CRYPTO-GRAM, OCTOBER 15, 2010
Bruce Schneier
schneier at SCHNEIER.COM
Fri Oct 15 01:17:12 PDT 2010
CRYPTO-GRAM
October 15, 2010
by Bruce Schneier
Chief Security Technology Officer, BT
schneier at schneier.com
http://www.schneier.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit
<http://www.schneier.com/crypto-gram.html>.
You can read this issue on the web at
<http://www.schneier.com/crypto-gram-1010.html>. These same essays and
news items appear in the "Schneier on Security" blog at
<http://www.schneier.com/blog>, along with a lively comment section. An
RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Wiretapping the Internet
News
Me on Cyberwar
Putting Unique Codes on Objects to Detect Counterfeiting
Schneier News
Stuxnet
** *** ***** ******* *********** *************
Wiretapping the Internet
In September, The New York Times reported that President Obama will seek
sweeping laws enabling law enforcement to more easily eavesdrop on the
internet. Technologies are changing, the administration argues, and modern
digital systems aren't as easy to monitor as traditional telephones.
The government wants to force companies to redesign their communications
systems and information networks to facilitate surveillance, and to
provide law enforcement with back doors that enable them to bypass any
security measures.
The proposal may seem extreme, but -- unfortunately -- it's not unique.
Just a few months ago, the governments of the United Arab Emirates and
Saudi Arabia threatened to ban BlackBerry devices unless the company made
eavesdropping easier. China has already built a massive internet
surveillance system to better control its citizens.
Formerly reserved for totalitarian countries, this wholesale surveillance
of citizens has moved into the democratic world as well. Governments like
Sweden, Canada and the United Kingdom are debating or passing laws giving
their police new powers of internet surveillance, in many cases requiring
communications system providers to redesign products and services they
sell. More are passing data retention laws, forcing companies to retain
customer data in case they might need to be investigated later.
Obama isn't the first U.S. president to seek expanded digital
eavesdropping. The 1994 CALEA law required phone companies to build ways
to better facilitate FBI eavesdropping into their digital phone switches.
Since 2001, the National Security Agency has built substantial
eavesdropping systems within the United States.
These laws are dangerous, both for citizens of countries like China and
citizens of Western democracies. Forcing companies to redesign their
communications products and services to facilitate government
eavesdropping reduces privacy and liberty; that's obvious. But the laws
also make us less safe. Communications systems that have no inherent
eavesdropping capabilities are more secure than systems with those
capabilities built in.
Any surveillance system invites both criminal appropriation and government
abuse. Function creep is the most obvious abuse: New police powers, enacted
to fight terrorism, are already used in situations of conventional
nonterrorist crime. Internet surveillance and control will be no different.
Official misuses are bad enough, but the unofficial uses are far more
worrisome. An infrastructure conducive to surveillance and control invites
surveillance and control, both by the people you expect and the people you
don't. Any surveillance and control system must itself be secured, and
we're not very good at that. Why does anyone think that only authorized law
enforcement will mine collected internet data or eavesdrop on Skype and IM
conversations?
These risks are not theoretical. After 9/11, the National Security Agency
built a surveillance infrastructure to eavesdrop on telephone calls and
e-mails within the United States. Although procedural rules stated that
only non-Americans and international phone calls were to be listened to,
actual practice didn't always match those rules. NSA analysts collected
more data than they were authorized to and used the system to spy on wives,
girlfriends and famous people like former President Bill Clinton.
The most serious known misuse of a telecommunications surveillance
infrastructure took place in Greece. Between June 2004 and March 2005,
someone wiretapped more than 100 cell phones belonging to members of the
Greek government -- the prime minister and the ministers of defense,
foreign affairs and justice -- and other prominent people. Ericsson built
this wiretapping capability into Vodafone's products, but enabled it only
for governments that requested it. Greece wasn't one of those governments,
but some still unknown party -- a rival political group? organized crime?
-- figured out how to surreptitiously turn the feature on.
