Spitfire List Web site and blog of anti-fascist researcher and radio personality Dave Emory.


Can the Muslim Brotherhood and Ptech Sabotage U.S. Electronic Defense Systems?

COMMENT: Two of the most neglected aspects of the investigation into the 9/11 attacks are the Ptech company/investigation and Operation Green Quest. In the person of Yaqub Mirza, the two overlap.

Now comes the disclosure that integrated circuits can be implanted with “kill switches” that could enable a malefactor to sabotage critical military and/or civilian operating systems.

How might the Ptech/Yaqub nexus described in the linked article above affect the possible implanting of such “kill switches” in computer chips?

The results might be devastating.

“Researcher to Feds: Beware of Secret ‘Kill Switches’ on Computer Chips” by Sarah Lai Stirland; Talking Points Memo; 5/25/2011.

EXCERPT: Federal authorities need to shift more of their attention to computer chips as a platform for a well-organized attack on the United States by would-be saboteurs, warns a well-respected professor in the field of integrated circuits.

Several administration officials are scheduled to testify in front of two House committees Wednesday as Capitol Hill works with them to enact landmark cybersecurity legislation by the end of the summer.

One little-discussed area that they all need to more thoroughly examine is the security measures that should be adopted against malicious hardware that can be secretly implanted in the integrated circuits that control much of the world around us today, John D. Villasenor, professor of electrical engineering at the University of California, told TPM.

“There are literally thousands of people engaged in addressing software security concerns, but there’s very little awareness of the enormous exposure we have with respect to hardware security,” he said. “Chips are in almost everything these days, and in the commercial sector very little effort is directed to making sure they are free of malicious circuitry.”

Chips can be a security risk because a saboteur can slip in one component of hardware into a design that could contain thousands. Modern computer chips can power anything from the flaps of airplanes to the entire electricity system itself.

Integrated circuits pose a particular risk because they have become so complex. They are sourced and put together by suppliers all around the globe, and so it’s difficult to control the process of creating every single part that goes into them.

Villasenor estimates that there are about 1,550 companies around the world involved in designing integrated circuits.

Saboteurs could implant parts that are triggered by certain events to freeze hardware, or they could build in ‘back doors’ that could perform secret actions on devices as it, or whatever system it’s part of, keeps running.

While it all might sound like something out of The Bourne Conspiracy, French chipmakers and defense contractors have apparently already built such capabilities, an industry source told engineering magazine IEEE in 2008.

The Defense Advanced Research Projects Agency has already embarked on a project to address the issue with chips powering military equipment. Villasenor said that perhaps industry could take a look to see if they could learn any lessons. . . .


Discussion

11 comments for “Can the Muslim Brotherhood and Ptech Sabotage U.S. Electronic Defense Systems?”

  1. DARPA just provided an answer to the question posed in the title of this post: Yes.

    http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity/

    Darpa Begs Hackers: Secure Our Networks, End ‘Season of Darkness’

    By Spencer Ackerman, 11/7/2011

    The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: could you help them out?

    Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks. The Pentagon can’t defend those networks on its own, the agency admitted.

    Because it’s the blue-sky research agency that helped create the internet, Darpa framed the problem as a deep, existential one, not a pedestrian question of insecure code. “It is the makings of novels and poetry from Dickens to Gibran that the best and the worst occupy the same time, that wisdom and foolishness appear in the same age, light and darkness in the same season,” mused Regina Dugan, Darpa’s director. She’s talking about the internet. “These are the timeless words of our existence. We know it is true of everything.”

    Put in a blunter way, U.S. networks are “as porous as a colander,” Richard Clarke, the former White House counterterrorism chief turned cybersecurity Cassandra, told a packed ballroom.

    “We are losing ground because we are inherently divergent from the threat,” conceded Dugan, swooping down from the stratosphere. Current network security is a numbers game: according to Darpa research, securing sensitive information on the military’s networks typically requires programs running 10 million lines of code. On average, the malicious code, viruses, bots, worms and exploits that try to penetrate those defenses rely on 9,000 lines of code. Eventually, simple beats over-engineered.

    Dugan didn’t go as far as Clarke did — she’s a senior Defense Department official, after all — but she implied that left to its own devices, the government’s network defenses will allow crucial data to increasingly sluice through, like water through Clarke’s colander. And it’s not just information leaking out: it’s the danger of a cyberattack crippling U.S. financial systems or the power grid, according to many at the colloquium. “We believe we need more and better options,” Dugan said.
    ....

    Posted by Pterrafractyl | November 7, 2011, 11:26 am
  2. Son of Stuxnet?

    US investigates cyber attack on Illinois water system
    State report says stolen credentials used by hacker who was traced to Russia

    By Jim Finkle
    Reuters
    updated 2 hours 21 minutes ago

    Federal investigators are looking into a report that hackers managed to remotely shut down a utility’s water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.

    The Nov. 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.

    The attackers obtained access to the water utility’s network with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.

    ...

    SCADA security
    Cyber security experts said that the reported attack highlights the risk that attackers can break into what is known as Supervisory Control and Data Acquisition (SCADA) systems. They are highly specialized computer systems that control critical infrastructure — from water treatment facilities, chemical plants and nuclear reactors to gas pipelines, dams and switches on train lines.

    The issue of securing SCADA systems from cyber attacks made international headlines last year after the mysterious Stuxnet virus attacked a centrifuge at a uranium enrichment facility in Iran. Many experts say that was a major setback for Iran’s nuclear weapons program and attribute the attack to the United States and Israel.

    In 2007, researchers at the U.S. government’s Idaho National Laboratories identified a vulnerability in the electric grid, demonstrating how much damage a cyber attack could inflict on a large diesel generator.

    ...

    “Many (SCADA systems) are old and vulnerable,” said Kass. “There are no financial incentives for the utility owners to replace and secure these systems and the costs would be high.”
    .....

    Umm, if there are “no financial incentives” for operators of critical infrastructure to secure their systems I think we need new operators.

    Posted by Pterrafractyl | November 18, 2011, 3:07 pm
  3. I’ve often wondered over the years why it isn’t considered a national security issue that the US’s tax policies actually incentivize manufacturers to move jobs offshore.

    Still wondering:

    VOA
    Fake Chinese Parts Widespread in US Military Equipment: Senate Report
    Posted Tuesday, May 22nd, 2012 at 3:35 am

    A U.S. Senate investigation has found that counterfeit Chinese electronic parts used in U.S. military equipment are compromising the safety of American troops and posing a national security risk.

    A year-long investigation by the Senate Armed Services Committee found over 1,800 cases of fake electronic components in everything from cargo aircraft to night vision goggles.

    The report released Monday said that more than 70 percent of an estimated one million suspect parts could be traced to China, which it says has failed to adequately police its counterfeit electronics market.

    ...

    Posted by Pterrafractyl | May 24, 2012, 10:07 pm
  4. Not surprising, but worth noting:

    Techworld
    Germany readying offensive cyberwarfare unit, parliament told
    Cyber-ops are go

    By John E Dunn | Techworld | Published: 12:45, 07 June 2012

    Germany has set up a cyber-warfare unit designed to carry out offensive operations, the country’s Defence Ministry has admitted for the first time in a parliamentary report to legislators.

    According to German reports, the Bonn-based Computer Network Operations (CNO) unit had existed since 2006 but was only now being readied for deployment under the control of the country’s military.

    “The initial capacity to operate in hostile networks has been achieved,” a German press agency reported the brief document as saying. The unit had already conducted closed lab simulations of cyber-attacks.

    Although the German admission is not a huge surprise — most countries are assumed to have cyber-offensive capabilities — the clear declaration that the CNO has an attack role has reportedly caused controversy among the country’s legislators.

    The ambiguities are legion. Does the military have the legal or constitutional authority to launch cyber-attacks against third parties without the approval of Parliament and if so under what circumstances?
    ...

    Posted by Pterrafractyl | June 12, 2012, 6:38 pm
  5. @Pterrafractyl–

    I wonder if they will start making noise in this direction?

    Dave Emory

    Posted by Dave Emory | June 13, 2012, 3:42 pm
  6. @Dave: Heh, well, I suppose the German military could send some “noise” towards this site pretty easily, along with at least half the other militaries of the world. Fortunately, I suspect some sort of attack would simply gather attention and act as a proxy-validation of the content on this site. Unfortunately, that same validation of this site’s content could have been achieved years ago by enough people reading the content on this site but that’s a seemingly insurmountable barrier (ahistorical historical eras tend to end unwell).

    On the plus side, at least we don’t have to be as immediately concerned about hacking as these folks:

    June 13, 2012 11:27 PM
    Report: Flight suits could make F-22 pilots sick

    (CBS News) Pilots flying the U.S. military’s most advanced fighter jet, the F-22 Raptor, had been getting sick at the controls, and much of the focus toward finding the cause has been on the plane itself.

    Now, however, Air Force investigators say the specialized flight suit pilots wear in the F-22 could be at least partially to blame for the oxygen deprivation experienced in flight.

    Officials tell CBS News correspondent David Martin that tests carried out in a flight-simulating centrifuge replicated hypoxia-like conditions for pilots wearing the suits. The link to the suits was first reported by CNN on Wednesday.

    As “60 Minutes” reported in May (video), the Raptor — the most expensive fighter ever — has been plagued by a mysterious flaw that causes its pilots to become disoriented while at the controls from a lack of oxygen.

    Pilots of the stealth fighter have complained that those oxygen-deficit problems have resulted in pilot dizziness, blackouts and other symptoms.

    Martin reported that, according to the Air Force, there have been 22 unexplained cases over the past four years in which pilots experienced symptoms of oxygen deprivation.

    The F-22 was grounded last year while engineers searched for something that could be contaminating the cockpit air, but the Air Force returned it to flight, sending the F-22s to the Persian Gulf, without finding the cause.

    Now, investigators are zeroing in on a part of the flight suit called the “Combat Edge,” which “hampers breathing and causes oxygen loss when combined with a physiological condition that collapses air sacs in the lungs,” CNN reports.

    The Air Force report is also expected to state that another possible problem for pilots is a condition called acceleration atelectasis, which causes a pilot’s lungs to not effectively deliver oxygen to the bloodstream. The extreme effects of g-forces along with the pure oxygen breathed by pilots could lead to the condition.

    ...

    Yes, the pilots of the most expensive fighter jet ever made are either suffering from atelectasis, a medical condition caused by breathing pure oxygen under extreme g-forces OR they’re suffering from asphyxiation, a medical condition caused by the “Combat Edge” g-suit not delivering enough oxygen during extreme aeronautic maneuvers. That sounds like an unpleasant situation all around.

    If the flight suit is the culprit, it sounds like it might be a software issue:

    FlightGlobal.com
    Combat Edge anti-g ensemble might be causing the Raptor’s woes

    By Dave Majumdar on June 6, 2012 12:41 AM

    The Combat Edge upper pressure-garment might be responsible for the Lockheed Martin F-22 Raptor’s oxygen woes.

    The US Air Force isn’t saying anything officially just yet though.

    The USAF still maintains it has two broad hypotheses as to the root cause of the Raptor’s oxygen woes. One theory is that there is a problem with the quality of the air reaching the pilot, which might include some sort of toxin or contaminant. “To date, we’ve seen no conclusive evidence of toxins in the analyses of life support system components, cockpit air samples, or pilots’ medical work-ups, although we have not definitively ruled out contamination as a possible factor,” the USAF says. That includes analysis of the contents of the C2A1 activated carbon filters when pilots were flying with those devices, the service adds.

    The second hypothesis is that the quantity of air reaching the pilot may not be the correct amount. Factors that might impact the right quantity of oxygen reaching the pilot include the demand for air versus the supply flowing through the life support system under operating conditions like high altitude and high-G force and other factors. This second hypothesis seems to be in line with what sources have disclosed to Flightglobal.

    But the USAF has not ruled out decompression sickness, which could be a factor at the altitudes and cabin pressures encountered by F-22 pilots.

    ...

    “Some of the symptoms pilots have reported are listed as symptoms of [decompression sickness], but they’re also non-specific symptoms of a number of other conditions or factors such as acceleration atelectasis or increased work of breathing that are as consistent or more consistent with what may be happening between pilots and their life support systems during incident sorties,” the USAF says. “We continue to look at a range of potential root causes, but that range continues to narrow.”

    That Combat Edge suit is probably the source of the problem, sources say. The USAF release alludes to that... The F-35’s suit might be a way of partially fixing the problem, but given the extreme altitudes and high g-forces Raptor pilots encounter at those cabin pressures, they may just need to take a day off after their flight. But there is another factor that plays into all this, and that is a newer model digital On-board Oxygen Generation System–but more on that later...

    On the plus side, the manufacturers of the “Combat Edge” g-suit, David Clark Company, are known for their noise-canceling headphones so noise is something they hopefully don’t have to worry about too much. In the age of outsourced national security and “WTF?!” reality, I guess beggars can’t be choosers.

    Posted by Pterrafractyl | June 14, 2012, 7:31 am
  7. Did script kiddies just target energy companies in Saudi Arabia?

    Shamoon Malware Targets Energy Firms, Possibly Saudis
    By: Robert Lemos
    2012-08-17

    The same day a Saudi oil company announces it’s been attacked, antivirus firms release an analysis of a program called Shamoon that is deleting corporate data at different energy firms.

    A limited number of energy companies have been targeted with a destructive virus—dubbed Shamoon—that spreads through shared network drives and deletes important data from computers.

    The virus, which some are calling Disstrack, has destroyed data belonging to at least one energy firm, according to an analysis published Aug. 16 by security firm Symantec. Reports of the program came a day after a major Saudi oil company, Saudi Aramco, announced that a virus had destroyed data in its network, but antivirus firms declined to comment on whether the firm was the source of their malware samples.

    The virus is likely the digital version of a clean-up crew for a separate attack, but its simplistic programming does not resemble previous programs aimed at governments in the region, such as Stuxnet, Duqu and Flame, said Liam O Murchu, manager of operations for Symantec’s security response group.

    “I think the fact that it appears to have been targeted is quite interesting,” he said, adding: “But it looks like something that is quite simple and quite quick to code, so it falls into a different category in my mind.”

    ...

    Shamoon may not be of the same ilk as previous attacks. While the malware resembles another destructive attack on Iranian government agencies that led to the discovery of the Flame espionage Trojan, there are significant technical differences between the two attacks, wrote an analyst with security software firm Kaspersky Lab.

    “It is more likely that this is a copycat, the work of script kiddies inspired by the story,” the analysis states. “Nowadays, destructive malware is rare; the main focus of cyber-criminals is financial profit. Cases like the one here do not appear very often.”

    ...

    “This is another strong case for saying that the companies which were targeted were those whose machines had important information on them and were not connected directly to the Internet,” said Raff.

    For the most part, other companies do not need to worry about Shamoon, as the attacks appear to be targeted at a very limited number of companies, according to the Kaspersky analysis.

    “So far, there are only two (other) reports, both from China, which appear to be security researchers,” according to Kaspersky. “So we can conclude that the malware is not widespread and it was probably only used in very focused targeted attacks.”

    While it’s possible that script kiddies were targeting machines with important info on Saudi Aramco’s networks, the just-discovered virus targeting financial institutions in Lebanon appears to have more than just script kiddies behind its development:

    The Atlantic
    Did the Bounds of Cyber War Just Expand to Banks and Neutral States?
    By Katherine Maher

    Aug 17 2012, 7:34 AM ET

    Last week the Russian security research group Kaspersky Labs announced they had found a new computer virus infecting thousands of computers in the Middle East. Called “Gauss,” after a filename found in its codebase, the malware can capture information about the infected computer, including Internet browsing histories, user login details, and system configuration details. The existence of Gauss suggests that countries may be using cyber warfare for more than just countering imminent threats, and that, with the rules of digital engagement so ambiguous, there’s little to restrain or guide cyberwar’s development.

    Kaspersky Labs was blunt: Gauss, it says, is likely a “nation-state sponsored banking Trojan” built by the same programmers behind Stuxnet and Flame, the recent, sophisticated digital pathogens often speculated as designed by the United States and Israel. However, unlike these viruses, which both targeted Iran, Gauss appears to have a very different target: the banking system of Lebanon.

    Gauss is the latest in a line of massive malware attacks, and much like its predecessors, it appears to be so complex and sophisticated that it’s assumed to have been built by a sovereign state. Gauss uses the same platform as Flame, a “cyber espionage” program that was found in a number of locations in Iran in early 2012 and was capable of comprehensive surveillance of infected computers. Flame itself bore a strong family resemblance to Stuxnet, a 2010 virus that targeted the Iranian nuclear research program.

    Like Flame, Gauss transmits detailed records of user activity back to its central command. Like Stuxnet, it carries a special encrypted “payload” that targets machines that carry specific system configurations. Stuxnet’s payload would identify and disable nuclear research systems, but the encryption for the Gauss payload has not yet been broken, and its purpose remains unknown.

    However, unlike Flame and Stuxnet, which targeted a rogue state’s government networks, Gauss goes after the commercial sector in a country that has normalized relations with the United States. Out of more than 2,500 identified instances of Gauss, nearly two-thirds have been found in Lebanon. And, unlike the broad spying capacity of Flame, Gauss seems designed for the narrow purpose of capturing transaction data from financial institutions and digital payment providers; specifically, Lebanese banks Fransabank, Bank of Beirut, BLOM, Credit Libanais, Byblos Bank, and EBLF, as well as siphoning data from PayPal and Citibank.

    Why Lebanon? Why banks? Stealing financial transaction data is traditionally the province of, say, shadowy underground criminal gangs. Lebanon is a small country better known for its vibrant nightlife and perpetual domestic volatility. Neither its banking sector nor the state itself are obvious targets for the U.S. or Israeli intelligence services, which, though they haven’t been connected to Gauss, are the only groups with both the know-how and, if they truly were behind Stuxnet and Flame, the track record.

    However, Lebanon’s size belies its importance as a regional entrepôt and banking haven; its cosmopolitan libertarianism, along with old-world discretion, have long made the country a popular choice for foreign depositors of all profiles and persuasions. Think of it as something like the Switzerland of the modern Middle East. More than 60 banks manage nearly $120 billion in private deposits in a country of 4.3 million people, and account for roughly 35 percent of the country’s economic activity.

    These are not mere corner retail banks serving up loans, mortgages, and checking accounts to Lebanese citizens. They are among the most private banks in the world, bound by genteel conventions of secrecy long since abandoned elsewhere. Since 1956, domestic and foreign banks operating in Lebanon have been legally required to protect the names and assets of their clients from all inquiring authorities.

    U.S. financial regulators, concerned with money laundering and terrorism financing, have long given special attention to the opacity and reach of the Lebanese banking system. A 2000 advisory by the U.S. Department of Treasury Financial Crimes Enforcement Network instructed all U.S. banks to “give enhanced scrutiny to all financial transactions originating in or routed to or through Lebanon.” In 2011, the Lebanese Canadian Bank was shuttered after the U.S. revealed that the Lebanese militant group Hezbollah was using the bank to launder money from cocaine profits, Mexican cartels, and African conflict diamonds. This year, the entire national banking system has come under scrutiny, accused of assisting members of the Syrian and Iranian regimes evade international sanctions and launder money that’s also being funneled to Syria’s ongoing conflict.

    The Kaspersky researchers think that Gauss first made its way onto Lebanese computers in late summer 2011, as violence worsened in Syria and Iranian nuclear talks stalled. Without the decrypted contents of the Gauss payload, it’s impossible to know the virus’ full capabilities, but it’s not difficult to conjecture a likely purpose. Gauss appears to be capable of tracing the flow of illicit funds through some of the region’s largest financial clearing houses, offering its designers unprecedented access to data on how money flows and between whom, on organizational networks, and on funding sources — a veritable intelligence bonanza for anyone who might have an interest in that sort of thing.

    ...

    Perhaps the most surprising part of this “Gauss” story is that a virus presumably developed by the US intelligence community would even bother trying to capture PayPal transactions for intelligence gathering purposes. I would have expected that info to be readily available to the spooks.

    Posted by Pterrafractyl | August 20, 2012, 12:13 pm
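The Shamoon write-up quoted in the comment above describes a wiper that spreads across shared network drives and deletes data. The first detection question for a defender is what that looks like in file-server audit logs: one account performing far more delete or overwrite operations in a short window than any person does, often across several servers. The script below is an added example, not code from the article, Symantec or Kaspersky; the audit-log format, account names, paths and thresholds are all constructed for illustration, and it assumes the log lines arrive in time order.

```python
"""Spot wiper-style bursts of destructive file operations on shared drives.

Added example for the Shamoon discussion above; not code from the article or
from any vendor. The audit-log format is constructed for illustration and is
not any real file server's format. Lines are assumed to be in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <account> <operation> <//server/share/path>"
# alice deletes six files, but minutes apart (ordinary cleanup); svc-legacy deletes
# or overwrites seven files on two servers within eight seconds (wiper-like).
SAMPLE_LOG = """\
2012-08-15T09:00:01 alice WRITE //fs01/finance/q3.xlsx
2012-08-15T09:00:05 bob READ //fs01/eng/spec.docx
2012-08-15T09:00:10 alice DELETE //fs01/finance/tmp1.xlsx
2012-08-15T09:03:00 alice DELETE //fs01/finance/tmp2.xlsx
2012-08-15T09:06:00 alice DELETE //fs01/finance/tmp3.xlsx
2012-08-15T09:09:00 alice DELETE //fs01/finance/tmp4.xlsx
2012-08-15T09:12:00 alice DELETE //fs01/finance/tmp5.xlsx
2012-08-15T09:15:00 alice DELETE //fs01/finance/tmp6.xlsx
2012-08-15T11:22:03 svc-legacy OVERWRITE //fs01/eng/spec.docx
2012-08-15T11:22:04 svc-legacy OVERWRITE //fs01/eng/design.vsd
2012-08-15T11:22:04 svc-legacy DELETE //fs01/eng/notes.txt
2012-08-15T11:22:06 svc-legacy OVERWRITE //fs01/hr/roster.xlsx
2012-08-15T11:22:07 svc-legacy DELETE //fs01/hr/roster.xlsx
2012-08-15T11:22:09 svc-legacy OVERWRITE //fs02/ops/runbook.pdf
2012-08-15T11:22:11 svc-legacy DELETE //fs02/ops/runbook.pdf
2012-08-15T11:22:30 bob WRITE //fs01/eng/spec.docx
"""

DESTRUCTIVE_OPS = {"DELETE", "OVERWRITE"}


def parse_line(line):
    """Split one constructed audit line into (timestamp, account, operation, path)."""
    ts, account, op, path = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), account, op, path


def server_of(path):
    """Server part of a //server/share/... path, to count how many servers a burst touched."""
    return path.lstrip("/").split("/", 1)[0]


def destructive_peaks(log_text, window_seconds=60):
    """For each account: the largest number of destructive ops inside any sliding
    window of window_seconds, plus the sorted set of servers it touched."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # account -> timestamps of destructive ops still in the window
    peaks = defaultdict(int)
    servers = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, op, path = parse_line(line)
        if op not in DESTRUCTIVE_OPS:
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:   # drop ops that have aged out of the window
            q.popleft()
        peaks[account] = max(peaks[account], len(q))
        servers[account].add(server_of(path))
    return dict(peaks), {a: sorted(s) for a, s in servers.items()}


def wiper_alerts(log_text, window_seconds=60, threshold=5):
    """Accounts whose destructive-op rate reached the threshold, with the servers they hit."""
    peaks, servers = destructive_peaks(log_text, window_seconds)
    return [
        {"account": a, "ops_in_window": n, "servers": servers[a]}
        for a, n in sorted(peaks.items())
        if n >= threshold
    ]


if __name__ == "__main__":
    for alert in wiper_alerts(SAMPLE_LOG):
        print(alert)
```

The window and threshold are the tuning knobs: with the defaults only the service account trips the rule, while widening the window to an hour also catches the slow cleanup, which is the false positive the sliding window exists to avoid. The server count is the second signal worth keeping, since a burst that crosses servers is what spreading over shared drives looks like from the file server's side.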
  8. Given that this latest Stuxnet-cousin, Gauss, may also contain a Stuxnet-like ability to remotely take control of industrial command and control systems, and given the massive RSA login-password data-breach from 2011, this should probably be looked into:

    Siemens works to fix vulnerability in critical control networks
    Remotely exploitable flaw could disrupt devices used by utilities, refineries, others

    By Jaikumar Vijayan
    August 22, 2012 05:34 PM ET

    Computerworld — Siemens is working on a fix for a remotely exploitable vulnerability in network routers and switches from subsidiary RuggedCom that are widely deployed in refineries, power substations and other critical infrastructure networks in the U.S.

    In a statement, Siemens said it was notified of the issue by the Department of Homeland Security’s Industrial Control Systems Computer Emergency Response Team (ICS-CERT) earlier this week. The vulnerability stems from a hard-coded RSA SSL private key in RuggedCom’s Rugged Operating System (ROS) that gives attackers a way to decrypt traffic between an end user and the router.

    According to ICS-CERT, the hard-coded key can be used by attackers to launch malicious communications against RuggedCom network devices.

    “Specialists from Siemens and RuggedCom are investigating this issue and will provide information updates as soon as they become available,” the company said, without specifying when that might happen. Siemens acquired RuggedCom earlier this year.

    ICS-CERT on Wednesday issued an alert warning operators of industrial control networks about the problem. The alert urged administrators to ensure that control system devices are not connected directly to the Internet and to make sure all control system networks and devices are behind firewalls.

    ...

    Dale Peterson, CEO of Digital Bond, a consulting firm specializing in control system security, said the flaw allows an attacker to access the login credentials to RuggedCom devices and to launch denial-of-service attacks against network devices running the vulnerable OS.

    Peterson described RuggedCom as the “Cisco” of the industrial control network space and said the company is the largest supplier of ruggedized network devices to industrial control systems owners in the U.S.

    The vulnerability described by Clarke is akin to flaws in older versions of Microsoft’s Remote Desktop Protocol clients and Terminal Servers. And just like Microsoft, it will likely take Siemens a while to address the issue, he said.

    By itself, the vulnerability is unlikely to greatly heighten risks for operators of industrial control networks, according to Peterson. That’s because an attacker would already need to have access to an ICS network to be able to exploit the vulnerability. “It’s pretty much game over if you already have someone on your network,” he said. “This [vulnerability] gives them just another thing they can do as an attacker.”

    Even so, flaws such as this highlight the fundamental security problems that exist in systems running critical infrastructure equipment and networks, he said.

    This is the second security vulnerability in RuggedCom’s products in just the past few months, Peterson noted. “They had a terrible response last time, so it will be interesting to see if they do better with this one,” he said. In addition to fixing the issue, RuggedCom also needs to offer an explanation to customers about how it plans on changing its software development and testing processes to ensure such problems don’t continue, he said.

    ...

    Posted by Pterrafractyl | August 23, 2012, 11:05 am
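The Computerworld piece quoted above describes two things an operator can check for without waiting on a vendor fix: a private key baked into firmware shows up as the same certificate on every device in the fleet, and the ICS-CERT mitigation is that no control-system device should be reachable from the Internet. The audit below is an added example and is not Siemens, RuggedCom or ICS-CERT code; the device inventory, management addresses and certificate bytes are constructed for illustration (the "cert" field stands in for the DER bytes a scanner would collect from each device's HTTPS management interface).

```python
"""Audit a fleet of control-network devices for the two conditions in the
RuggedCom/ICS-CERT discussion above: a certificate (and so a private key)
shared across devices, and management interfaces outside private address space.

Added example, not Siemens, RuggedCom or ICS-CERT code; the inventory and
certificate bytes are constructed for illustration.
"""
import hashlib
import ipaddress
from collections import defaultdict

# Constructed inventory. "cert" stands in for the DER bytes of the certificate
# each device presents on its HTTPS management interface; 203.0.113.40 is a
# documentation address standing in for a publicly routable one.
INVENTORY = [
    {"device": "substation-01-sw", "mgmt_ip": "10.20.1.5",    "cert": b"constructed-cert-A"},
    {"device": "substation-02-sw", "mgmt_ip": "10.20.2.5",    "cert": b"constructed-cert-A"},
    {"device": "refinery-rtr",     "mgmt_ip": "203.0.113.40", "cert": b"constructed-cert-A"},
    {"device": "pumpstation-sw",   "mgmt_ip": "10.30.1.9",    "cert": b"constructed-cert-B"},
    {"device": "hq-lab-sw",        "mgmt_ip": "192.168.50.2", "cert": b"constructed-cert-C"},
]

# RFC 1918 ranges; a management address outside them is treated as Internet-reachable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fingerprint(cert_bytes):
    """SHA-256 over the certificate bytes, the value a fleet scanner records per device."""
    return hashlib.sha256(cert_bytes).hexdigest()


def shared_certificates(inventory):
    """Fingerprints presented by two or more devices, mapped to those devices.
    A certificate seen on many devices means they share one private key, which
    is exactly what a key baked into firmware produces: whoever extracts it from
    one unit can decrypt or impersonate management sessions on all of them."""
    by_fp = defaultdict(list)
    for dev in inventory:
        by_fp[fingerprint(dev["cert"])].append(dev["device"])
    return {fp: devs for fp, devs in by_fp.items() if len(devs) > 1}


def internet_exposed(inventory):
    """Devices whose management address lies outside RFC 1918 space."""
    exposed = []
    for dev in inventory:
        addr = ipaddress.ip_address(dev["mgmt_ip"])
        if not any(addr in net for net in RFC1918):
            exposed.append(dev["device"])
    return exposed


def audit(inventory):
    """Findings in priority order: devices that both share a key and are exposed
    (the attacker needs no prior network foothold), then shared-key groups,
    then exposed devices."""
    shared = shared_certificates(inventory)
    exposed = internet_exposed(inventory)
    sharing = {d for devs in shared.values() for d in devs}
    findings = []
    for d in exposed:
        if d in sharing:
            findings.append({"kind": "shared_key_and_exposed", "devices": [d]})
    for fp, devs in shared.items():
        findings.append({"kind": "shared_private_key", "fingerprint": fp[:16], "devices": devs})
    for d in exposed:
        findings.append({"kind": "internet_exposed_management", "devices": [d]})
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding)
```

The ordering encodes Peterson's point from the article: a shared key alone needs an attacker who is already on the control network, so the exposed device that also shares the fleet key is the one to firewall first. On real devices the fingerprint comes from the certificate actually served on the management port, so the same check also catches a "fixed" firmware that still ships the old key.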
  9. And here we have another surprising development coming out of the Middle East: A group calling itself “Izz ad-Din al-Quassam Cyber Fighters” just unleashed an unusually powerful series of denial-of-service attacks on major US banks:

    Bloomberg
    Cyber Attacks on U.S. Banks Expose Computer Vulnerability
    By Chris Strohm and Eric Engleman on September 27, 2012

    Cyber attacks on the biggest U.S. banks, including JPMorgan Chase & Co. (JPM) and Wells Fargo & Co., have breached some of the nation’s most advanced computer defenses and exposed the vulnerability of its infrastructure, said cybersecurity specialists tracking the assaults.

    The attack, which a U.S. official yesterday said was waged by a still-unidentified group outside the country, flooded bank websites with traffic, rendering them unavailable to consumers and disrupting transactions for hours at a time.

    Such a sustained network attack ranks among the worst-case scenarios envisioned by the National Security Agency, according to the U.S. official, who asked not to be identified because he isn’t authorized to speak publicly. The extent of the damage may not be known for weeks or months, said the official, who has access to classified information.

    “The nature of this attack is sophisticated enough or large enough that even the largest of the financial institutions would find it difficult to defend against,” Rodney Joffe, senior vice president at Sterling, Virginia-based security firm Neustar Inc. (NSR), said in a phone interview.

    While the group is using a method known as distributed denial-of-service, or DDoS, to overwhelm financial-industry websites with traffic from hijacked computers, the attacks have taken control of commercial servers that have much more power, according to the specialists.

    “The notable thing is the volume and the scale of the traffic that’s been directed at these sites, and that’s very rare,” Dmitri Alperovitch, co-founder and chief technology officer of Palo Alto, California-based security firm CrowdStrike Inc. (0192981D), said in a phone interview.

    White House

    The assault, which escalated this week, was the subject of closed-door White House meetings in the past few days, according to a private-security specialist who asked not to be identified because he’s helping to trace the attacks.

    President Barack Obama’s administration is circulating a draft executive order that would create a program to shield vital computer networks from cyber attacks, two former U.S. officials with knowledge of the effort said earlier this month.

    The U.S. Senate last month failed to advance comprehensive cybersecurity legislation and the administration is contemplating using the executive order because it’s not certain that Congress can pass a cybersecurity bill, the officials said.

    ...

    Responsibility Claim

    A group calling itself Izz ad-Din al-Quassam Cyber Fighters claimed responsibility for the assault in a statement posted to the website pastebin.com, saying it was in response to a video uploaded to Google Inc.’s YouTube, depicting the Prophet Muhammad in ways that offended some Muslims.

    The initial planning for the assault pre-dated the video controversy, making it less likely that it inspired the attacks, according to Alperovitch and Joffe, both of whom have been tracking the incidents. A significant amount of planning and preparation went into the attacks, they said.

    “The ground work was done to infect systems and produce an infrastructure capable of launching an attack when it was needed,” Joffe said.

    Jenny Shearer, a spokeswoman for the Federal Bureau of Investigation, and Peter Boogaard at the U.S. Department of Homeland Security, declined to comment.

    Premature Attribution

    Senator Joe Lieberman, a Connecticut independent who heads the Senate Homeland Security and Governmental Affairs Committee, said last week he thought Iran was behind the attacks.

    Alperovitch and Joffe said that while they think one group is behind the attacks, they didn’t have enough information to prove or disprove Lieberman’s assertion that Iran is responsible. The U.S. official with access to classified information said it’s premature to attribute the attacks to Iran’s government.

    The attacks flooded the bank websites with 10 to 20 times more Internet traffic than the typical denial-of-service attack, Alperovitch said. He said that no data were stolen and no networks infiltrated by hackers.

    ...

    Bad Timing

    “If banking infrastructure was affected in this way for an extended period of time, the natural outcome of that is a loss of faith,” he said. “If you can’t get to your banking site for three or four hours on a day when you have to do things, you start thinking about what are my alternatives because this might happen again.”

    The banking industry worries about an organization with more resources launching attacks, said Ed Powers, head of security and private issues for U.S. financial firms at Deloitte & Touche LLP.

    “This is coming toward the end of the month; it’s badly timed,” Joffe said. “People have to pay bills today and tomorrow.”

    ...

    So we can add one more item to the list of recent surprising developments in the Middle East while claiming the pathetic Islam-bashing film as the inspiration for the attacks when it’s clear that the attacks were planned in advance of the film’s release:

    Hackers May Have Had Help With Attacks on U.S. Banks, Researchers Say
    By NICOLE PERLROTH
    September 27, 2012, 5:25 pm

    The hackers claiming responsibility for cyberattacks on American banks over the past week must have had substantial help to disrupt and take down major banking sites, security researchers say.

    Bank of America, JPMorgan Chase, Citigroup, U.S. Bancorp, Wells Fargo and PNC all experienced disruptions and delays on their banking sites over the past week because of denial of service or DDoS attacks, in which hackers clog a Web site with data requests until it slows or collapses under the load.

    A hacker group, which calls itself the Izz ad-Din al-Qassam Cyber Fighters, took credit for the attacks in online posts. They enlisted volunteers for the attacks with messages on various sites. On one blog, they called on volunteers to visit two Web addresses that would cause their computers to instantly start flooding targets — including the New York Stock Exchange, Nasdaq and Bank of America — with hundreds of data requests each second. This week, hackers asked volunteers to attack banks according to a defined timetable: Wells Fargo on Tuesday, U.S. Bancorp on Wednesday and PNC on Thursday.

    Representatives for Wells Fargo, U.S. Bank and PNC all confirmed Wednesday that their Web sites had experienced disruptions because of unexpected volumes of traffic. Both the New York Stock Exchange and Nasdaq saw a slowdown, but no serious disruption, on their Web sites.

    Security researchers say the attack methods being peddled by hackers — the custom-built Web sites — were too basic to have generated the disruptions.

    “The number of users you need to break those targets is very high,” said Jaime Blasco, a security researcher at AlienVault who has been investigating the attacks. “They must have had help from other sources.”

    Those additional sources, Mr. Blasco said, would have to be a well-resourced group, like a nation state, or botnets — networks of infected zombie computers that do the bidding of cybercriminals. Botnets can be rented via black market schemes that are common in the Internet underground, or loaned out by cybercriminals or governments.

    Last week, Senator Joseph I. Lieberman, chairman of the Senate Homeland Security Committee, said in an interview that he believed the attacks on the banks were being sponsored by Iran’s government.

    Mr. Blasco said security researchers had noticed an increase in the use of botnets out of Iran recently. But he said he had not been able to track the origin of the attack to Iran. Attacks can be routed through various I.P. addresses to mask their true origin, making attribution “nearly impossible,” Mr. Blasco said.

    In the hackers’ post, they said their attacks were not sponsored by Iran, and said they “strongly reject the American officials’ insidious attempts to deceive public opinion.”

    ...

    Regarding the allegations that Iran is behind the attack, it may be the case that Ahmadinejad and much of Iran’s leadership are pathetic lunatics that are ensuring the destruction of their nation’s future through ass-backwards mismanagement (sometimes in ironic ways). But it’s still kind of difficult to see what, if anything, the Iranian government would gain from a cyber attack that would probably just end up helping the candidate that’s promising unilateral military action against Iran if elected.

    Posted by Pterrafractyl | September 27, 2012, 10:00 pm
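The Bloomberg and Times pieces quoted in the comment above describe the attack almost entirely in terms of volume: 10 to 20 times the traffic of a typical denial-of-service attack, spread across many hijacked machines. What follows is an added example, not code from either article or from the commenter, of how that looks from the defender's side: a Python script that buckets constructed web-server access-log lines per second, learns a baseline request rate from the first few seconds, and flags any second whose request count is at least ten times that baseline, reporting how many distinct sources made up the flood. The log lines, addresses and rates are all constructed; the warm-up-window baseline and the 10x factor are the assumptions.

```python
"""Rate-based detection of a volumetric HTTP flood over constructed access-log lines.

Added example; not code from the articles quoted above. Log lines, addresses
and rates are constructed; the 10x factor follows the quoted figure.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log style line: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log():
    """Constructed traffic: 5 s of normal load, then 3 s of a distributed flood."""
    t0 = datetime(2012, 9, 26, 14, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(5):                      # normal: 3 req/s from 3 clients
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        for i in range(3):
            lines.append(f'10.0.0.{i + 1} - - [{ts}] "GET /login HTTP/1.1" 200 512')
    for sec in range(5, 8):                   # flood: 40 sources, 1 req/s each
        ts = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        for i in range(40):
            lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET / HTTP/1.1" 503 0')
    lines.append("truncated line that does not parse")  # exercises the skip path
    return lines


def per_second(lines):
    """Bucket well-formed lines into {second: Counter(ip -> requests)}; skip the rest."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sec = datetime.strptime(m.group("ts"), TS_FMT).replace(microsecond=0)
        buckets[sec][m.group("ip")] += 1
    return buckets


def baseline_rps(buckets, warmup_seconds):
    """Median requests/second over the first warmup_seconds buckets (learning window)."""
    secs = sorted(buckets)[:warmup_seconds]
    return statistics.median(sum(buckets[s].values()) for s in secs)


def flood_windows(buckets, baseline, factor=10):
    """Seconds whose request count is at least factor x baseline.

    Each hit also reports how many distinct sources took part and the busiest
    single source: a distributed flood shows many sources each sending little,
    which is why per-IP rate limiting on its own does not catch it.
    """
    hits = []
    for sec in sorted(buckets):
        total = sum(buckets[sec].values())
        if total >= factor * baseline:
            hits.append({
                "second": sec.isoformat(),
                "requests": total,
                "distinct_sources": len(buckets[sec]),
                "max_per_source": max(buckets[sec].values()),
            })
    return hits


def detect(lines, warmup_seconds=5, factor=10):
    """Learn a baseline from the warm-up window, then flag flood seconds."""
    buckets = per_second(lines)
    base = baseline_rps(buckets, warmup_seconds)
    return base, flood_windows(buckets, base, factor)


if __name__ == "__main__":
    base, hits = detect(build_sample_log())
    print(f"baseline {base:g} req/s, {len(hits)} flood second(s)")
    for h in hits:
        print(h)
```

On the constructed input every flagged second shows 40 requests from 40 distinct sources with at most one request each, which is the signature that makes a per-client rate limit useless here and pushes the defence upstream (scrubbing, anycast, upstream filtering). In real use the baseline should be learned from a known-quiet period rather than the first few seconds of whatever file is at hand.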
  10. While it’s laughable to think that the Russian government just found out about security risks in electronic hardware from Snowden, it’s going to be interesting to see if any serious policy shifts emerge from this proposal. You also have to wonder how this could impact Russia’s arms export industry:

    Russia should use own electronics in defense industry: deputy PM

    By Alexei Anishchuk

    NOVO-OGARYOVO, Russia | Mon Jul 29, 2013 1:12pm EDT

    (Reuters) — Russia’s defense industry is cutting down on its use of foreign electronics as a result of leaks by ex-U.S. spy agency contractor Edward Snowden, a Russian government official said on Monday.

    Snowden’s actions in divulging details of U.S. government intelligence programs had shown the need for arms makers to be careful in importing any equipment that contained software capable of transmitting sensitive data abroad, Deputy Prime Minister Dmitry Rogozin said.

    Rogozin specifically referred to foreign-made lathes.

    “Those lathes contain software which can have certain settings. They could either shut down at some point or transmit certain data about the engineering parameters of an assignment (in progress),” Rogozin, who oversees the defense industry, told reporters after a meeting on arms contracts chaired by President Vladimir Putin.

    Russian officials have denied that Snowden has been debriefed by Russian security services.

    “If we talk about electronic components used widely in the navy, air force and armored vehicles, not to mention space ... here we will also stick to the necessity of key electronic components being produced in Russia,” Rogozin, Russia’s former ambassador to NATO, said.

    The Russian defense industry has been crippled by underfinancing after the fall of the Soviet Union and domestic electronic engineering has largely fallen behind, forcing producers to rely on foreign-made electronics.

    Kremlin-backed project Glonass, its answer to the U.S. Global Positioning System (GPS) system, has been marred by several botched launches which experts inside Russia have blamed on faulty foreign-made microchips.

    ...

    Posted by Pterrafractyl | July 29, 2013, 11:15 am
  11. The US Senate just voted 56–44 to proceed with the second impeachment trial of Donald Trump, with just six Republicans joining 50 Democrats in supporting the validity of the impeachment process. Considering that this is an impeachment trial over Trump’s instigation of a violent insurrection and the storming of the Capitol, it’s probably not an exaggeration to say that the US is currently under a level of risk of domestic terrorism with few historical precedents. There’s an actual rogue president trying to stoke a ‘leaderless resistance’-style reaction to his loss and the vast majority of the Republican Party is fully behind him.

    So with that elevated risk of domestic terror in mind, there’s a new story that raises the chilling question: did the US just dodge a Super Bowl terror attack? That’s the question raised by new reports of a hacking attempt against the critical infrastructure in the town of Oldsmar, Florida, which is just 12 miles away from the Super Bowl held in Tampa over the weekend. The hacker broke into the city’s water supply on Friday and changed the chemical levels, causing a 100-fold spike in the levels of sodium hydroxide. This is the equivalent of spiking the water supply with lye.

    We’re told that there were minimal risks of this attack succeeding due to pH monitors that would have detected this change before it made it into households. In addition, the Oldsmar water supply is based on well water and is separate from surrounding water systems. So at least that would have likely reduced the impact on Super Bowl tourists. But we’re also told that it would have taken a day or two for the changes in pH to make it into the water supply. And since this hack took place on Friday, two days before the Super Bowl, that would have timed the impact of this to coincide with the flood of people traveling to that area over the weekend.

    The hack was witnessed in real-time by a city employee who watched as their mouse seemed to move under someone else’s control. The same hacker took control of the mouse earlier in the day, but the employee assumed at the time it was one of the other employees using software to remotely access that computer. During the first hacking incident, the mouse was just moved around a little bit. But during the second attack, they took control and immediately proceeded to change the sodium hydroxide levels, so it was a very deliberate action.

    Adding to the disturbing nature of this story is how typical it sounds like this type of hack actually is. According to experts, remote access hacks like this happen all the time on all critical infrastructure that’s connected to the internet. The primary thing defending the public against these attacks is the sophistication of the industrial control systems the hackers gained access to. In other words, it’s easy to hack into these systems but the controls are still so bewildering that you won’t know how to actually modify the systems in a way to cause damage. That’s the US’s prime infrastructure defense today. It’s not exactly a reassuring defense.

    Finally, note that we are told investigators have no idea where the Oldsmar hack originated from. They don’t know if it was a foreign or domestic hack. And that’s why it’s going to be important to keep in mind that if we do end up dealing with a violent Trumpian insurgency in the US and a campaign of domestic terror attacks, they aren’t necessarily going to want to advertise those attacks as coming from Trump sympathizers, especially if the purpose is to generically destabilize the Biden administration. And that makes false flag hacks a highly tempting form of terror attack in this situation. So don’t be too surprised if any upcoming waves of infrastructure attacks end up being filled with ‘clues’ of a foreign origin.

    Ok, here’s an NPR piece on that hack that points out one of the most disturbing aspects of this story: it happened 12 miles out from Tampa and, given the 1–2 day delay in the impact on water quality, was seemingly timed to hit right before the Super Bowl:

    National Public Radio

    FBI Called In After Hacker Tries To Poison Tampa-Area City’s Water With Lye

    Bill Chappell
    February 9, 2021 11:10 AM ET

    It started with a cursor moving on its own, sliding across a computer screen at the water treatment plant in Oldsmar, Fla. Someone had taken remote control of a plant operator’s machine – and in just a few minutes, they increased the level of sodium hydroxide in the city’s drinking water by a factor of 100. After spiking the caustic substance to unsafe levels, the hacker immediately left the system.

    The plant operator quickly reset the sodium hydroxide level back to normal parameters before the rogue action posed a threat to the water supply, officials say. But the incident, which took place Friday, is now being investigated by local authorities as well as the FBI and Secret Service, according to Pinellas County Sheriff Bob Gualtieri.

    “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,” Gualtieri said on Monday, during a briefing about the attack. “This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water.”

    At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack.

    “It is what it is,” he replied. “Someone hacked into the system, not just once but twice,” to take control of the system and change the water chemistry to unsafe levels.

    If the person who conducted the hack is identified, Gualtieri said, they would likely face state felony charges, with the potential for federal charges depending on the circumstances, such as the place where the hack originated.

    Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. Oldsmar draws its water from wells; its system is separate from other nearby communities, the officials said.

    The intruder broke into the system at least twice on Friday, taking control of a plant operator’s computer through the same methods a supervisor or specialist might use. The hack didn’t initially set off red flags, because remote access is sometimes used to monitor the system or trouble-shoot problems, Gualtieri said.

    The first intrusion was fleeting and didn’t cause concern. But hours later, the hacker returned. And as the operator looked on, the sodium hydroxide settings were moved to dangerous territory. After resetting the system to normal levels, the operator raised the alarm. The sheriff was called; soon, federal investigators were also involved.

    “Obviously, these investigations are very complicated right now,” Gualtieri said. “We do not have a suspect identified, but we do have leads that we’re following. We don’t know right now whether the breach originated from within the United States or outside the country.”

    The FBI’s field office in Tampa confirms that its agents are working with the city and the sheriff’s office to find the person responsible.

    The hack was clearly the act of someone trying to harm others, the sheriff said. But he and officials in Oldsmar also stressed that while the hack was a serious intrusion, public health was never at risk. In addition to the plant operator’s vigilance, they said, the water system has sensors that would have raised the alarm if pH levels suddenly skyrocketed. And it would have taken more than a day for the water to reach any customers, they added.

    “We have pH alarms throughout the system,” City Manager Al Braithwaite said. “So obviously if you change the alkalinity level, the pH changes. That would have been an alarm throughout the entire system. So, even if we hadn’t noticed it right away, it would have alarmed to all our people to notice it quickly.”

    The remote-access program that allowed the change to be made is now disabled, Braithwaite said, and the city is making further upgrades to its systems. And he said the attack on Oldsmar’s infrastructure didn’t come as a complete surprise. “We talk about it, we think about it, we study it,” he said.

    ...

    ———–

    “FBI Called In After Hacker Tries To Poison Tampa-Area City’s Water With Lye” by Bill Chappell; National Public Radio; 02/09/2021

    “Oldsmar is a small city northwest of Tampa, roughly 12 miles away from Raymond James Stadium, which hosted the Super Bowl two days after the hacking attack. Oldsmar draws its water from wells; its system is separate from other nearby communities, the officials said.”

    It’s not hard to imagine the kind of disaster this could have created, even with Oldsmar’s water system being separate from nearby communities. Thousands of people just miles from the Super Bowl would have suddenly experienced a form of biochemical terrorism. The hack would take 1–2 days to take effect and was executed 2 days before the Super Bowl. That’s unlikely to be a coincidence:

    ...
    “The hacker changed the sodium hydroxide from about 100 parts per million to 11,100 parts per million,” Gualtieri said on Monday, during a briefing about the attack. “This is obviously a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners. It’s also used to control water acidity and remove metals from drinking water.”

    At one point in the briefing, Gualtieri was asked if he would call the incident an attempted bioterrorism attack.

    “It is what it is,” he replied. “Someone hacked into the system, not just once but twice,” to take control of the system and change the water chemistry to unsafe levels.

    ...

    The hack was clearly the act of someone trying to harm others, the sheriff said. But he and officials in Oldsmar also stressed that while the hack was a serious intrusion, public health was never at risk. In addition to the plant operator’s vigilance, they said, the water system has sensors that would have raised the alarm if pH levels suddenly skyrocketed. And it would have taken more than a day for the water to reach any customers, they added.
    ...

    And now here’s a Wired piece that manages to make this story even more disturbing by pointing out how common it actually is. The oddity in this story isn’t that a piece of critical infrastructure was hacked. That’s apparently happening all the time all over. No, what’s weird is that the hacker did something that could have actually triggered a disaster:

    Wired
    Security

    A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say
    The attacker upped sodium hydroxide levels in the Oldsmar, Florida, water supply to extremely dangerous levels.

    Andy Greenberg
    02.08.2021 06:54 PM

    Around 8 am on Friday morning, an employee of a water treatment plant in the 15,000-person city of Oldsmar, Florida, noticed that his mouse cursor was moving strangely on his computer screen, out of his control, as local police would later tell it. Initially, he wasn’t concerned; the plant used the remote-access software TeamViewer to allow staff to share screens and troubleshoot IT issues, and his boss often connected to his computer to monitor the facility’s systems.

    But a few hours later, police say, the plant operator noticed his mouse moving out of his control again. This time there would be no illusion of benign monitoring from a supervisor or IT person. The cursor began clicking through the water treatment plant’s controls. Within seconds, the intruder was attempting to change the water supply’s levels of sodium hydroxide, also known as lye or caustic soda, moving the setting from 100 parts per million to 11,100 parts per million. In low concentrations the corrosive chemical regulates the pH level of potable water. At high levels, it severely damages any human tissue it touches.

    According to city officials, the operator quickly spotted the intrusion and returned the sodium hydroxide to normal levels. Even if he hadn’t, the poisoned water would have taken 24 to 36 hours to reach the city’s population, and automated pH testing safeguards would have triggered an alarm and caught the change before anyone was harmed, they say.

    But if the events described by local officials are confirmed—they have yet to be corroborated firsthand by external security auditors—they may well represent a rare publicly reported cyberintrusion aimed at actively sabotaging the systems that control a US city’s critical infrastructure. “This is dangerous stuff,” said Bob Gualtieri, the sheriff of Pinellas County, Florida, of which Oldsmar is a part, in a press conference Monday afternoon. “This is somebody that is trying, it appears on the surface, to do something bad.”

    In a follow-up call with WIRED, Gualtieri said that the hacker appears to have compromised the water treatment plant’s TeamViewer software to gain remote access to the target computer, and that network logs confirm the operator’s mouse takeover story. But the sheriff had little else to share about how the hacker accessed TeamViewer or gained initial access to the plant’s IT network. He also provided no details as to how the intruder broke into the so-called operational technology network that controls physical equipment in industrial control systems and is typically segregated from the internet-connected IT network.

    Gualtieri said the city’s own forensic investigators, as well as the FBI and Secret Service, are seeking those answers. “That’s the million-dollar question, and it’s a point of concern, because we don’t know where the hole is and how sophisticated these people are,” Gualtieri said. “Did this come from down the street or outside the country? No idea.”

    Security professionals have long advised not only segregating IT and OT networks for maximal security but also limiting or ideally eliminating all connections from operational technology systems to the internet. But Gualtieri conceded that the plant’s OT systems were externally accessible, and that all evidence points to the attacker accessing them from the internet. “There is merit to the point that critical infrastructure components shouldn’t be connected,” Gualtieri said. “If you’re connected, you’re vulnerable.”

    Gualtieri said that the water treatment facility had uninstalled TeamViewer since the attack, but he couldn’t otherwise comment on what other security measures the plant was taking to remove the intruder’s access or prevent another breach. He added that officials have warned all government organizations in the wider Tampa Bay area to review their security protocols and make updates to protect themselves. “We want to make sure that everyone realizes these kind of bad actors are out there. It’s happening,” Oldsmar mayor Eric Seidel said in a press conference. “So really take a hard look at what you have in place.”

    As unprecedented as Oldsmar’s public announcement of a cybersabotage attempt on its water systems may be, the attack it describes is hardly unique, says Lesley Carhart, a principal threat analyst at industrial control system security firm Dragos. She says she’s seen incidents firsthand in which even unsophisticated hackers access software applications that offer control of physical equipment—such as the TeamViewer remote access tool reportedly used in Oldsmar or the human-machine interfaces (HMIs) that directly control equipment—and start messing with them. Thousands of such systems are discoverable over the internet with search tools like Shodan, she points out. It’s often only the complexity and safeguards in industrial control systems that prevent hacker meddling from having serious consequences.

    “Do I think that on a regular basis people are logging in to HMI systems and hitting buttons? Absolutely,” says Carhart. “Do those things have a measurable impact on the real world? Very rarely.”

    Carhart points to a comparable incident—albeit one carried out by an insider rather than an external attacker—when a disgruntled IT consultant for a sewage treatment plant in the Australian shire of Maroochy used his remote access to dump millions of gallons of raw sewage into local parks and rivers. On the other end of the sophistication spectrum, the Russian hacker group known as Sandworm in December 2015 hijacked a remote-access software similar to the TeamViewer program used in Oldsmar to open circuit breakers in Ukrainian electric utilities, turning off the power to a quarter-million civilians. And there’s an even more direct precedent: In 2016, Verizon Security Solutions reported that hackers broke into an unidentified water utility and changed the chemical levels.

    Water treatment and sewage plants, Carhart says, are often some of the most digitally vulnerable critical infrastructure targets in the United States, made more so by the budget cuts and remote work scenarios imposed by the Covid-19 pandemic. She says she has dealt with entire cities whose municipal water treatment plant has only a single IT person.

    ...

    ———–

    “A Hacker Tried to Poison a Florida City’s Water Supply, Officials Say” by Andy Greenberg; Wired; 02/08/2021

    “Gual­teri said the city’s own foren­sic inves­ti­ga­tors, as well as the FBI and Secret Ser­vice, are seek­ing those answers. “That’s the mil­lion-dol­lar ques­tion, and it’s a point of con­cern, because we don’t know where the hole is and how sophis­ti­cat­ed these peo­ple are,” Gual­teri said. “Did this come from down the street or out­side the coun­try? No idea.”

    Where did this hack come from? Did it orig­i­nate from inside the US or out­side? Inves­ti­ga­tors have no idea. And, of course, if these hack­ers are rea­son­ably com­pe­tent it’s pos­si­ble the inves­ti­ga­tors will nev­er have any idea of where the hack ulti­mate­ly orig­i­nat­ed from. It’s a form of attack that, if exe­cut­ed cor­rect­ed, can leave the attack with a very low risk of being caught. Which is all the more rea­sons why it’s utter­ly insane that that the oper­a­tional tech­nol­o­gy that con­trols this crit­i­cal infra­struc­ture is acces­si­ble over the inter­net:

    ...
    In a fol­low-up call with WIRED, Gualtieri said that the hack­er appears to have com­pro­mised the water treat­ment plan­t’s TeamView­er soft­ware to gain remote access to the tar­get com­put­er, and that net­work logs con­firm the oper­a­tor’s mouse takeover sto­ry. But the sher­iff had lit­tle else to share about how the hack­er accessed TeamView­er or gained ini­tial access to the plan­t’s IT net­work. He also pro­vid­ed no details as to how the intrud­er broke into the so-called oper­a­tional tech­nol­o­gy net­work that con­trols phys­i­cal equip­ment in indus­tri­al con­trol sys­tems and is typ­i­cal­ly seg­re­gat­ed from the inter­net-con­nect­ed IT net­work.

    ...

    Secu­ri­ty pro­fes­sion­als have long advised not only seg­re­gat­ing IT and OT net­works for max­i­mal secu­ri­ty but also lim­it­ing or ide­al­ly elim­i­nat­ing all con­nec­tions from oper­a­tional tech­nol­o­gy sys­tems to the inter­net. But Gual­teri con­ced­ed that the plan­t’s OT sys­tems were exter­nal­ly acces­si­ble, and that all evi­dence points to the attack­er access­ing them from the inter­net. “There is mer­it to the point that crit­i­cal infra­struc­ture com­po­nents shouldn’t be con­nect­ed,” Gual­teri said. “If you’re con­nect­ed, you’re vul­ner­a­ble.”
    ...

    But despite these obvious risks, plenty of critical infrastructure remains connected to the internet, leaving the sheer complexity of the operational control systems as the primary line of defense against these forms of attack:

    ...
    As unprecedented as Oldsmar’s public announcement of a cybersabotage attempt on its water systems may be, the attack it describes is hardly unique, says Lesley Carhart, a principal threat analyst at industrial control system security firm Dragos. She says she’s seen incidents firsthand in which even unsophisticated hackers access software applications that offer control of physical equipment—such as the TeamViewer remote access tool reportedly used in Oldsmar or the human-machine interfaces (HMIs) that directly control equipment—and start messing with them. Thousands of such systems are discoverable over the internet with search tools like Shodan, she points out. It’s often only the complexity and safeguards in industrial control systems that prevent hacker meddling from having serious consequences.

    “Do I think that on a regular basis people are logging in to HMI systems and hitting buttons? Absolutely,” says Carhart. “Do those things have a measurable impact on the real world? Very rarely.”
    ...

    Also keep in mind that, while the complexity of these control systems might thwart random hackers who know nothing about these systems, that’s not necessarily going to be the case when dealing with insider attacks. Don’t forget what we just read about what the Oldsmar employee witnessed as this hack unfolded: the second time this hacker logged into the Oldsmar system, they almost immediately proceeded to cause the 100-fold jump in the sodium hydroxide levels. That sounds like someone who knew their way around this control system. And if we’re going to be dealing with a MAGA insurgency for years to come, we have to assume those insurgents will include a lot of insiders with detailed knowledge of how these systems work and, more important, how they can be strategically broken.

    Posted by Pterrafractyl | February 9, 2021, 5:17 pm
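The "safeguards in industrial control systems" that the comment above quotes Carhart on can be made explicit in the control logic rather than left to complexity. The following is an added example, not code from the article, the commenter or any real water utility: a setpoint guard that refuses writes from remote-access sessions, enforces engineering limits, and rate-limits the step between consecutive setpoints, replayed over a constructed command log that includes a 100-fold jump like the one described. The tag name, limits, step factor and session labels are hypothetical.

```python
"""Setpoint plausibility guard for a dosing HMI (added example, not from the article).

Hypothetical configuration: the tag name, engineering limits, step factor and
session labels below are constructed for illustration, not Oldsmar's real values.
"""
from dataclasses import dataclass, field


@dataclass
class SetpointGuard:
    tag: str
    low: float                  # hard engineering limits for the setpoint (low > 0 here)
    high: float
    max_step_factor: float      # largest permitted ratio between consecutive setpoints
    current: float
    allow_remote: bool = False  # writes from remote-access sessions are refused by default
    rejected: list = field(default_factory=list)

    def request(self, new_value: float, source: str) -> bool:
        """Apply a setpoint change only if every check passes; log each refusal with its source."""
        if source.startswith("remote:") and not self.allow_remote:
            reason = "remote source not permitted"
        elif not self.low <= new_value <= self.high:
            reason = "outside engineering limits"
        # limits check above keeps both values positive, so the ratio is well defined
        elif max(new_value, self.current) / min(new_value, self.current) > self.max_step_factor:
            reason = "step too large"
        else:
            self.current = new_value
            return True
        self.rejected.append((self.tag, source, new_value, reason))
        return False


# Constructed command log: a local operator nudge, a TeamViewer-style remote write,
# a 100-fold jump like the one described in the article, then two more local writes.
SAMPLE_COMMANDS = [
    ("console:operator", 105.0),
    ("remote:teamviewer", 140.0),
    ("console:operator", 10500.0),
    ("console:operator", 145.0),
    ("console:operator", 60.0),
]


def replay(commands):
    """Run a command log through a freshly configured guard; return the guard and the verdicts."""
    guard = SetpointGuard(tag="NaOH_dose_ppm", low=50.0, high=150.0,
                          max_step_factor=1.5, current=100.0)
    verdicts = [guard.request(value, source) for source, value in commands]
    return guard, verdicts
```

Only the first and fourth commands are applied; the rejected tuples record which session tried what, which is the evidence an investigator needs when the sheriff's "where did this come from" question is asked.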
