As discussed in the previous post, the Stuxnet, Flame and Duqu malware families -- all state-sponsored -- have penetrated key systems throughout the globe. Stuxnet in particular was built to take control of SCADA equipment, the systems used to run industrial facilities around the world; Flame and Duqu were primarily espionage tools aimed at the same kind of targets.
Nearly a decade ago, a few writers -- including myself -- worried that Al Qaeda terrorists might pose the major threat to SCADA systems. (Frankly, I had forgotten that I wrote this post back in 2004.) More recently, security writers fingered Anonymous as the potential bad guys -- which is a rather hilarious accusation, considering how low-rent and disorganized those guys really are.
Still, the article at the other end of that link is quite eye-opening. As you read it, keep telling yourself: Stuxnet ain't no "Anonymous" thing -- it's an NSA/Unit 8200 thing.
In fact, the Department of Homeland Security and Idaho National Laboratory have engaged in mock hack-offs to wreak havoc and to highlight the vulnerabilities at factories, electrical plants and chemical facilities. The bad guys on the Red Team used virtual tools to crack into and cause chaos in the real world of the good guys on the Blue Team. These hackers showed that a malicious attack that caused mayhem and a toxic spill at ACME Chemical company was as easy as point, click and destroy.
Last year Stuxnet proved the reality of how very vulnerable Supervisory Control And Data Acquisition (SCADA) systems and industrial control software (ICS) systems could be. That was followed by Black Hat / DefCon security conference presentations of hacking SCADA to unlock and throw open prison doors, whacking wireless water meter networks, and penetrating internet-connected power lines to cut the power or seize control of security cameras, jam security alarms, or otherwise hack into home automation systems.
Within 30 minutes of the CEO opening a malicious phishing email, Red Team hackers had pillaged company documents, snuck into IP-based surveillance cameras and were spying on admins, had taken control and maliciously overridden safety features on a chemical plant computer system in order to turn valves, start pumps and cause a toxic chemical spill. In fact, the government cyberattack drill showed that in the hands of skilled hackers, industrial destruction really is as easy as point, click, destroy.
Here's something else I didn't know until recently: Stuxnet is older than most people think. Variants were floating around in 2005.
This recent piece in Foreign Policy by Ralph Langner turns on some of the lights, although it continues to propagate the fantasy that the real bad guys could not possibly be Americans or Israelis (because we are always the good guys, so huzzah and three cheers for the home team):
Stuxnet-inspired attackers will not necessarily place the same emphasis on disguise; they may want victims to know that they are under cyberattack and perhaps even want to publicly claim credit for it.
And unlike the Stuxnet attackers, these adversaries are also much more likely to go after civilian critical infrastructure. Not only are these systems more accessible, but they're standardized. Each system for running a power plant or a chemical factory is largely configured like the next. In fact, all modern plants operate with standard industrial control system architectures and products from just a handful of vendors per industry, using similar or even identical configurations. In other words, if you get control of one industrial control system, you can infiltrate dozens or even hundreds of the same breed more.
The shift of attention may have been fueled by a simple insight: Nuclear proliferators come and go, but cyberwarfare is here to stay. Operation Olympic Games started as an experiment with an unpredictable outcome. Along the road, one result became clear: Digital weapons work. And different from their analog counterparts, they don't put military forces in harm's way, they produce less collateral damage, they can be deployed stealthily, and they are dirt cheap. The contents of this Pandora's box have implications much beyond Iran; they have made analog warfare look low-tech, brutal, and so 20th century.
And that brings us to QUANTUM.
This is the mechanism by which the NSA and Britain's GCHQ have transformed the internet itself into a weapon of war. According to revelations about the QUANTUM program, the NSA can "shoot" (their words) an exploit at any target it desires as his or her traffic passes across the backbone.
If the NSA can hack Petrobras, the Russians can justify attacking Exxon/Mobil. If GCHQ can hack Belgacom to enable covert wiretaps, France can do the same to AT&T. If the Canadians target the Brazilian Ministry of Mines and Energy, the Chinese can target the U.S. Department of the Interior. We now live in a world where, if we are lucky, our attackers may be every country our traffic passes through except our own.
The QUANTUM codename is deliciously apt for a technique known as “packet injection,” which spoofs or forges packets to intercept them. The NSA’s wiretaps don’t even need to be silent; they just need to send a message that arrives at the target first.
Packet attacks have been used for censorship, preventing home users from accessing "forbidden" websites. (The same technique can just as easily redirect users to a fake website, since the forged reply can carry any content the injector likes. The psy-war possibilities should be obvious to anyone with a little imagination.)
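The race that Weaver describes above, as an added example that is not code from the post or from any real interception system: the packet records are constructed, `Receiver` is a deliberately minimal stand-in for a TCP stack (in-order delivery only, no window or RST handling), and `detect_injection` is the check a passive monitor near the victim can run, since the injector cannot stop the genuine reply from arriving a moment later.

```python
"""QUANTUM-style packet-injection race, plus the passive check that
catches it. Added example: constructed packets and a toy TCP receiver,
not code from the original post or from any interception system."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL as seen at the monitoring point
    payload: bytes


def flow_key(seg):
    return (seg.src, seg.sport, seg.dst, seg.dport)


class Receiver:
    """In-order receiver: the first segment whose seq equals rcv_nxt is
    consumed; a later segment covering already-consumed bytes is treated
    as a retransmission and dropped. That ordinary TCP rule, not any
    exploit, is what lets the injector win by arriving first."""

    def __init__(self, rcv_nxt):
        self.rcv_nxt = rcv_nxt
        self.data = b""

    def deliver(self, seg):
        if seg.seq == self.rcv_nxt:
            self.data += seg.payload
            self.rcv_nxt += len(seg.payload)
            return "accepted"
        if seg.seq < self.rcv_nxt:
            return "duplicate"
        return "out-of-order"


def forge_reply(observed_request, server_next_seq, payload, ttl):
    """The injector needs only what it saw on the backbone: addresses,
    ports and the server's next sequence number (the ACK number of the
    client's own request). It does not block the real reply, it beats it."""
    return Segment(src=observed_request.dst, dst=observed_request.src,
                   sport=observed_request.dport, dport=observed_request.sport,
                   seq=server_next_seq, ttl=ttl, payload=payload)


def detect_injection(observed):
    """Passive check: two segments of one flow claim the same starting seq
    but carry different bytes. A TTL difference between the copies (two
    origins, two hop counts) is reported as supporting evidence; real
    monitors also compare IP ID and inter-arrival timing."""
    first, alerts = {}, []
    for seg in observed:
        k = (flow_key(seg), seg.seq)
        if k not in first:
            first[k] = seg
            continue
        prev = first[k]
        if prev.payload != seg.payload:
            alerts.append({
                "flow": flow_key(seg), "seq": seg.seq,
                "ttl_mismatch": prev.ttl != seg.ttl,
                "first": hashlib.sha256(prev.payload).hexdigest()[:16],
                "second": hashlib.sha256(seg.payload).hexdigest()[:16],
            })
    return alerts


# Constructed scenario: a client fetches a page over plain HTTP.
CLIENT, SERVER = "10.0.0.5", "93.184.216.34"
REQUEST = Segment(CLIENT, SERVER, 40000, 80, seq=5000, ttl=64,
                  payload=b"GET / HTTP/1.1\r\nHost: news.example\r\n\r\n")
SERVER_NEXT_SEQ = 1000   # what the client ACKed in REQUEST
REAL_REPLY = Segment(SERVER, CLIENT, 80, 40000, seq=SERVER_NEXT_SEQ, ttl=52,
                     payload=b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello")
FORGED_REPLY = forge_reply(
    REQUEST, SERVER_NEXT_SEQ, ttl=58,
    payload=b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n")


def run_race():
    """Forged reply reaches the client first; the genuine one is then
    discarded as a duplicate. Returns (outcomes, bytes the client used)."""
    client = Receiver(rcv_nxt=SERVER_NEXT_SEQ)
    outcomes = [client.deliver(FORGED_REPLY), client.deliver(REAL_REPLY)]
    return outcomes, client.data


def run_monitor():
    """What a monitor near the client sees: the request, then both replies."""
    return detect_injection([REQUEST, FORGED_REPLY, REAL_REPLY])


if __name__ == "__main__":
    print(run_race())
    print(run_monitor())
```

The point of `detect_injection` is that the wiretap's advantage (it is on the path and therefore faster) is also its tell: the client always receives two replies for one request, and anyone capturing near the client can see them both.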
And then there's the NSA's lovely QUANTUMCOOKIE approach, which strips Tor users of anonymity. But there's so much more it can do...
So for any webmail service that doesn’t require HTTPS encryption, QUANTUMCOOKIE also allows the wiretap to log in as the target and read the target’s mail. QUANTUMCOOKIE could also tag users, as the same redirection that extracts a cookie could also set or modify a cookie, enabling the NSA to actively track users of interest as they move across the network — although there is no indication yet that the NSA utilizes this technique.
I was a little surprised by "cache poisoning." Clearing one's browser cache evicts a poisoned copy, but it is no defence on its own: the next plain-HTTP fetch of the same script can be injected all over again, and only HTTPS, which the injector cannot forge, actually closes that door. Be honest now: how often do you clear your cache anyway? (Not as often as you should, I would wager.)
The FinFly “remote monitoring” hacking tool sold to governments includes exploit-free exploitation, where it modifies software downloads and updates to contain a copy of the FinFisher Spyware. Although Gamma International’s tool operates as a full man-in-the-middle, packet injection can reproduce the effect. The injector simply waits for the victim to attempt a file download, and replies with a 302 redirect to a new server. This new server fetches the original file, modifies it, and passes it on to the victim. When the victim runs the executable, they are now exploited — without the need for any actual exploits.
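Both tricks quoted above (QUANTUMCOOKIE's cookie extraction and FinFly's download substitution) rest on the same injected 302 to a plain-HTTP request. The model below is an added example, not code from the post, the NSA or Gamma: hostnames, cookie values and the installer bytes are constructed, and the browser and the injector's "new server" are simplified stand-ins. It shows what the wiretap harvests in each case and the two checks that shut it down: the Secure cookie flag (and HTTPS generally) for cookies, and a hash pinned out of band for downloads.

```python
"""Injected 302 redirect: cookie extraction, download substitution, and the
checks that defeat both. Added example with constructed data; not code
from the post or from any real tool."""
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False   # Secure flag: browser sends it over https only


def cookies_for(jar, url):
    """Subset of RFC 6265 matching: host equals the cookie domain or is a
    subdomain of it; Secure cookies are withheld on non-https URLs."""
    u = urlparse(url)
    host = u.hostname or ""
    sent = {}
    for c in jar:
        if host != c.domain and not host.endswith("." + c.domain):
            continue
        if c.secure and u.scheme != "https":
            continue
        sent[c.name] = c.value
    return sent


def injected_redirect(request_url, target_url):
    """Wiretap forges the reply to a plain-HTTP request. For https it gets
    nothing: it cannot produce a valid TLS record for the victim's session,
    so there is no 302 to inject (modelled as None)."""
    if urlparse(request_url).scheme != "http":
        return None
    return {"status": 302, "Location": target_url}


def browser_follow(jar, response):
    """Browser follows the 302 and attaches whatever the jar allows for
    the new URL; that follow-up request is what crosses the wire."""
    if response is None:
        return None
    loc = response["Location"]
    return {"url": loc, "Cookie": cookies_for(jar, loc)}


def quantumcookie(jar, victim_url, webmail_url):
    """Cookie extraction: redirect the victim's plain-HTTP request to the
    webmail host and harvest the cookies the browser volunteers. If the
    follow-up goes over https the wiretap sees ciphertext, so nothing is
    harvested even when the browser did send cookies."""
    follow = browser_follow(jar, injected_redirect(victim_url, webmail_url))
    if follow is None or urlparse(follow["url"]).scheme != "http":
        return {}
    return follow["Cookie"]


# Constructed jars. WEAK: webmail session cookie set without Secure flag.
WEAK_JAR = [Cookie("SESSION", "s3cr3t-session-token", "webmail.example"),
            Cookie("prefs", "lang=en", "news.example")]
# HARDENED: same cookie marked Secure (the site only ever sets it over https).
HARDENED_JAR = [Cookie("SESSION", "s3cr3t-session-token", "webmail.example", secure=True),
                Cookie("prefs", "lang=en", "news.example")]

# --- download substitution ------------------------------------------------
ORIGINAL_INSTALLER = b"MZ\x90\x00constructed-installer-bytes"
# Pin obtained out of band (vendor's https page, signed release notes), i.e.
# not over the same injectable plain-HTTP path as the file itself.
PINNED_SHA256 = hashlib.sha256(ORIGINAL_INSTALLER).hexdigest()


def substitute_download(original):
    """The injector's 'new server': fetch the real file, append an implant
    stub (placeholder bytes here) and hand it to the victim."""
    return original + b"<<constructed-implant-stub>>"


def verify_download(data, pinned_hex):
    """The check that catches substitution without needing any exploit
    knowledge: the bytes simply no longer match what the vendor published."""
    return hashlib.sha256(data).hexdigest() == pinned_hex


if __name__ == "__main__":
    print(quantumcookie(WEAK_JAR, "http://news.example/story", "http://webmail.example/"))
    print(quantumcookie(HARDENED_JAR, "http://news.example/story", "http://webmail.example/"))
    print(verify_download(substitute_download(ORIGINAL_INSTALLER), PINNED_SHA256))
```

Note what each check actually buys: the Secure flag stops the browser from volunteering the session cookie on an injected plain-HTTP hop, HTTPS on the original request removes the injection point altogether, and the pinned hash only helps if the pin itself did not arrive over the same plain-HTTP channel the injector controls; in practice that is what vendor code signing provides.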
In recent days, FinFisher has been a popular topic of discussion. See, for example, here:
Security firms have detected FinFisher on computers across the world, and it is no surprise that Gamma is one company featured prominently on the Surveillance Industry Index.
Another is Italy's spyware writers Hacking Team, last week exposed by Mac antivirus firm Intego for its introduction of a new version of the multi-platform Da Vinci rootkit.
Officially, these programs are legitimate because they are used by police forces to monitor crime targets but the potential for abuse is obvious. Security firms mark FinFisher and Da Vinci as malware because from the point of view of anyone infected by them that is what they are.
"Because of the freedom to exist largely in the shadows, members of the private surveillance industry have gained a sense of impunity," said Rice. "By its very nature, mass surveillance is neither necessary nor proportionate, meaning that these technologies enable the violation of human rights, particularly the right to privacy and freedom of expression."
We need international treaties. We need to silence the defeatists and attack the cyber-attackers. Most of all, we need to get past the silly pretense that we need to fear hackers. Uncle Sam is the most dangerous hacker of all.