Surveillance infrastructure is easy to export. Once surveillance
capabilities are built into Skype or Gmail or your BlackBerry, it's easy
for more totalitarian countries to demand the same access; after all, the
technical work has already been done.
Western companies such as Siemens, Nokia and Secure Computing built Iran's
surveillance infrastructure, and U.S. companies like L-1 Identity
Solutions helped build China's electronic police state. The next
generation of worldwide citizen control will be paid for by countries like
the United States.
We should be embarrassed to export eavesdropping capabilities. Secure,
surveillance-free systems protect the lives of people in totalitarian
countries around the world. They allow people to exchange ideas even when
the government wants to limit free exchange. They power citizen
journalism, political movements and social change. For example, Twitter's
anonymity saved the lives of Iranian dissidents -- anonymity that many
governments want to eliminate.
Yes, communications technologies are used by both the good guys and the
bad guys. But the good guys far outnumber the bad guys, and it's far more
valuable to make sure they're secure than it is to cripple them on the off
chance it might help catch a bad guy. It's like the FBI demanding that no
automobiles drive above 50 mph, so they can more easily pursue getaway
cars. It might or might not work -- but, regardless, the cost to society of
the resulting slowdown would be enormous.
It's bad civic hygiene to build technologies that could someday be used to
facilitate a police state. No matter what the eavesdroppers say, these
systems cost too much and put us all at greater risk.
This essay previously appeared on CNN.com.
http://www.cnn.com/2010/OPINION/09/29/schneier.web.surveillance/index.html?iref=allsearch
or http://tinyurl.com/2449te3
It was a rewrite of a 2009 op-ed on MPR News Q.
http://www.schneier.com/essay-281.html
That was based in part on a 2007 Washington Post op-ed by Susan Landau.
http://www.washingtonpost.com/wp-dyn/content/article/2007/08/08/AR2007080801961.html
or http://tinyurl.com/2cz43v
News articles:
http://www.nytimes.com/2010/09/27/us/27wiretap.html
http://www.wired.com/threatlevel/2010/09/fbi-backdoors/
https://www.eff.org/deeplinks/2010/09/government-seeks
http://arstechnica.com/tech-policy/news/2010/09/fbi-drive-for-encryption-backdoors-is-deja-vu-for-security-experts.ars
or http://tinyurl.com/37sk66r
Blackberry bans:
http://www.schneier.com/blog/archives/2010/08/uae_to_ban_blac.html
Eavesdropping on Bill Clinton:
http://www.wired.com/threatlevel/2009/06/pinwale
Wiretapping cell phones in Greece:
http://spectrum.ieee.org/telecom/security/the-athens-affair
** *** ***** ******* *********** *************
News
Kenzero is a Japanese Trojan that collects and publishes users' porn
surfing habits, and then blackmails them, requiring them to pay to have
the information removed.
http://www.telegraph.co.uk/technology/news/7596756/Browsing-histories-published-online-in-Kenzero-virus-scam.html
or http://tinyurl.com/yynwghl
http://www.dangerousminds.net/comments/kenzero_the_blackmailing_porn_virus/
or http://tinyurl.com/2b3snvc
http://news.bbc.co.uk/2/hi/8622665.stm
http://www.pc1news.com/news/1299/kenzero-trojan-blackmails-victims.html or
http://tinyurl.com/25kk6k5
There's a paper at the upcoming ACM CCS conference examining similar
Japanese scams.
http://www.andrew.cmu.edu/user/nicolasc/publications/TR-CMU-CyLab-10-011.pdf
or http://tinyurl.com/22njamx
Vulnerabilities in US-CERT network. You'd think they'd do somewhat better.
http://www.wired.com/threatlevel/2010/09/us-cert/
http://www.nextgov.com/nextgov/ng_20100909_5549.php?oref=topnews
http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_10-111_Aug10.pdf
http://gcn.com/articles/2010/09/09/us-cert-riddled-with-security-holes.aspx?s=gcndaily_100910
or http://tinyurl.com/3a4xz56
Not answering questions at U.S. Customs.
