ACCELER8OR

Jan 18 2012

The Internet is a little darker today


Today, Wikipedia, Reddit, and a host of other sites across the internet have gone dark to protest the SOPA (Stop Online Piracy Act) and PIPA (the PROTECT IP Act) bills worming their way through the legislature here in the US.

Both bills enable not just government censorship of the internet, but censorship initiated by the private sector, e.g. the MPAA and the RIAA, as a response to what they see as threats to their intellectual property rights.

The bills are both rapidly losing steam. MSNBC.com reported yesterday that votes in both houses of Congress have been delayed as protests around the internet have picked up supporters. On January 14, the Obama administration released a statement which indicated opposition to the most controversial enforcement mechanisms in both bills — DNS blacklisting, the same internet censorship techniques used by Iran, China, and Syria.

“We must avoid creating new cybersecurity risks or disrupting the underlying architecture of the Internet. Proposed laws must not tamper with the technical architecture of the Internet through manipulation of the Domain Name System (DNS), a foundation of Internet security. Our analysis of the DNS filtering provisions in some proposed legislation suggests that they pose a real risk to cybersecurity and yet leave contraband goods and services accessible online. We must avoid legislation that drives users to dangerous, unreliable DNS servers and puts next-generation security policies, such as the deployment of DNSSEC, at risk.” — the White House Blog, at Whitehouse.gov

But that doesn’t mean the bills are dead; far from it. Today’s digital protests are important, both as a way to raise awareness of the bills amongst people who might not know much about intellectual property law, and also to register the displeasure of all the internet entrepreneurs and information workers who would be affected by the sweeping legislation.

We at Acceler8or believe both these bills are bad policy with a high potential for abuse, and we stand with the sites which have chosen to go dark today. We’re a small site, and blacking out for the day doesn’t make much sense for us, nor would it make a ripple in the immense oceans of traffic that make up the internet. But we would like to encourage our US readers to take a moment to register their opposition to the bills with their elected representatives. One easy way is using this page from the Electronic Frontier Foundation to send email to your representatives in Congress. Another good way is through AmericanCensorship.org, where you can get tools to help you advertise your opposition on your own websites.

PROTECT IP / SOPA Breaks The Internet from Fight for the Future on Vimeo.
Aug 25 2011

Dillon Beresford and The Strange Case of the Stuxnet Worm


Cyber security has come front and center recently with the threat of the Guy Fawkes cyber attack on Facebook and the U.S. Department of Homeland Security’s warning about the use of Chinese-made software. Malicious hackers are everywhere these days, it seems.

Dillon Beresford, a “good guy” hacker who works for security firm NSS Labs, demonstrated at the Black Hat Briefings conference in Las Vegas this month how he had successfully exploited flaws in commonly-used industrial computer systems made by Siemens that are used in thousands of industrial plants.

The Siemens industrial control system (ICS) is the same product targeted by Stuxnet, the sophisticated computer worm discovered last year to have crippled Iran’s nuclear program. It reprogrammed the computer-controlled centrifuges used to enrich uranium so that they spun out of control and destroyed themselves.

Beresford’s talk was given in lieu of one he had planned to give at TakedownCon in June. He cancelled that talk voluntarily after Siemens and ICS CERT (cyber emergency response team) raised concerns about the impact of a public disclosure of the security holes. Here is the latest ICS CERT advisory.

The Washington Times quotes Vikram Phatak, chief technology officer of NSS Labs: Beresford’s work shows that “you don’t need Stuxnet to do real damage” to industrial plants. The demonstration showed vulnerabilities in the software and hardware used to run everything from nuclear power plants to manufacturing assembly lines to water treatment plants and prisons.

What is Stuxnet?
In the attack on the Iranian centrifuges, the Stuxnet worm spread from one computer to another via infected USB sticks. The vulnerability lay in how Windows Explorer, a fundamental component of Microsoft Windows, handled LNK (shortcut) files. When an infected USB stick was inserted into a computer, Explorer automatically scanned the contents of the stick; at that moment Stuxnet awoke and dropped a large, partially encrypted file onto the computer.

It was subsequently discovered that the worm itself appeared to have included two major components. One was designed to send Iran’s nuclear centrifuges spinning wildly out of control. The second seemed right out of a spy thriller: Stuxnet secretly recorded what normal operations at the nuclear plant looked like, then played those readings back to plant operators, like a pre-recorded security tape, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart.

The attacks were not fully successful: some parts of Iran’s operations ground to a halt, while others survived, according to the reports of international nuclear inspectors. The New York Times reported that it’s not clear the attacks are over yet: some experts believe the Stuxnet code contains the seeds for yet more versions and assaults.

