Systems?

COMMENT: Two of the most neglected aspects of the investigation into the 9/11 attacks are the Ptech company/investigation and Operation Green Quest. In the person of Yaqub Mirza, the two overlap.

Now comes the disclosure that integrated circuits can be implanted with “kill switches” that could enable a malefactor to sabotage critical military and/or civilian operating systems.

How might the Ptech/Yaqub nexus described in the linked article above affect the possible implanting of such “kill switches” in computer chips?

The results might be devastating.

“Researcher to Feds: Beware of Secret ‘Kill Switches’ on Computer Chips” by Sarah Lai Stirland; Talking Points Memo; 5/25/2011.

EXCERPT: Federal authorities need to shift more of their attention to computer chips as a platform for a well-organized attack on the United States by would-be saboteurs, warns a well-respected professor in the field of integrated circuits.

Several administration officials are scheduled to testify in front of two House committees Wednesday as Capitol Hill works with them to enact landmark cybersecurity legislation by the end of the summer.

One little-discussed area that they all need to more thoroughly examine is the security measures that should be adopted against malicious hardware that can be secretly implanted in the integrated circuits that control much of the world around us today, John D. Villasenor, professor of electrical engineering at the University of California, told TPM.

“There are literally thousands of people engaged in addressing software security concerns, but there’s very little awareness of the enormous exposure we have with respect to hardware security,” he said. “Chips are in almost everything these days, and in the commercial sector very little effort is directed to making sure they are free of malicious circuitry.”

Chips can be a security risk because a saboteur can slip in one component of hardware into a design that could contain thousands. Modern computer chips can power anything from the flaps of airplanes to the entire electricity system itself.

Integrated circuits pose a particular risk because they have become so complex. They are sourced and put together by suppliers all around the globe, and so it’s difficult to control the process of creating every single part that goes into them.

Villasenor estimates that there are about 1,550 companies around the world involved in designing integrated circuits.

Saboteurs could implant parts that are triggered by certain events to freeze hardware, or they could build in ‘back doors’ that could perform secret actions on devices as it, or whatever system it’s part of, keeps running.

While it all might sound like something out of The Bourne Conspiracy, French chipmakers and defense contractors have apparently already built such capabilities, an industry source told engineering magazine IEEE in 2008.

The Defense Advanced Research Projects Agency has already embarked on a project to address the issue with chips powering military equipment. Villasenor said that perhaps industry could take a look to see if they could learn any lessons. . . .


Discussion

9 comments for “Can the Muslim Brotherhood and Ptech Sabotage U.S. Electronic Defense Systems?”

  1. DARPA just provided an answer to the question posed in the title of this post: Yes.

    http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity/

    Darpa Begs Hackers: Secure Our Networks, End ‘Season of Darkness’

    By Spencer Ackerman, 11/7/2011

    The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: could you help them out?

    Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks. The Pentagon can’t defend those networks on its own, the agency admitted.

    Because it’s the blue-sky research agency that helped create the internet, Darpa framed the problem as a deep, existential one, not a pedestrian question of insecure code. “It is the makings of novels and poetry from Dickens to Gibran that the best and the worst occupy the same time, that wisdom and foolishness appear in the same age, light and darkness in the same season,” mused Regina Dugan, Darpa’s director. She’s talking about the internet. “These are the timeless words of our existence. We know it is true of everything.”

    Put in a blunter way, U.S. networks are “as porous as a colander,” Richard Clarke, the former White House counterterrorism chief turned cybersecurity Cassandra, told a packed ballroom.

    “We are losing ground because we are inherently divergent from the threat,” conceded Dugan, swooping down from the stratosphere. Current network security is a numbers game: according to Darpa research, securing sensitive information on the military’s networks typically requires programs running 10 million lines of code. On average, the malicious code, viruses, bots, worms and exploits that try to penetrate those defenses rely on 9,000 lines of code. Eventually, simple beats over-engineered.

    Dugan didn’t go as far as Clarke did — she’s a senior Defense Department official, after all — but she implied that left to its own devices, the government’s network defenses will allow crucial data to increasingly sluice through, like water through Clarke’s colander. And it’s not just information leaking out: it’s the danger of a cyberattack crippling U.S. financial systems or the power grid, according to many at the colloquium. “We believe we need more and better options,” Dugan said.
    ....

    Posted by Pterrafractyl | November 7, 2011, 11:26 am
  2. Son of Stuxnet?

    US investigates cyber attack on Illinois water system
    State report says stolen credentials used by hacker who was traced to Russia

    By Jim Finkle
    Reuters
    updated 2 hours 21 minutes ago

    Federal investigators are looking into a report that hackers managed to remotely shut down a utility’s water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.

    The Nov. 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.

    The attackers obtained access to the water utility’s network with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.

    ...

    SCADA security
    Cyber security experts said that the reported attack highlights the risk that attackers can break into what is known as Supervisory Control and Data Acquisition (SCADA) systems. They are highly specialized computer systems that control critical infrastructure — from water treatment facilities, chemical plants and nuclear reactors to gas pipelines, dams and switches on train lines.

    The issue of securing SCADA systems from cyber attacks made international headlines last year after the mysterious Stuxnet virus attacked a centrifuge at a uranium enrichment facility in Iran. Many experts say that was a major setback for Iran’s nuclear weapons program and attribute the attack to the United States and Israel.

    In 2007, researchers at the U.S. government’s Idaho National Laboratories identified a vulnerability in the electric grid, demonstrating how much damage a cyber attack could inflict on a large diesel generator.

    ...

    “Many (SCADA systems) are old and vulnerable,” said Kass. “There are no financial incentives for the utility owners to replace and secure these systems and the costs would be high.”
    .....

    Umm, if there are “no financial incentives” for operators of critical infrastructure to secure their systems I think we need new operators.

    Posted by Pterrafractyl | November 18, 2011, 3:07 pm
  3. I’ve often wondered over the years why it isn’t considered a national security issue that the US’s tax policies actually incentivize manufacturers to move jobs offshore.

    Still wondering:

    VOA
    Fake Chinese Parts Widespread in US Military Equipment: Senate Report
    Posted Tuesday, May 22nd, 2012 at 3:35 am

    A U.S. Senate investigation has found that counterfeit Chinese electronic parts used in U.S. military equipment are compromising the safety of American troops and posing a national security risk.

    A year-long investigation by the Senate Armed Services Committee found over 1,800 cases of fake electronic components in everything from cargo aircraft to night vision goggles.

    The report released Monday said that more than 70 percent of an estimated one million suspect parts could be traced to China, which it says has failed to adequately police its counterfeit electronics market.

    ...

    Posted by Pterrafractyl | May 24, 2012, 10:07 pm
  4. Not surprising, but worth noting:

    Techworld
    Germany readying offensive cyberwarfare unit, parliament told
    Cyber-ops are go

    By John E Dunn | Techworld | Published: 12:45, 07 June 2012

    Germany has set up a cyber-warfare unit designed to carry out offensive operations, the country’s Defence Ministry has admitted for the first time in a parliamentary report to legislators.

    According to German reports, the Bonn-based Computer Network Operations (CNO) unit had existed since 2006 but was only now being readied for deployment under the control of the country’s military.

    “The initial capacity to operate in hostile networks has been achieved,” a German press agency reported the brief document as saying. The unit had already conducted closed lab simulations of cyber-attacks.

    Although the German admission is not a huge surprise — most countries are assumed to have cyber-offensive capabilities — the clear declaration that the CNO has an attack role has reportedly caused controversy among the country’s legislators.

    The ambiguities are legion. Does the military have the legal or constitutional authority to launch cyber-attacks against third parties without the approval of Parliament and if so under what circumstances?
    ...

    Posted by Pterrafractyl | June 12, 2012, 6:38 pm
  5. @Pterrafractyl–

    I wonder if they will start making noise in this direction?

    Dave Emory

    Posted by Dave Emory | June 13, 2012, 3:42 pm
  6. @Dave: Heh, well, I suppose the German military could send some “noise” towards this site pretty easily, along with at least half the other militaries of the world. Fortunately, I suspect some sort of attack would simply gather attention and act as a proxy-validation of the content on this site. Unfortunately, that same validation of this site’s content could have been achieved years ago by enough people reading the content on this site but that’s a seemingly insurmountable barrier (ahistorical historical eras tend to end unwell).

    On the plus side, at least we don’t have to be as immediately concerned about hacking as these folks:

    June 13, 2012 11:27 PM
    Report: Flight suits could make F-22 pilots sick

    (CBS News) Pilots flying the U.S. military’s most advanced fighter jet, the F-22 Raptor, had been getting sick at the controls, and much of the focus toward finding the cause has been on the plane itself.

    Now, however, Air Force investigators say the specialized flight suit pilots wear in the F-22 could be at least partially to blame for the oxygen deprivation experienced in flight.

    Officials tell CBS News correspondent David Martin that tests carried out in a flight-simulating centrifuge replicated hypoxia-like conditions for pilots wearing the suits. The link to the suits was first reported by CNN on Wednesday.

    As “60 Minutes” reported in May (video), the Raptor — the most expensive fighter ever — has been plagued by a mysterious flaw that causes its pilots to become disoriented while at the controls from a lack of oxygen.

    Pilots of the stealth fighter have complained that those oxygen-deficit problems have resulted in pilot dizziness, blackouts and other symptoms.

    Martin reported that, according to the Air Force, there have been 22 unexplained cases over the past four years in which pilots experienced symptoms of oxygen deprivation.

    The F-22 was grounded last year while engineers searched for something that could be contaminating the cockpit air, but the Air Force returned it to flight, sending the F-22s to the Persian Gulf, without finding the cause.

    Now, investigators are zeroing in on a part of the flight suit called the “Combat Edge,” which “hampers breathing and causes oxygen loss when combined with a physiological condition that collapses air sacs in the lungs,” CNN reports.

    The Air Force report is also expected to state that another possible problem for pilots is a condition called acceleration atelectasis, which causes a pilot’s lungs to not effectively deliver oxygen to the bloodstream. The extreme effects of g-forces along with the pure oxygen breathed by pilots could lead to the condition.

    ...

    Yes, the pilots of the most expensive fighter jet ever made are either suffering from atelectasis, a medical condition caused by breathing pure oxygen under extreme g-forces OR they’re suffering from asphyxiation, a medical condition caused by the “Combat Edge” g-suit not delivering enough oxygen during extreme aeronautic maneuvers. That sounds like an unpleasant situation all around.

    If the flight suit is the culprit, it sounds like it might be a software issue:

    FlightGlobal.com
    Combat Edge anti-g ensemble might be causing the Raptor’s woes

    By Dave Majumdar on June 6, 2012 12:41 AM

    The Combat Edge upper pressure-garment might be responsible for the Lockheed Martin F-22 Raptor’s oxygen woes.

    The US Air Force isn’t saying anything officially just yet though.

    The USAF still maintains it has two broad hypotheses as to the root cause of the Raptor’s oxygen woes. One theory is that there is a problem with the quality of the air reaching the pilot, which might include some sort of toxin or contaminant. “To date, we’ve seen no conclusive evidence of toxins in the analyses of life support system components, cockpit air samples, or pilots’ medical work-ups, although we have not definitively ruled out contamination as a possible factor,” the USAF says. That includes analysis of the contents of the C2A1 activated carbon filters when pilots were flying with those devices, the service adds.

    The second hypothesis is that the quantity of air reaching the pilot may not be the correct amount. Factors that might impact the right quantity of oxygen reaching the pilot include the demand for air versus the supply flowing through the life support system under operating conditions like high altitude and high-G force and other factors. This second hypothesis seems to be in line with what sources have disclosed to Flightglobal.

    But the USAF has not ruled out decompression sickness, which could be a factor at the altitudes and cabin pressures encountered by F-22 pilots.

    ...

    “Some of the symptoms pilots have reported are listed as symptoms of [decompression sickness], but they’re also non-specific symptoms of a number of other conditions or factors such as acceleration atelectasis or increased work of breathing that are as consistent or more consistent with what may be happening between pilots and their life support systems during incident sorties,” the USAF says. “We continue to look at a range of potential root causes, but that range continues to narrow.”

    That Combat Edge suit is probably the source of the problem, sources say. The USAF release alludes to that... The F-35’s suit might be a way of partially fixing the problem, but given the extreme altitudes and high g-forces Raptor pilots encounter at those cabin pressures, they may just need to take a day off after their flight. But there is another factor that plays into all this, and that is a newer model digital On-board Oxygen Generation System–but more on that later...

    On the plus side, the manufacturers of the “Combat Edge” g-suit, David Clark Company, are known for their noise-canceling headphones so noise is something they hopefully don’t have to worry about too much. In the age of outsourced national security and “WTF?!” reality, I guess beggars can’t be choosers.

    Posted by Pterrafractyl | June 14, 2012, 7:31 am
  7. Did script kiddies just target energy companies in Saudi Arabia?

    Shamoon Malware Targets Energy Firms, Possibly Saudis
    By: Robert Lemos
    2012-08-17

    The same day a Saudi oil company announces it’s been attacked, antivirus firms release an analysis of a program called Shamoon that is deleting corporate data at different energy firms.

    A limited number of energy companies have been targeted with a destructive virus—dubbed Shamoon—that spreads through shared network drives and deletes important data from computers.

    The virus, which some are calling Disstrack, has destroyed data belonging to at least one energy firm, according to an analysis published Aug. 16 by security firm Symantec. Reports of the program came a day after a major Saudi oil company, Saudi Aramco, announced that a virus had destroyed data in its network, but antivirus firms declined to comment on whether the firm was the source of their malware samples.

    The virus is likely the digital version of a clean-up crew for a separate attack, but its simplistic programming does not resemble previous programs aimed at governments in the region, such as Stuxnet, Duqu and Flame, said Liam O Murchu, manager of operations for Symantec’s security response group.

    “I think the fact that it appears to have been targeted is quite interesting,” he said, adding: “But it looks like something that is quite simple and quite quick to code, so it falls into a different category in my mind.”

    ...

    Shamoon may not be of the same ilk as previous attacks. While the malware resembles another destructive attack on Iranian government agencies that led to the discovery of the Flame espionage Trojan, there are significant technical differences between the two attacks, wrote an analyst with security software firm Kaspersky Lab.

    “It is more likely that this is a copycat, the work of script kiddies inspired by the story,” the analysis states. “Nowadays, destructive malware is rare; the main focus of cyber-criminals is financial profit. Cases like the one here do not appear very often.”

    ...

    “This is another strong case for saying that the companies which were targeted were those whose machines had important information on them and were not connected directly to the Internet,” said Raff.

    For the most part, other companies do not need to worry about Shamoon, as the attacks appear to be targeted at a very limited number of companies, according to the Kaspersky analysis.

    “So far, there are only two (other) reports, both from China, which appear to be security researchers,” according to Kaspersky. “So we can conclude that the malware is not widespread and it was probably only used in very focused targeted attacks.”

    While it’s possible that script kiddies were targeting machines with important info on Saudi Aramco’s networks, the just-discovered virus targeting financial institutions in Lebanon appears to have more than just script kiddies behind its development:

    The Atlantic
    Did the Bounds of Cyber War Just Expand to Banks and Neutral States?
    By Katherine Maher

    Aug 17 2012, 7:34 AM ET

    Last week the Russian security research group Kaspersky Labs announced they had found a new computer virus infecting thousands of computers in the Middle East. Called “Gauss,” after a filename found in its codebase, the malware can capture information about the infected computer, including Internet browsing histories, user login details, and system configuration details. The existence of Gauss suggests that countries may be using cyber warfare for more than just countering imminent threats, and that, with the rules of digital engagement so ambiguous, there’s little to restrain or guide cyberwar’s development.

    Kaspersky Labs was blunt: Gauss, it says, is likely a “nation-state sponsored banking Trojan” built by the same programmers behind Stuxnet and Flame, the recent, sophisticated digital pathogens often speculated as designed by the United States and Israel. However, unlike these viruses, which both targeted Iran, Gauss appears to have a very different target: the banking system of Lebanon.

    Gauss is the latest in a line of massive malware attacks, and much like its predecessors, it appears to be so complex and sophisticated that it’s assumed to have been built by a sovereign state. Gauss uses the same platform as Flame, a “cyber espionage” program that was found in a number of locations in Iran in early 2012 and was capable of comprehensive surveillance of infected computers. Flame itself bore a strong family resemblance to Stuxnet, a 2010 virus that targeted the Iranian nuclear research program.

    Like Flame, Gauss transmits detailed records of user activity back to its central command. Like Stuxnet, it carries a special encrypted “payload” that targets machines that carry specific system configurations. Stuxnet’s payload would identify and disable nuclear research systems, but the encryption for the Gauss payload has not yet been broken, and its purpose remains unknown.

    However, unlike Flame and Stuxnet, which targeted a rogue state’s government networks, Gauss goes after the commercial sector in a country that has normalized relations with the United States. Out of more than 2,500 identified instances of Gauss, nearly two-thirds have been found in Lebanon. And, unlike the broad spying capacity of Flame, Gauss seems designed for the narrow purpose of capturing transaction data from financial institutions and digital payment providers; specifically, Lebanese banks Fransabank, Bank of Beirut, BLOM, Credit Libanais, Byblos Bank, and EBLF, as well as siphoning data from PayPal and Citibank.

    Why Lebanon? Why banks? Stealing financial transaction data is traditionally the province of, say, shadowy underground criminal gangs. Lebanon is a small country better known for its vibrant nightlife and perpetual domestic volatility. Neither its banking sector nor the state itself are obvious targets for the U.S. or Israeli intelligence services, which, though they haven’t been connected to Gauss, are the only groups with both the know-how and, if they truly were behind Stuxnet and Flame, the track record.

    However, Lebanon’s size belies its importance as a regional entrepôt and banking haven; its cosmopolitan libertarianism, along with old-world discretion, have long made the country a popular choice for foreign depositors of all profiles and persuasions. Think of it as something like the Switzerland of the modern Middle East. More than 60 banks manage nearly $120 billion in private deposits in a country of 4.3 million people, and account for roughly 35 percent of the country’s economic activity.

    These are not mere corner retail banks serving up loans, mortgages, and checking accounts to Lebanese citizens. They are among the most private banks in the world, bound by genteel conventions of secrecy long since abandoned elsewhere. Since 1956, domestic and foreign banks operating in Lebanon have been legally required to protect the names and assets of their clients from all inquiring authorities.

    U.S. financial regulators, concerned with money laundering and terrorism financing, have long given special attention to the opacity and reach of the Lebanese banking system. A 2000 advisory by the U.S. Department of Treasury Financial Crimes Enforcement Network instructed all U.S. banks to “give enhanced scrutiny to all financial transactions originating in or routed to or through Lebanon.” In 2011, the Lebanese Canadian Bank was shuttered after the U.S. revealed that the Lebanese militant group Hezbollah was using the bank to launder money from cocaine profits, Mexican cartels, and African conflict diamonds. This year, the entire national banking system has come under scrutiny, accused of assisting members of the Syrian and Iranian regimes evade international sanctions and launder money that’s also being funneled to Syria’s ongoing conflict.

    The Kaspersky researchers think that Gauss first made its way onto Lebanese computers in late summer 2011, as violence worsened in Syria and Iranian nuclear talks stalled. Without the decrypted contents of the Gauss payload, it’s impossible to know the virus’ full capabilities, but it’s not difficult to conjecture a likely purpose. Gauss appears to be capable of tracing the flow of illicit funds through some of the region’s largest financial clearing houses, offering its designers unprecedented access to data on how money flows and between whom, on organizational networks, and on funding sources — a veritable intelligence bonanza for anyone who might have an interest in that sort of thing.

    ...

    Perhaps the most surprising part of this “Gauss” story is that a virus presumably developed by the US intelligence community would even bother trying to capture PayPal transactions for intelligence gathering purposes. I would have expected that info to be readily available to the spooks.

    Posted by Pterrafractyl | August 20, 2012, 12:13 pm
  8. Given that this latest Stuxnet-cousin, Gauss, may also contain a Stuxnet-like ability to remotely take control of industrial command and control systems, and given the massive RSA login-password data-breach from 2011, this should probably be looked into:

    Siemens works to fix vulnerability in critical control networks
    Remotely exploitable flaw could disrupt devices used by utilities, refineries, others

    By Jaikumar Vijayan
    August 22, 2012 05:34 PM ET

    Computerworld — Siemens is working on a fix for a remotely exploitable vulnerability in network routers and switches from subsidiary RuggedCom that are widely deployed in refineries, power substations and other critical infrastructure networks in the U.S.

    In a statement, Siemens said it was notified of the issue by the Department of Homeland Security’s Industrial Control Systems Computer Emergency Response Team (ICS-CERT) earlier this week. The vulnerability stems from a hard-coded RSA SSL private key in RuggedCom’s Rugged Operating System (ROS) that gives attackers a way to decrypt traffic between an end user and the router.

    According to ICS-CERT, the hard-coded key can be used by attackers to launch malicious communications against RuggedCom network devices.

    “Specialists from Siemens and RuggedCom are investigating this issue and will provide information updates as soon as they become available,” the company said, without specifying when that might happen. Siemens acquired RuggedCom earlier this year.

    ICS-CERT on Wednesday issued an alert warning operators of industrial control networks about the problem. The alert urged administrators to ensure that control system devices are not connected directly to the Internet and to make sure all control system networks and devices are behind firewalls.

    ...

    Dale Peterson, CEO of Digital Bond, a consulting firm specializing in control system security, said the flaw allows an attacker to access the login credentials to RuggedCom devices and to launch denial-of-service attacks against network devices running the vulnerable OS.

    Peterson described RuggedCom as the “Cisco” of the industrial control network space and said the company is the largest supplier of ruggedized network devices to industrial control systems owners in the U.S.

    The vulnerability described by Clarke is akin to flaws in older versions of Microsoft’s Remote Desktop Protocol clients and Terminal Servers. And just like Microsoft, it will likely take Siemens a while to address the issue, he said.

    By itself, the vulnerability is unlikely to greatly heighten risks for operators of industrial control networks, according to Peterson. That’s because an attacker would already need to have access to an ICS network to be able to exploit the vulnerability. “It’s pretty much game over if you already have someone on your network,” he said. “This [vulnerability] gives them just another thing they can do as an attacker.”

    Even so, flaws such as this highlight the fundamental security problems that exist in systems running critical infrastructure equipment and networks, he said.

    This is the second security vulnerability in RuggedCom’s products in just the past few months, Peterson noted. “They had a terrible response last time, so it will be interesting to see if they do better with this one,” he said. In addition to fixing the issue, RuggedCom also needs to offer an explanation to customers about how it plans on changing its software development and testing processes to ensure such problems don’t continue, he said.

    ...

    Posted by Pterrafractyl | August 23, 2012, 11:05 am
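The RuggedCom flaw quoted above is a private key shared by every device running the same firmware, and the fleet-wide symptom an operator can check for is that different devices present TLS certificates carrying the same public key. The following is an added example (not RuggedCom, Siemens or ICS-CERT code) that fingerprints the SubjectPublicKeyInfo of each collected PEM certificate with only the Python standard library and flags devices that share one; the device names, certificates and key bytes are constructed for the demo.

```python
"""Fleet check for a shared (hard-coded) TLS key across network devices.

Added example. It takes the PEM certificates an operator would collect
from each device (for instance with `openssl s_client`) and reports
devices whose certificates carry the same public key, which is the
symptom of a private key baked into firmware. The DER walker below reads
just enough of the RFC 5280 Certificate layout to reach the
SubjectPublicKeyInfo; it does not validate signatures or names.
"""
import base64
import hashlib
from collections import defaultdict


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at `pos`; return (tag, value, end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(value):
        tag, _, end = _tlv(value, pos)
        yield tag, value[pos:end]
        pos = end


def spki_fingerprint(pem: str) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo of a PEM certificate."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    _, cert, _ = _tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    return hashlib.sha256(spki).hexdigest()


def find_shared_keys(fleet: dict) -> dict:
    """Map fingerprint -> sorted device names for keys seen on more than one device."""
    groups = defaultdict(list)
    for device, pem in fleet.items():
        groups[spki_fingerprint(pem)].append(device)
    return {fp: sorted(devs) for fp, devs in groups.items() if len(devs) > 1}


# ---- constructed sample input (not real certificates or keys) ----------------

def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample certs."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _sample_cert(serial: int, cn: str, key_bytes: bytes) -> str:
    """Certificate skeleton in RFC 5280 field order with placeholder key bits."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    rsa_alg = _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + _der(0x05, b""))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + key_bytes))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))      # version v3
               + _der(0x02, bytes([serial]))        # serialNumber
               + _der(0x30, b"")                    # signature algorithm (placeholder)
               + name                               # issuer
               + _der(0x30, b"")                    # validity (placeholder)
               + name                               # subject
               + spki)                              # subjectPublicKeyInfo
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00" * 9))
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


_FIRMWARE_KEY = bytes(range(32)) * 4            # placeholder: key baked into firmware
_UNIQUE_KEY = bytes(range(255, 127, -1))        # placeholder: per-device key
FLEET = {                                       # constructed inventory
    "substation-sw-1": _sample_cert(1, "substation-sw-1", _FIRMWARE_KEY),
    "substation-sw-2": _sample_cert(2, "substation-sw-2", _FIRMWARE_KEY),
    "refinery-rtr-1": _sample_cert(3, "refinery-rtr-1", _UNIQUE_KEY),
}

if __name__ == "__main__":
    for fp, devices in find_shared_keys(FLEET).items():
        print(f"shared key {fp[:16]}... on {', '.join(devices)}")
```

The same `find_shared_keys` works on real certificates saved from each device, since the walker follows the standard certificate layout rather than anything specific to the constructed samples.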
  9. And here we have another sur­pris­ing devel­op­ing com­ing out of the Mid­dle East: A group call­ing itself “Izz ad-Din al-Quassam Cyber Fight­ers” just unleashed an unusu­ally pow­er­ful series of denial-of-service attacks on major US banks:

    Bloomberg
    Cyber Attacks on U.S. Banks Expose Com­puter Vul­ner­a­bil­ity
    By Chris Strohm and Eric Engle­man on Sep­tem­ber 27, 2012

    Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults.

    The attack, which a U.S. official yesterday said was waged by a still-unidentified group outside the country, flooded bank websites with traffic, rendering them unavailable to consumers and disrupting transactions for hours at a time.

    Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly. The extent of the damage may not be known for weeks or months, said the official, who has access to classified information.

    “The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against,” Rodney Joffe, senior vice president at Sterling, Virginia-based security firm Neustar Inc. (NSR), said in a phone interview.

    While the group is using a method known as distributed denial-of-service, or DDoS, to overwhelm financial-industry websites with traffic from hijacked computers, the attacks have taken control of commercial servers that have much more power, according to the specialists.

    “The notable thing is the volume and the scale of the traffic that’s been directed at these sites, and that’s very rare,” Dmitri Alperovitch, co-founder and chief technology officer of Palo Alto, California-based security firm CrowdStrike Inc. (0192981D), said in a phone interview.

    White House

    The assault, which escalated this week, was the subject of closed-door White House meetings in the past few days, according to a private-security specialist who asked not to be identified because he’s helping to trace the attacks.

    President Barack Obama’s administration is circulating a draft executive order that would create a program to shield vital computer networks from cyber attacks, two former U.S. officials with knowledge of the effort said earlier this month.

    The U.S. Senate last month failed to advance comprehensive cybersecurity legislation and the administration is contemplating using the executive order because it’s not certain that Congress can pass a cybersecurity bill, the officials said.

    ...

    Responsibility Claim

    A group calling itself Izz ad-Din al-Quassam Cyber Fighters claimed responsibility for the assault in a statement posted to the website pastebin.com, saying it was in response to a video uploaded to Google Inc.’s YouTube, depicting the Prophet Muhammad in ways that offended some Muslims.

    The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to Alperovitch and Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said.

    “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.

    Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, and Peter Boogaard at the U.S. Department of Homeland Security, declined to comment.

    Premature Attribution

    Senator Joe Lieberman, a Connecticut independent who heads the Senate Homeland Security and Governmental Affairs Committee, said last week he thought Iran was behind the attacks.

    Alperovitch and Joffe said that while they think one group is behind the attacks, they didn’t have enough information to prove or disprove Lieberman’s assertion that Iran is responsible. The U.S. official with access to classified information said it’s premature to attribute the attacks to Iran’s government.

    The attacks flooded the bank websites with 10 to 20 times more Internet traffic than the typical denial-of-service attack, Alperovitch said. He said that no data were stolen and no networks infiltrated by hackers.

    ...

    Bad Timing

    “If banking infrastructure was affected in this way for an extended period of time, the natural outcome of that is a loss of faith,” he said. “If you can’t get to your banking site for three or four hours on a day when you have to do things, you start thinking about what are my alternatives because this might happen again.”

    The banking industry worries about an organization with more resources launching attacks, said Ed Powers, head of security and private issues for U.S. financial firms at Deloitte & Touche LLP.

    “This is coming toward the end of the month; it’s badly timed,” Joffe said. “People have to pay bills today and tomorrow.”

    ...

    So we can add one more item to the list of recent surprising developments in the Middle East while claiming the pathetic Islam-bashing film as the inspiration for the attacks when it’s clear that the attacks were planned in advance of the film’s release:

    Hackers May Have Had Help With Attacks on U.S. Banks, Researchers Say
    By NICOLE PERLROTH
    September 27, 2012, 5:25 pm

    The hackers claiming responsibility for cyberattacks on American banks over the past week must have had substantial help to disrupt and take down major banking sites, security researchers say.

    Bank of America, JPMorgan Chase, Citigroup, U.S. Bancorp, Wells Fargo and PNC all experienced disruptions and delays on their banking sites over the past week because of denial of service or DDoS attacks, in which hackers clog a Web site with data requests until it slows or collapses under the load.

    A hacker group, which calls itself the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks in online posts. They enlisted volunteers for the attacks with messages on various sites. On one blog, they called on volunteers to visit two Web addresses that would cause their computers to instantly start flooding targets — including the New York Stock Exchange, Nasdaq and Bank of America — with hundreds of data requests each second. This week, hackers asked volunteers to attack banks according to a defined timetable: Wells Fargo on Tuesday, U.S. Bancorp on Wednesday and PNC on Thursday.

    Representatives for Wells Fargo, U.S. Bank and PNC all confirmed Wednesday that their Web sites had experienced disruptions because of unexpected volumes of traffic. Both the New York Stock Exchange and Nasdaq saw a slowdown, but no serious disruption, on their Web sites.

    Security researchers say the attack methods being peddled by hackers — the custom-built Web sites — were too basic to have generated the disruptions.

    “The number of users you need to break those targets is very high,” said Jaime Blasco, a security researcher at AlienVault who has been investigating the attacks. “They must have had help from other sources.”

    Those additional sources, Mr. Blasco said, would have to be a well-resourced group, like a nation state, or botnets — networks of infected zombie computers that do the bidding of cybercriminals. Botnets can be rented via black market schemes that are common in the Internet underground, or loaned out by cybercriminals or governments.

    Last week, Senator Joseph I. Lieberman, chairman of the Senate Homeland Security Committee, said in an interview that he believed the attacks on the banks were being sponsored by Iran’s government.

    Mr. Blasco said security researchers had noticed an increase in the use of botnets out of Iran recently. But he said he had not been able to track the origin of the attack to Iran. Attacks can be routed through various I.P. addresses to mask their true origin, making attribution “nearly impossible,” Mr. Blasco said.

    In the hackers’ post, they said their attacks were not sponsored by Iran, and said they “strongly reject the American officials’ insidious attempts to deceive public opinion.”

    ...

    Regarding the allegations that Iran is behind the attack, while it may be the case that Ahmadinejad and much of Iran’s leadership are pathetic lunatics that are ensuring the destruction of their nation’s future through ass-backwards mismanagement (sometimes in ironic ways), it’s still kind of difficult to see what, if anything, the Iranian government would gain from a cyber attack that would probably just end up helping the candidate that’s promising unilateral military action against Iran if elected.

    Posted by Pterrafractyl | September 27, 2012, 10:00 pm
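An added example, not from the comment thread or either quoted article: a small rate-based flood detector run over constructed web-server access-log lines, in the spirit of the “10 to 20 times more traffic” figure and the many-source problem described above. The baseline rate, multiplier and spread threshold are assumptions, and the log lines and addresses are constructed samples.

```python
from collections import Counter, defaultdict
import re

# Common Log Format; only the client address and the timestamp matter here.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def parse_line(line):
    """Return (client_ip, timestamp) or None for a malformed line."""
    m = LOG_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def bucket_by_second(lines):
    """Map each timestamp (to the second) to a Counter of requests per client."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[ts][ip] += 1
    return buckets

def flag_floods(lines, baseline_rps, multiplier=10, spread_threshold=0.2):
    """Report each second whose request count reaches multiplier x baseline.
    A flood spread thinly over many clients (top source below spread_threshold
    of the traffic) is marked distributed; one dominated by a single client is
    the easier case to filter at the edge. Thresholds are assumed values."""
    findings = []
    for ts, per_ip in sorted(bucket_by_second(lines).items()):
        total = sum(per_ip.values())
        if total < multiplier * baseline_rps:
            continue
        top_share = max(per_ip.values()) / total
        findings.append({"second": ts, "requests": total, "sources": len(per_ip),
                         "distributed": top_share < spread_threshold})
    return findings

def make_line(ip, ts):
    """Constructed access-log line in Common Log Format."""
    return f'{ip} - - [{ts}] "GET /login HTTP/1.1" 200 512'

def constructed_logs():
    """Constructed sample: a quiet second, a many-source flood, a one-source flood."""
    quiet = [make_line(f"10.0.0.{i}", "27/Sep/2012:10:00:00 -0400") for i in (1, 2)]
    spread = [make_line(f"198.51.100.{i}", "27/Sep/2012:10:00:01 -0400") for i in range(1, 41)]
    single = [make_line("203.0.113.9", "27/Sep/2012:10:00:02 -0400") for _ in range(30)]
    return quiet + spread + single + ["garbage line that does not parse"]

if __name__ == "__main__":
    for finding in flag_floods(constructed_logs(), baseline_rps=2):
        print(finding)
```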
