The Bangladesh Bank Hack, Part XIV

Lots of attention at the moment on the implications of the Bangladesh Bank hack, now four months old. This is a piece I contributed last week. Quite a bit of water has gone under the bridge since then. We not only don’t know who was behind the hack – North Koreans have been put somewhere in the frame, but that’s by no means a certainty – but we still don’t really understand how all the pieces fit together. Meanwhile, the blame game continues.

Cyber firms say Bangladesh hackers have attacked other Asian banks

WASHINGTON/SINGAPORE | BY DUSTIN VOLZ AND JEREMY WAGSTAFF

Hackers who stole $81 million from Bangladesh’s central bank have been linked to an attack on a bank in the Philippines, in addition to the 2014 hack on Sony Pictures, cybersecurity company Symantec Corp (SYMC.O) said in a blog post.

The U.S. Federal Bureau of Investigation has blamed North Korea for the attack on Sony’s Hollywood studio.

A senior executive at Mandiant, the cybersecurity company investigating the Bank Bangladesh heist, also told Reuters the hackers had recently penetrated banks in Southeast Asia.

In the blog post published on Thursday, Symantec did not name the Philippines bank or say whether any money was stolen, but said the attacks could be traced back to October last year. It did not identify the hackers.

The Philippines central bank’s deputy governor, Nestor Espenilla, told Reuters that no bank in the country had lost money to hackers, although he did not rule out the possibility of cyber attacks.

“We are checking if there are similar attacks on Philippine banks,” Espenilla said. “However, no reported losses so far.”

He added: “It is one thing to be attacked. It is another to lose money.”

Marshall Heilman, vice president for Mandiant, a part of U.S.-based FireEye (FEYE.O), said it was not known whether any money was lost in the other attacks he described or whether the hackers had been successfully blocked.

“There is a group operating in Southeast Asia that definitely understands the bank industry and is at more than one location,” he said.

Heilman declined to identify the country or countries, or the institutions attacked. He said it was the same group as the one involved in the Bank Bangladesh theft and that the attacks were recent, but declined to be more specific.

Central banks elsewhere in Southeast Asia – Singapore, Indonesia, Brunei, Myanmar, Laos, Cambodia, Vietnam, Thailand and East Timor – have declined comment or denied knowledge of any other breaches.

There have been at least four known cyber attacks against a bank involving fraudulent messages on the SWIFT payments network, one dating back to 2013. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, urged banks this week to bolster their security, saying it was aware of multiple attacks.

Banks around the world use secure SWIFT messages for issuing payment instructions to each other.

“HARD CONNECTION”

SWIFT said earlier this week that February’s Bangladesh Bank hack was a “watershed event for the banking industry” and that it was “not an isolated incident.”

Spokeswoman Natasha de Teran said on Thursday that SWIFT was “actively looking into other possible instances of such fraud,” but would not comment on individual entities.

Symantec said it had identified three pieces of malware that were used in limited targeted attacks against financial institutions in Southeast Asia. (symc.ly/1sRNHc7)

One of the malicious programs has been previously associated with a hacking group known as Lazarus, which has been linked to the devastating attack on Sony’s Hollywood studio in 2014.

“There is a pretty hard connection now to the Sony attacks and the actor behind them” and the Bangladesh heist, Eric Chien, technical director at Symantec, said in an interview.

Another cybersecurity firm, BAE Systems, said this month that the distinctive computer code used to erase the tracks of hackers in the Bangladesh Bank heist was similar to code used to attack Sony.

Chien said that if North Korea was responsible for the hacks on banks via the SWIFT messaging network it would represent the first known episode of a nation-state stealing money in a cyber attack.

Policymakers, regulators and financial institutions around the world are stepping up scrutiny of the cyber security of the SWIFT payments system after hackers used it to make fraudulent transfers totaling $81 million out of Bank Bangladesh’s account at the Federal Reserve Bank of New York.

Symantec and other researchers have also linked the hack to a failed attempt to use fraudulent SWIFT messages to steal from a commercial bank in Vietnam.

In addition, Reuters reported last week that Ecuador’s Banco del Austro had more than $12 million stolen from a Wells Fargo account due to fraudulent transfers over the SWIFT network.

