Tag Archives: businessman

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software which a Siberian pipeline so it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how the Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the look out for machinery to infect—specifically, a Siemens Simatic Step 7 factory system. This system runs a version of Microsoft Windows, and is where the code that runs the programmable logic controllers (PLCs) are put together. Once they’re compiled, these PLCs are uploaded to the computer that controls the machinery. Stuxnet, from what people can figure out, fiddles around with this code within the Siemens computer, tweaking it as it goes to and comes back from the PLC itself.

This is the thing: No one has seen this kind of thing before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, killing 154 people, may have been caused by a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one factory, and would make complex modifications to the system. It uses at least four different weaknesses in Windows to burrow its way inside, and installs its own software drivers—something that shouldn’t happen because drivers are supposed to be certified.

And it’s happening in real time. Computers are infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. And it may have already done what it’s supposed to have done; we may never know. One of the key vulnerabilities the Trojan used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges in Iran’s main nuclear enrichment program at Natanz was reduced significantly a few months later; the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork and very smoke and mirrors: Israel, perhaps inevitably, has been blamed by some. After all, it has its own cyber warfare division called Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed connections inside the code: the word myrtle, for example, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and was executed in Iran on May 9, 1979.

Frankly, who knows?

The point with all this is that we’re entering unchartered territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry from security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

Phishing Victim Fights Back

It had to happen some time. Phishing victims are fighting back — against their banks. A Miami Businessman is sueing Bank of America according to AccountingWEB.com and other sources:

 Joe Lopez, a Miami businessman who regularly conducts business over the Internet, is suing Bank of America for negligence and failure to provide protection for online banking risks of which he claims the bank was aware. Last April, Mr. Lopez’s computer system was hacked into and $90,348.65 was wired from his account at Bank of America to a bank in Riga, Latvia without his approval.

Ralph Patino, Mr. Lopez’s lawyer, claims Bank of America had knowledge of a virus called coreflood, a Trojan horse virus known for infiltrating and compromising security systems and enabling unauthorized access to infected computers, and therefore the bank had a responsibility to inform its customers of the virus.

Coreflood, according to The Register, is primarily designed to conduct Denial of Service (DoS) attacks, but the theory is that the backdoor access it enabled criminals to extract banking passwords and account details entered into Lopez’s PC. This remains unproven.

This makes the case a bit more complicated than if Lopez was hoodwinked by a phishing email designed to look like something from Bank Of America. Still, the the AccountingWeb piece quotes Avivah Litan, vice president and research director for research firm Gartner Inc. and an online fraud expert, as saying

banking cybercrime cases such as this one may result in banks adopting stricter security measures in the future. “Banks can’t reasonably expect consumers to protect themselves from cybercriminals,” said Ms. Litan. She believes that consumers need banks to offer greater security if they want online banking to increase. Gartner Inc. predicts that within two years, “50 percent of today’s stronger methods for customer authentication will no longer be strong enough to be a safeguard against phishing and malware.”

In other words, banks have got to find a better way to keep their customers secure, and arguing that cases like Lopez’ are nothing to do with them may not impress customers already increasingly nervous about doing business and banking online.

News: Hotels Ban Phones, Sort Of

 From the very sizeable Cheapskate Hoteliers Dept comes a report (thanks textually.org) from Scotland of a mobile phone jamming scam, as exposed by the Daily Record. Businessman Ronnie McGuire, the paper says, is flooding Scotland with high-tech phone jammers that are illegal to use. Sold to hotels, restaurants, bars and bed and breakfasts, the devices emit radio waves which wipe out the signal to mobile phones, rendering them useless. Guests, unaware their signal has been sabotaged, are forced to use expensive hotel phone lines or call boxes.
 
McGuire is quoted as saying: “It comes up on their phone `no service’ and people think there’s no service in that area.
But it’s best not to tell anyone you’ve got it because they might not be too happy.” True, too true. Of course they must be great for a bit of peace and quiet.