http://knifetricks.blogspot.com/2010/04/i-am-detained-by-feds-for-not-answering.html
or http://tinyurl.com/264resf
Police set up a highway sign warning motorists that there are random stops
for narcotics checks ahead, but they actually search people who take the
next exit. Clever real-world honeypot.
http://420tribune.com/2010/03/narcotics-checkpoint/
A graphical representation of popular usernames and passwords.
http://www.dragonresearchgroup.org/insight/sshpwauth-cloud.html
DHS *still* worried about terrorists using Internet surveillance.
http://www.schneier.com/blog/archives/2010/09/dhs_still_worri.html
DARPA is looking for something that can automatically declassify documents.
http://www.wired.com/dangerroom/2010/09/darpa-wants-you-to-build-it-an-anti-secrecy-app/
or http://tinyurl.com/2v7q2xa
The master key for the High-Bandwidth Digital Content Protection standard
-- that's what encrypts digital television between set-top boxes and
digital televisions -- has been cracked and published. The ramifications
are unclear.
http://www.engadget.com/2010/09/14/hdcp-master-key-supposedly-released-unlocks-hdtv-copy-protect/
or http://tinyurl.com/35t6cg7
http://news.cnet.com/8301-27080_3-20016756-245.html
http://www.wired.com/threatlevel/2010/09/no-pirate-bonanza/
Good essay questioning counterterrorism policy:
http://www.theatlantic.com/magazine/archive/2007/11/just-asking/6288
This list of "Four Irrefutable Security Laws" is from Malcolm Harkins,
Intel's chief information security officer: 1) users want to click on
things, 2) code wants to be wrong, 3) services want to be on, and 4)
security features can be used to harm.
http://www.schneier.com/blog/archives/2010/09/four_irrefutabl.html
Statistical distribution of combat wounds to the head.
http://mindhacks.com/2010/09/15/an-uneven-hail-of-bullets/
I'm not sure it's useful, but it is interesting.
I stayed clear of Haystack -- the anonymity program that was going to
protect the privacy of dissidents the world over -- because I didn't have
enough details about the program to have an intelligent opinion. The
project has since imploded, and here are two excellent essays about the
program and the hype surrounding it.
http://www.slate.com/id/2267262/pagenum/all/
http://jilliancyork.com/2010/09/13/haystack-and-media-irresponsibility/ or
http://tinyurl.com/24m22vf
http://esr.ibiblio.org/?p=2568
http://www.pelicancrossing.net/netwars/2010/09/lost_in_a_haystack.html
A new prepaid electricity meter fraud:
http://www.schneier.com/blog/archives/2010/09/new_prepaid_ele.html
Evercookies: extremely persistent browser cookies.
http://www.schneier.com/blog/archives/2010/09/evercookies.html
WARNING --My blog page is safe, but when you visit the evercookie site, it
stores an evercookie on your machine.
In an article about Robert Woodward's new book, Obama's Wars, this is
listed as one of the book's "disclosures": "A new capability developed by
the National Security Agency has dramatically increased the speed at which
intercepted communications can be turned around into useful information for
intelligence analysts and covert operators. 'They talk, we listen. They
move, we observe. Given the opportunity, we react operationally,'
then-Director of National Intelligence Mike McConnell explained to Obama at
a briefing two days after he was elected president." Eavesdropping is
easy. Getting actual intelligence to the hands of people is hard. It
sounds as if the NSA has advanced capabilities to automatically sift
through massive amounts of electronic communications and find the few bits
worth relaying to intelligence officers.