Bangladesh police are also reviewing a nearly-forgotten 2013 cyber heist at the nation’s largest commercial bank, Sonali Bank, for connections to the central bank heist, a senior law enforcement official told Reuters. The unsolved theft of $250,000 at Sonali Bank also involved fraudulent transfer requests sent over the SWIFT network.

(Additional reporting by Narottam Medhora in Bengaluru and Karen Lema in Manila; Editing by Siddharth Cavale, Leslie Adler and Raju Gopalakrishnan)

Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar | Reuters

My piece on what Deep Panda looks like in action: Hunt for Deep Panda intensifies in trenches of U.S.-China cyberwar | Reuters:

“Security researchers have many names for the hacking group that is one of the suspects for the cyberattack on the U.S. government’s Office of Personnel Management: PinkPanther, KungFu Kittens, Group 72 and, most famously, Deep Panda. But to Jared Myers and colleagues at cybersecurity company RSA, it is called Shell Crew, and Myers’ team is one of the few who has watched it mid-assault — and eventually repulsed it.

Myers’ account of a months-long battle with the group illustrates the challenges governments and companies face in defending against hackers that researchers believe are linked to the Chinese government – a charge Beijing denies.

‘The Shell Crew is an extremely efficient and talented group,’ Myers said in an interview.

Shell Crew, or Deep Panda, are one of several hacking groups that Western cybersecurity companies have accused of hacking into U.S. and other countries’ networks and stealing government, defense and industrial documents.

The attack on the OPM computers, revealed this month, compromised the data of 4 million current and former federal employees, raising U.S. suspicions that Chinese hackers were building huge databases that could be used to recruit spies.

China has denied any connection with such attacks and little is known about the identities of those involved in them. But cybersecurity experts are starting to learn more about their methods.

Researchers have connected the OPM breach to an earlier attack on U.S. healthcare insurer Anthem Inc (ANTM.N), which has been blamed on Deep Panda.

RSA’s Myers says his team has no evidence that Shell Crew were behind the OPM attack, but believes Shell Crew and Deep Panda are the same group.

And they are no newcomers to cyber-espionage.

CrowdStrike, the cybersecurity company which gave Deep Panda its name due to its perceived Chinese links, traces its activities to 2011, when it launched attacks on defense, energy and chemical industries in the United States and Japan. But few have caught them in the act.

SHELL CREW IN ACTION

In February 2014 a U.S. firm that designs and makes technology products called in RSA, a division of technology company EMC (EMC.N), to fix an unrelated problem. RSA realized there was a much bigger one at hand: hackers were inside the company’s network, stealing sensitive data. 

‘In fact,’ Myers recalls telling the company, ‘you have a problem right now.’

Myers’ team could see hackers had been there for more than six months. But the attack went back further than that.

For months Shell Crew had probed the company’s defenses, using software code that makes use of known weaknesses in computer systems to try to unlock a door on its servers. Once Shell Crew found a way in, however, they moved quickly, aware this was the point when they were most likely to be spotted.

SPEARPHISHING

On July 10, 2013, they set up a fake user account at an engineering portal. A malware package was uploaded to a site, and then, 40 minutes later, the fake account sent emails to company employees, designed to fool one into clicking on a link which in turn would download the malware and open the door. 

‘It was very well timed, very well laid out,’ recalls Myers.

Once an employee fell for the email, the Shell Crew were in, and within hours were wandering the company’s network. Two days later the company, aware employees had fallen for the emails – known as spearphish – reset their passwords. But it was too late: the Shell Crew had already shipped in software to create backdoors and other ways in and out of the system. 

For the next 50 days the group moved freely, mapping the network and sending their findings back to base. This, Myers said, was because the hackers would be working in tandem with someone else, someone who knew what to steal.

‘They take out these huge lists of what is there and hand it over to another unit, someone who knows about this, what is important,’ he said. 

Then in early September 2013, they returned, with specific targets. For weeks they mined the company’s computers, copying gigabytes of data. They were still at it when the RSA team discovered them nearly five months later. 

Myers’ team painstakingly retraced Shell Crew’s movements, trying to catalogue where they had been in the networks and what they had stolen. They couldn’t move against them until they were sure they could kick them out for good. 

