Image and video hosting by TinyPic

Monday, November 25, 2013

Total world control

On the Emptywheel site, a writer named Rayne offers a good look at the threat posed by the Stuxnet malware and its two siblings, Duqu and Flame. We've been told that Stuxnet was directed against Iran's nuclear capabilities and "accidentally" spread around the globe. But Rayne offers evidence that the "accident" was no accident.

This could be the biggest story of our time:
The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.

There’s very little chance of escaping the poison, either.
In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.

Poison everything, everywhere.
We've not discussed Duqu in these pages before. Like Stuxnet, it targets industrial control systems. In a previous post, we discussed SCADA, software designed to control industrial facilities -- including the plants which provide you with water, gas and electricity. As I wrote earlier of Stuxnet and SCADA:
If it is true that the worm has infected nuclear power plants around the world, we have officially entered James Bond territory. A single malefic individual (feel free to visualize a bald man sitting in a leather chair as he strokes a white cat) could set off dozens of nuclear meltdowns. Simultaneously. Worse, that same malefic individual could also control water systems, electrical systems, gas pipelines -- anything that uses SCADA.
You think I overstated the case? Read on...

We saw a flurry of stories about SCADA in 2011 -- see (for example) here, here and here. The last of those three links includes this passage, which quote Kevin Hayley of Symantec:
“The people behind Stuxnet are not done,” he said. “They've continued to do different things. This was not a one-shot deal.”

Haley declined to name any of the targets, but according to the Symantec blog, the Duqu sample was recovered from computer systems located in Europe, from a limited number of organizations, including those involved in making industrial control systems. Such SCADA, or supervisory control and data acquisition, systems are used to open and shut valves and control machinery and other physical functions at factories, gasoline refineries, and other industrial facilities, many of which are considered critical to the national security of the countries where they're located.
The Wikipedia page on Duqu contains some astounding information.
Duqu malware is a variety of software components that together provide services to the attackers. Currently this includes information stealing capabilities and in the background, kernel drivers and injection tools.
Outsiders aren't even sure what language the malware was written in.
Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive, the known components are trying to gather information.[12] However, based on the modular structure of Duqu, special payload could be used to attack any type of computer systems by any means and thus cyber-physical attacks based on Duqu might be possible. However, use on personal computer systems has been found to delete all recent information entered on the system, and in some cases total deletion of the computer's hard drive.
This bit is particularly clever:
According to McAfee, one of Duqu's actions is to steal digital certificates (and corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as secure software.
Arguably, whoever controls SCADA controls the world. If I understand this information aright, it seems possible that the service controlling Stuxnet and Duqu can, with the push of a button, cause the electricity to flicker off in your city. The people who wrote this malware have the ability to send us back to the stone age.

Ever see the pilot to Revolution? Thanks to Stuxnet and Duqu, you may one day live it.

Let's stop pretending that this is all about Iran's alleged nuclear capability. Let's stop pretending that the thing "just happened" to escape. Let's stop pretending that the Israelis blindsided Obama by making Stuxnet go forth and multiply. Let's stop buying the cover story.

This is about control.

Why aren't we seeing congressional hearings? 
Computing is great, but this business of putting critical systems on wide area networks is a flash in the pan. Trusting venders with firmware is probably doomed as well. Sure, I'm victim blaming here. But running a nuclear program without employing your own programmers and getting total control over every machine code instruction on every device is madness. The same thing goes for critical infrastructure and even critical business or government systems. Putting them on a wide area network is even more utterly incompetent.
I agree, Zolo. But your comment represents something akin to a decision of the mice to bell the cat. SCADA is now a fact of industrial life throughout the world, and it's not going away any time soon. So what do we do about these threats?

I don't think I've stressed the problems enough. An outside force could blackmail the world by gaining access to the power grid, water, gas and nuclear infrastructure in dozens of nations. We're talking about the ability to shut down cities, to make aqueducts run dry -- to turn a nuclear reactor into another Chernobyl.

And it has already happened.
They'll have to go back to a minimalist design philosophy that is fundamentally more secure though probably more labor intensive. I wonder if that would take less time than trying to address the specific vulnerabilities that these threats are using. In a power plant I imagine that the most vulnerable systems aren't absolutely necessary to run the plant. The short term solution would be to hire and train more people in order to run the plant without those systems. If there isn't enough redundancy built in to allow that, oh well.
What if Skynet becomes self-aware?
Post a Comment

<< Home

This page is 

powered by Blogger. 

Isn't yours?

Image and video hosting by TinyPic

Image and video hosting by TinyPic