http://www.washingtonpost.com/wp-dyn/content/article/2010/09/21/AR2010092106706.html
or http://tinyurl.com/2b67b6j
http://www.amazon.com/exec/obidos/ASIN/1439172498/counterpane/
Serious new attack against ASP.NET:
http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310
or http://tinyurl.com/357jhfc
http://threatpost.com/en_us/blogs/demo-aspnet-padding-oracle-attack-091710
or http://tinyurl.com/2vo66be
https://www.microsoft.com/technet/security/advisory/2416728.mspx
http://www.computerworld.com/s/article/9186842/Microsoft_sounds_alert_on_massive_Web_bug
or http://tinyurl.com/23t93vh
http://visualstudiomagazine.com/articles/2010/09/14/aspnet-security-hack.aspx
or http://tinyurl.com/32wq3cw
http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
or http://tinyurl.com/2fdqvgn
http://weblogs.asp.net/scottgu/archive/2010/09/20/frequently-asked-questions-about-the-asp-net-security-vulnerability.aspx
or http://tinyurl.com/2uy54b9
http://weblogs.asp.net/scottgu/archive/2010/09/24/update-on-asp-net-vulnerability.aspx
or http://tinyurl.com/2d7934r
There's a patch.
http://www.microsoft.com/technet/security/bulletin/ms10-070.mspx
It's better to try to isolate parts of a terrorist network than to attempt
to destroy it as a whole, at least according to this model:
http://www.sciencedaily.com/releases/2010/09/100917090835.htm
The cultural cognition of risk:
http://www.schneier.com/blog/archives/2010/09/cultural_cognit.html
Stealing money from a safe with a vacuum.
http://www.thesun.co.uk/sol/homepage/news/3149962/Robbers-clean-up-with-vacuum.html
or http://tinyurl.com/378p7ft
There is an interesting list of NSA publications in this document, pages
30b36. This document is a bunch of pages from the NSA intranet.
http://www.governmentattic.org/3docs/NSA-CCH-1-page-Intranet.pdf
This is a list of master's theses from the Naval Postgraduate School's
Center for Homeland Defense and Security, this year.
http://www.hlswatch.com/2010/09/21/growing-ideas-in-homeland-security/
Monitoring employees' online behavior: not their online behavior at work,
but their online behavior in life.
http://www.schneier.com/blog/archives/2010/10/monitoring_empl.html
I regularly say that security decisions are primarily made for
non-security reasons. This article about the placement of sky marshals on
airplanes is an excellent example. Basically, the airlines would prefer
they fly coach instead of first class.
http://online.wsj.com/article_email/SB10001424052748703431604575521832473932878-lMyQjAxMTAwMDIwOTEyNDkyWj.html
or http://tinyurl.com/25txpf5
http://www.economist.com/blogs/gulliver/2010/10/sky_marshals
When I list the few improvements to airline security since 9/11, I don't
include sky marshals.
New research: "Attacks and Design of Image Recognition CAPTCHAs."
http://homepages.cs.ncl.ac.uk/jeff.yan/ccs10.pdf
The politics of allocating Homeland Security money to states.
http://www.schneier.com/blog/archives/2010/10/the_politics_of_1.html
Hacking trial breaks D.C. Internet voting system. It was easy.
http://voices.washingtonpost.com/debonis/2010/10/hacker_infiltration_ends_dc_on.html
or http://tinyurl.com/2fsvxdo
http://www.dcboee.us/dvm/
http://www.wired.com/threatlevel/2010/10/dc-voting-system-hacked/
http://www.freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot
or http://tinyurl.com/23w8ocw
My primary worry about contests like this is that people will think a
positive result means something. If a bunch of students can break into a
system after a couple of weeks of attempts, we know it's insecure. But just
because a system withstands a test like this doesn't mean it's secure. We
don't know who tried. We don't know what they tried. We don't know how
long they tried. And we don't know if someone who tries smarter, harder,
and longer could break the system.