It took two months before they closed the door, locking the Shell Crew out. But within days they were trying to get back in, launching hundreds of assaults through backdoors, malware and webshells.

Myers says they are still trying to gain access today, though all attempts have been unsuccessful.

‘If they’re still trying to get back in, that lets you know you’re successful in keeping them out,’ he said.

(Additional reporting by Joseph Menn; Editing by Rachel Armstrong and Mark Bendeich)”

Spy in the Sky – are planes hacker-proof?

My take on aviation cybersecurity for Reuters: Plane safe? Hacker case points to deeper cyber issues:

“Plane safe? Hacker case points to deeper cyber issues

BY JEREMY WAGSTAFF

Security researcher Chris Roberts made headlines last month when he was hauled off a plane in New York by the FBI and accused of hacking into flight controls via his underseat entertainment unit.

Other security researchers say Roberts – who was quoted by the FBI as saying he once caused ‘a sideways movement of the plane during a flight’ – has helped draw attention to a wider issue: that the aviation industry has not kept pace with the threat hackers pose to increasingly computer-connected airplanes.

Through his lawyer, Roberts said his only interest had been to ‘improve aircraft security.’

‘This is going to drive change. It will force the hand of organizations (in the aviation industry),’ says Jonathan Butts, a former US Air Force researcher who now runs a company working on IT security issues in aviation and other industries.

As the aviation industry adopts communication protocols similar to those used on the Internet to connect cockpits, cabins and ground controls, it leaves itself open to the vulnerabilities bedevilling other industries – from finance to oil and gas to medicine.

‘There’s this huge issue staring us in the face,’ says Brad Haines, a friend of Roberts and a security researcher focused on aviation. ‘Are you going to shoot the messenger?’

More worrying than people like Roberts, said Mark Gazit, CEO of Israel-based security company ThetaRay, are the hackers probing aircraft systems on the quiet. His team found Internet forum users claiming to have hacked, for example, into cabin food menus, ordering free drinks and meals.

That may sound harmless enough, but Gazit has seen a similar pattern of trivial exploits evolve into more serious breaches in other industries. ‘It always starts this way,’ he says.

ANXIOUS AIRLINES

The red flags raised by Roberts’ case are already worrying some airlines, says Ralf Cabos, a Singapore-based specialist in inflight entertainment systems.

One airline official at a recent trade show, he said, feared the growing trend of offering inflight WiFi allowed hackers to gain remote access to the plane. Another senior executive demanded that before discussing any sale, vendors must prove their inflight entertainment systems do not connect to critical flight controls.

Panasonic Corp and Thales SA, whose inflight entertainment units Roberts allegedly compromised, declined to answer detailed questions on their systems, but both said they take security seriously and their devices were certified as secure.

Airplane maker Boeing Co says that while such systems do have communication links, ‘the design isolates them from other systems on planes performing critical and essential functions.’ European rival Airbus said its aircraft are designed to be protected from ‘any potential threats coming from the In-Flight-Entertainment System, be it from Wi-Fi or compromised seat electronic boxes.’

Steve Jackson, head of security at Qantas Airways Ltd, said the airline’s ‘extremely stringent security measures’ would be ‘more than enough to mitigate any attempt at remote interference with aircraft systems.’

CIRCUMVENTING

But experts question whether such systems can be completely isolated. An April report by the U.S. General Accountability Office quoted four cybersecurity experts as saying firewalls ‘could be hacked like any other software and circumvented,’ giving access to cockpit avionics – the machinery that pilots use to fly the plane.

That itself reflects doubts about how well an industry used to focusing on physical safety understands cybersecurity, where the threat is less clear and constantly changing.

The U.S. National Research Council this month issued a report on aviation communication systems saying that while the Federal Aviation Administration, the U.S. regulator, realized cybersecurity was an issue, it ‘has not been fully integrated into the agency’s thinking, planning and efforts.’

The chairman of the research team, Steven Bellovin of Columbia University, said the implications were worrying, not just for communication systems but for the computers running an aircraft. ‘The conclusion we came to was they just didn’t understand software security, so why would I think they understand software avionics?’ he said in an interview.

SLOW RESPONSE

This, security researchers say, can be seen in the slow response to their concerns.