Iran’s Nuclear Capabilities
Iran’s ability to produce bomb-ready enriched uranium became a major concern during the Bush administration. “Bomb, bomb, bomb, bomb Iran,” said Senator John McCain, parodying The Beach Boys’ tune Barbara Ann.

President Obama spent 2009 trying to engage Iran diplomatically. Tehran initially accepted but then rejected an offer for an interim solution under which it would ship some uranium out of the country for enrichment. In June 2010, after months of lobbying by the Obama administration and Europe, the United Nations Security Council voted to impose a new round of sanctions on Iran, the fourth such move.

The Cyber Attack on Iran’s Nuclear Centrifuges
Wired Magazine’s Threat Level reported that as early as January 2010, investigators with the International Atomic Energy Agency, completing an inspection at the uranium enrichment plant outside Natanz in central Iran, realized that something wasn’t right in the cascade rooms where thousands of centrifuges were enriching uranium.

Workers had been replacing the units at an incredible rate: perhaps between 1,000 and 2,000 centrifuges were swapped out over a few months. This was, of course, due to Stuxnet.

Stuxnet, it turns out, had actually been released in June 2009. But it would be nearly a year before the inspectors would learn of this. It took dozens of computer security researchers around the world months of analysis and deconstruction to determine that a worm exploiting a “zero-day” vulnerability had been at work.

The worm behind the Iranian incident was dubbed “Stuxnet” by Microsoft, from a combination of file names (.stub and MrxNet.sys) found in the code.

An Israeli Connection?
Israel’s never-acknowledged nuclear arms program is supposedly centered in the Dimona complex in the Negev desert. The New York Times reported that behind Dimona’s barbed wire, Israel spun nuclear centrifuges virtually identical to Iran’s at Natanz. Did they test the effectiveness of the Stuxnet computer worm before it infected the Iranian computers?

In January 2011, the retiring chief of Israel’s Mossad intelligence agency, Meir Dagan, and Secretary of State Hillary Rodham Clinton separately announced that they believed Iran’s uranium enrichment efforts had been set back by several years. Mrs. Clinton cited American-led sanctions, which have hurt Iran’s ability to buy components and do business around the world.

Officially, neither American nor Israeli officials will even acknowledge the existence of the Stuxnet worm.

But Israeli officials were reported as “grinning widely” when asked about its effects. President Obama’s chief WMD strategist, Gary Samore, sidestepped a Stuxnet question at a conference about Iran. He added, “with a smile,” “I’m glad to hear they are having troubles with their centrifuge machines, and the U.S. and its allies are doing everything we can to make it more complicated.”

Enter Dillon Beresford
Dillon Beresford is not just an everyday hacker. He has an extensive IT security background in exploit development, penetration testing, reverse code engineering, intrusion prevention systems, and intrusion detection systems.

After working with Siemens to identify the security flaws that allowed the Stuxnet incident to occur, he canceled a planned demonstration of the vulnerabilities (as mentioned earlier) at the TakeDownCon security conference in Texas in early June 2011, after Siemens and the Department of Homeland Security expressed concern about disclosing information before Siemens could patch the vulnerabilities.

The vulnerabilities affect the programmable logic controllers, or PLCs, in several Siemens SCADA (supervisory control and data acquisition) systems. Siemens PLC products are used in companies throughout the United States and the world.

It was a vulnerability in a PLC belonging to Siemens’ Step7 control system that was the target of the Stuxnet worm.

Beresford researched SCADA systems independently at home. He purchased SCADA products online with funding from NSS Labs, intending to examine systems belonging to multiple vendors. Beresford began with Siemens and found multiple vulnerabilities in the products very quickly.

Cyber Warfare?
The increasing attention to SCADA systems coming on the heels of Stuxnet and other cyber security incidents is putting pressure on both the U.S. Department of Homeland Security (DHS) and firms like Siemens to take a hard look at the security of PLCs and other industrial control equipment.

Underscoring the importance of cyber security, ZDNet reports that DHS just issued a warning about using Chinese-made software, especially when it comes to chemical, defense, and energy firms. Much of the concern comes from recent hacking attacks against companies like Lockheed Martin and Sony. The concern appears to trace back to a specific Beijing software company called Sunway ForceControl.

A huge Internet attack this month targeted 72 organizations, including the U.N., and analysts say it apparently originated in China.

The Daily Beast quotes Richard Clarke, the former top U.S. government official who famously held roles in counterterrorism and cybersecurity in the Clinton and Bush administrations: “What’s going on is very large-scale Chinese industrial espionage. They’re stealing our intellectual property. They’re getting our research and development for pennies on the dollar.”

What’s at stake goes beyond the ability to breach industrial control systems — even as scary as that is — into the realm of state secrets… and global military and economic dominance.