The ineffectiveness of vague security warnings.
http://www.slate.com/id/2269845
http://www.washingtonpost.com/wp-dyn/content/article/2010/10/04/AR2010100403090.html
or http://tinyurl.com/28umefm
I wrote much the same thing in 2004, about the DHS's vague terrorist
warnings and the color-coded threat advisory system.
http://www.schneier.com/essay-055.html
http://www.schneier.com/blog/archives/2004/10/do_terror_alert.html
Good article from The Economist on biometrics.
http://www.economist.com/blogs/babbage/2010/10/biometrics
Here's my essay on biometrics, from 1999.
http://www.schneier.com/essay-019.html
Remember the Mahmoud al-Mabhouh assassination last January? The police
identified 30 suspects, but haven't been able to find any of them. "Police
spent about 10,000 hours poring over footage from some 1,500 security
cameras around Dubai. Using face-recognition software, electronic-payment
records, receipts and interviews with taxi drivers and hotel staff, they
put together a list of suspects and publicized it." But every trail has
gone cold. Seems ubiquitous electronic surveillance is no match for a
sufficiently advanced adversary.
http://www.schneier.com/blog/archives/2010/10/the_mahmoud_al-.html
The FBI is tracking a college student in Silicon Valley. He's 20,
partially Egyptian, and studying marketing at Mission College. He found
the tracking device attached to his car. Near as he could tell, what he
did to warrant the FBI's attention was be the friend of someone who did
something to warrant the FBI's attention.
http://www.schneier.com/blog/archives/2010/10/the_fbi_is_trac.html
Pen-and-paper SQL injection attack against Swedish election:
http://www.schneier.com/blog/archives/2010/10/pen-and-paper_s.html
New technology that can pick a single voice out of a crowded and noisy
stadium:
http://www.wired.com/gadgetlab/2010/10/super-microphone-picks-out-single-voice-in-a-crowded-stadium/
or http://tinyurl.com/2e8fy45
India is writing its own operating system so it doesn't have to rely on
Western technology:
http://www.schneier.com/blog/archives/2010/10/indian_os.html
** *** ***** ******* *********** *************
Me on Cyberwar
During the cyberwar debate a few months ago, I said this:
If we frame this discussion as a war discussion, then what you do
when there's a threat of war is you call in the military and you
get military solutions. You get lockdown; you get an enemy that
needs to be subdued. If you think about these threats in terms of
crime, you get police solutions. And as we have this debate, not
just on stage, but in the country, the way we frame it, the way we
talk about it; the way the headlines read, determine what sort of
solutions we want, make us feel better. And so the threat of
cyberwar is being grossly exaggerated and I think it's being done
for a reason. This is a power grab by government. What Mike
McConnell didn't mention is that grossly exaggerating a threat of
cyberwar is incredibly profitable.
The debate:
http://www.npr.org/templates/story/story.php?storyId=127861446
The quote:
http://techinsider.nextgov.com/2010/09/the_cyberwar_echo_chamber.php
More of my writings on cyberwar are here:
http://www.schneier.com/blog/archives/2010/07/the_threat_of_c.html
** *** ***** ******* *********** *************
Putting Unique Codes on Objects to Detect Counterfeiting
This will help some.
At least two rival systems plan to put unique codes on packages
containing antimalarials and other medications. Buyers will be
able to text the code to a phone number on the package and get an
immediate reply of "NO" or "OK," with the drug's name, expiration
date, and other information.
To defeat the system, the counterfeiter has to copy the bar codes. If the
stores selling to customers are in on the scam, it can be the same code.
If not, there have to be sufficient different bar codes that the store
doesn't detect duplications. Presumably, numbers that are known to have
been copied are added to the database, so the counterfeiters need to keep
updating their codes. And presumably the codes are cryptographically hard
to predict, so the only way to keep updating them is to look at legitimate
products.
Another attack would be to intercept the verification system. A
man-in-the-middle attack against the phone number or the website would be
difficult, but presumably the verification information would be on the
object itself. It would be easy to swap in a fake phone number that would
verify anything.
It'll be interesting to see how the counterfeiters get around this
security measure.
http://www.businessweek.com/magazine/content/10_21/b4179037128534.htm
** *** ***** ******* *********** *************
Schneier News
On October 19, I'll be giving a keynote speech at Information Security
Trends Meeting 2010 in Medellin, Colombia. On October 20, I'll be giving a
keynote in BogotC!, Colombia, as part of the same conference.
http://www.digiware.net/images/stories/istmweb/istm.html
I'll be speaking at the GRC Meeting in Lisbon, Portugal, on October 28.
http://www.grc-meeting.com/
On November 6, I'll be speaking in Milton Keynes, UK, at the annual ACCU
Security Fundraising Conference, in support of the Bletchley Park Trust
and The National Museum of Computing.
http://www.bletchleypark.org.uk/calendar/event_detail.rhtm?cat=special&recID=618139
or http://tinyurl.com/25pge74
I'll be speaking at the Information Security Forum Annual World Congress
in Monaco on November 7.
https://www.securityforum.org/services/publiccongress/
I'll be speaking at the Gartner Symposium/ITxpo in Nice on November 8.
http://www.gartner.com/technology/symposium/cannes/index.jsp
My musical recording debut. It's not about security.
http://www.schneier.com/blog/archives/2010/10/my_recording_de.html
** *** ***** ******* *********** *************
Stuxnet
Computer security experts are often surprised at which stories get picked
up by the mainstream media. Sometimes it makes no sense. Why this
particular data breach, vulnerability, or worm and not others? Sometimes
it's obvious. In the case of Stuxnet, there's a great story.
As the story goes, the Stuxnet worm was designed and released by a
government--the U.S. and Israel are the most common suspects--specifically
to attack the Bushehr nuclear power plant in Iran. How could anyone not
report that? It combines computer attacks, nuclear power, spy agencies and
a country that's a pariah to much of the world. The only problem with the
story is that it's almost entirely speculation.
Here's what we do know: Stuxnet is an Internet worm that infects Windows
computers. It primarily spreads via USB sticks, which allows it to get
into computers and networks not normally connected to the Internet. Once
inside a network, it uses a variety of mechanisms to propagate to other
machines within that network and gain privilege once it has infected those
machines. These mechanisms include both known and patched vulnerabilities,
and four "zero-day exploits": vulnerabilities that were unknown and
unpatched when the worm was released. (All the infection vulnerabilities
have since been patched.)
Stuxnet doesn't actually do anything on those infected Windows computers,
because they're not the real target. What Stuxnet looks for is a particular
model of Programmable Logic Controller (PLC) made by Siemens (the press
often refers to these as SCADA systems, which is technically incorrect).
These are small embedded industrial control systems that run all sorts of
automated processes: on factory floors, in chemical plants, in oil
refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are
often controlled by computers, and Stuxnet looks for Siemens SIMATIC
WinCC/Step 7 controller software.
If it doesn't find one, it does nothing. If it does, it infects it using
yet another unknown and unpatched vulnerability, this one in the
controller software. Then it reads and changes particular bits of data in
the controlled PLCs. It's impossible to predict the effects of this
without knowing what the PLC is doing and how it is programmed, and that
programming can be unique based on the application. But the changes are
very specific, leading many to believe that Stuxnet is targeting a
specific PLC, or a specific group of PLCs, performing a specific function
in a specific location--and that Stuxnet's authors knew exactly what they
were targeting.
It's already infected more than 50,000 Windows computers, and Siemens has
reported 14 infected control systems, many in Germany. (These numbers were
certainly out of date as soon as I typed them.) We don't know of any
physical damage Stuxnet has caused, although there are rumors that it was
responsible for the failure of India's INSAT-4B satellite in July. We
believe that it did infect the Bushehr plant.
All the anti-virus programs detect and remove Stuxnet from Windows systems.
Stuxnet was first discovered in late June, although there's speculation
that it was released a year earlier. As worms go, it's very complex and
got more complex over time. In addition to the multiple vulnerabilities
that it exploits, it installs its own driver into Windows. These have to
be signed, of course, but Stuxnet used a stolen legitimate certificate.
Interestingly, the stolen certificate was revoked on July 16, and a
Stuxnet variant with a different stolen certificate was discovered on July
17.
Over time the attackers swapped out modules that didn't work and replaced
them with new ones--perhaps as Stuxnet made its way to its intended target.
Those certificates first appeared in January. USB propagation, in March.
Stuxnet has two ways to update itself. It checks back to two control
servers, one in Malaysia and the other in Denmark, but also uses a
peer-to-peer update system: When two Stuxnet infections encounter each
other, they compare versions and make sure they both have the most recent
one. It also has a kill date of June 24, 2012. On that date, the worm will
stop spreading and delete itself.
We don't know who wrote Stuxnet. We don't know why. We don't know what the
target is, or if Stuxnet reached it. But you can see why there is so much
speculation that it was created by a government.
Stuxnet doesn't act like a criminal worm. It doesn't spread
indiscriminately. It doesn't steal credit card information or account
login credentials. It doesn't herd infected computers into a botnet. It
uses multiple zero-day vulnerabilities. A criminal group would be smarter
to create different worm variants and use one in each. Stuxnet performs
sabotage. It doesn't threaten sabotage, like a criminal organization intent
on extortion might.
Stuxnet was expensive to create. Estimates are that it took 8 to 10 people
six months to write. There's also the lab setup--surely any organization
that goes to all this trouble would test the thing before releasing it--and
the intelligence gathering to know exactly how to target it. Additionally,
zero-day exploits are valuable. They're hard to find, and they can only be
used once. Whoever wrote Stuxnet was willing to spend a lot of money to
ensure that whatever job it was intended to do would be done.
None of this points to the Bushehr nuclear power plant in Iran, though.
Best I can tell, this rumor was started by Ralph Langner, a security
researcher from Germany. He labeled his theory "highly speculative," and
based it primarily on the facts that Iran had an unusually high number of
infections (the rumor that it had the most infections of any country seems
not to be true), that the Bushehr nuclear plant is a juicy target, and that
some of the other countries with high infection rates--India, Indonesia,
and Pakistan--are countries where the same Russian contractor involved in
Bushehr is also involved. This rumor moved into the computer press and then
into the mainstream press, where it became the accepted story, without any
of the original caveats.
Once a theory takes hold, though, it's easy to find more evidence. The
word "myrtus" appears in the worm: an artifact that the compiler left,
possibly by accident. That's the myrtle plant. Of course, that doesn't
mean that druids wrote Stuxnet. According to the story, it refers to Queen
Esther, also known as Hadassah; she saved the Persian Jews from genocide in
the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.
Stuxnet also sets a registry value of "19790509" to alert new copies of
Stuxnet that the computer has already been infected. It's rather obviously
a date, but instead of looking at the gazillion things--large and
small--that happened on that the date, the story insists it refers to the
date Persian Jew Habib Elghanain was executed in Tehran for spying for
Israel.
Sure, these markers could point to Israel as the author. On the other
hand, Stuxnet's authors were uncommonly thorough about not leaving clues
in their code; the markers could have been deliberately planted by someone
who wanted to frame Israel. Or they could have been deliberately planted by
Israel, who wanted us to think they were planted by someone who wanted to
frame Israel. Once you start walking down this road, it's impossible to
know when to stop.
Another number found in Stuxnet is 0xDEADF007. Perhaps that means "Dead
Fool" or "Dead Foot," a term that refers to an airplane engine failure.
Perhaps this means Stuxnet is trying to cause the targeted system to fail.
Or perhaps not. Still, a targeted worm designed to cause a specific
sabotage seems to be the most likely explanation.
If that's the case, why is Stuxnet so sloppily targeted? Why doesn't
Stuxnet erase itself when it realizes it's not in the targeted network?
When it infects a network via USB stick, it's supposed to only spread to
three additional computers and to erase itself after 21 days--but it
doesn't do that. A mistake in programming, or a feature in the code not
enabled? Maybe we're not supposed to reverse engineer the target. By
allowing Stuxnet to spread globally, its authors committed collateral
damage worldwide. From a foreign policy perspective, that seems dumb. But
maybe Stuxnet's authors didn't care.
My guess is that Stuxnet's authors, and its target, will forever remain a
mystery.
This essay originally appeared on Forbes.com.
http://www.forbes.com/2010/10/06/iran-nuclear-computer-technology-security-stuxnet-worm.html
or http://tinyurl.com/29bhajd
My alternate explanations for Stuxnet were cut from the essay. Here they
are:
1. A research project that got out of control. Researchers have
accidentally released worms before. But given the press, and the fact
that any researcher working on something like this would be talking to
friends, colleagues, and his advisor, I would expect someone to have outed
him by now, especially if it was done by a team.
2. A criminal worm designed to demonstrate a capability. Sure, that's
possible. Stuxnet could be a prelude to extortion. But I think a cheaper
demonstration would be just as effective. Then again, maybe not.
3. A message. It's hard to speculate any further, because we don't know
who the message is for, or its context. Presumably the intended recipient
would know. Maybe it's a "look what we can do" message. Or an "if you
don't listen to us, we'll do worse next time" message. Again, it's a very
expensive message, but maybe one of the pieces of the message is "we have
so many resources that we can burn four or five man-years of effort and
four zero-day vulnerabilities just for the fun of it." If that message
were for me, I'd be impressed.
4. A worm released by the U.S. military to scare the government into
giving it more budget and power over cybersecurity. Nah, that sort of
conspiracy is much more common in fiction than in real life.
Note that some of these alternate explanations overlap.
http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant
or http://tinyurl.com/37aqurn
reported:
http://www.computerworld.com/s/article/9185419/Siemens_Stuxnet_worm_hit_industrial_systems
or http://tinyurl.com/32lsl8b
http://blogs.forbes.com/firewall/2010/09/29/did-the-stuxnet-worm-kill-indias-insat-4b-satellite/
or http://tinyurl.com/26jkaw8
http://www.wired.com/threatlevel/2010/10/stuxnet-deconstructed/
http://www.nytimes.com/2010/09/27/technology/27virus.html
http://www.symantec.com/connect/blogs/stuxnet-print-spooler-zero-day-vulnerability-not-zero-day-all
or http://tinyurl.com/2fh7hr9
http://news.cnet.com/8301-27080_3-20018530-245.html
http://sites.google.com/site/n3td3v/latest/whatweknowaboutstuxnet
http://antivirus.about.com/b/2010/10/02/debunking-the-bunk-of-stuxnet.htm
or http://tinyurl.com/237yed9
http://frank.geekheim.de/?p=1189
Good technical info on Stuxnet:
http://www.f-secure.com/weblog/archives/00002040.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
or http://tinyurl.com/36y7jzb
Ralph Langner:
http://www.langner.com/en/
** *** ***** ******* *********** *************
Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing
summaries, analyses, insights, and commentaries on security: computer and
otherwise. You can subscribe, unsubscribe, or change your address on the
Web at <http://www.schneier.com/crypto-gram.html>. Back issues are also
available at that URL.
Please feel free to forward CRYPTO-GRAM, in whole or in part, to
colleagues and friends who will find it valuable. Permission is also
granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.
CRYPTO-GRAM is written by Bruce Schneier. Schneier is the author of the
best sellers "Schneier on Security," "Beyond Fear," "Secrets and Lies,"
and "Applied Cryptography," and an inventor of the Blowfish, Twofish,
Threefish, Helix, Phelix, and Skein algorithms. He is the Chief Security
Technology Officer of BT BCSG, and is on the Board of Directors of the
Electronic Privacy Information Center (EPIC). He is a frequent writer and
lecturer on security topics. See <http://www.schneier.com>.
Crypto-Gram is a personal newsletter. Opinions expressed are not
necessarily those of BT.
Copyright (c) 2010 by Bruce Schneier.
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
More information about the cypherpunks-legacy
mailing list