The International Civil Aviation Organisation (ICAO) last year highlighted long-known vulnerabilities in a new aircraft positioning communication system, ADS-B, and called for a working group to be set up to tackle them.

Researchers like Haines have shown that ADS-B, a replacement for radar and other air traffic control systems, could allow a hacker to remotely give wrong or misleading information to pilots and air traffic controllers.

And that’s just the start. Aviation security consultant Butts said his company, QED Secure Solutions, had identified vulnerabilities in ADS-B components that could give an attacker access to critical parts of a plane.

But since presenting his findings to vendors, manufacturers and the industry’s security community six months ago he’s had little or no response.

‘This is just the tip of the iceberg,’ he says.

(Additional reporting by Siva Govindasamy; Editing by Ian Geoghegan)”

BBC: Beyond the Breach

The script of my Reuters story on cybersecurity. Podcast available here.

If you’re getting tired of internet security companies using images of padlocks, moats, drawbridges and barbed wire in their ads, then chances are you won’t have to put up with them much longer.

Turns out that keeping the bad guys out of your office network has largely failed. All those metaphors suggesting castles, unassailable battlements, locked doors are being quietly replaced by another shtick: the bad guys are in your network, but we’ll find them, watch what they do, and try to ensure they don’t break anything or steal anything valuable.

Which is slightly worrying, if you thought firewalls, antivirus and the like were going to save you.

You’re probably tired of the headlines about cybersecurity breaches: U.S. insurer Anthem Inc saying hackers may have made off with some 80 million personal health records, while others raided Sony Pictures’ computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, show the old ways have failed, and now is the chance for younger, nimbler companies selling services to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone. It’s a sort of cat and mouse game, only going on inside your computers.

Cybersecurity, of course, is big business. $70 billion was spent on it last year.

Of course, we’re partly to blame. We insist on using our tablets and smartphones for work; we access Facebook and LinkedIn from the office. All this offers attackers extra opportunities to gain access to company networks.

But it’s also because the attackers and their methods have changed. Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, and these guys don’t want to just steal stuff, they want to hurt their victim. And they have hundreds of ways of doing it.

And they’re usually successful. All these new services operate on the assumption that the bad guy is already inside your house, as it were. And may have been there months. Research by IT security company FireEye found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

Where there’s muck there’s brass, as my mother would say. Funding these start-ups are U.S.- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners.

Companies using these services aren’t your traditional banks and whatnot. UK-based Darktrace, which uses maths and machine learning to spot abnormalities in a network that might be an attack, has customers like a British train franchise and a Norwegian shipping insurer.

But it’s early days. Most companies still blithely think they’re immune, either because they think they don’t have anything worth stealing or deleting, or because they think a firewall and an antivirus program are enough.

And of course, there’s another problem. As cyber breaches get worse, and cybersecurity becomes a more valuable business, expect the hype, marketing and dramatic imagery to grow, making it ever more confusing for the lay person to navigate.

I’ve not seen them yet, but I’m guessing for these new companies the shield and helmet images will be replaced by those of SAS commandos, stealthily patrolling silicon corridors. Or maybe it’ll be Tom, laying mousetraps for his nemesis. Might be apt: Jerry the cheese thief always seemed to win.

Reuters: Beyond the Breach

My piece on disruption in the cybersecurity space. Too many companies and ideas to mention in Reuters-space, but it’s a start. Thanks to Ian Geoghegan, as ever, for his editing touch.

Beyond the breach: cyberattacks force a defense strategy re-think | Reuters

(Reuters) – A barrage of damaging cyberattacks is shaking up the security industry, with some businesses and organizations no longer assuming they can keep hackers at bay, and instead turning to waging a guerrilla war from within their networks.

U.S. insurer Anthem Inc last week said hackers may have made off with some 80 million personal health records. Also, Amy Pascal said she would step down as co-chairman of Sony Pictures Entertainment, two months after hackers raided the company’s computers and released torrents of damaging emails and employee data.

Such breaches, say people in the industry, offer a chance for younger, nimbler companies trying to sell customers new techniques to protect data and outwit attackers. These range from disguising valuable data, diverting attackers up blind alleys, and figuring out how to mitigate breaches once the data has already gone.

“Suddenly, the music has completely changed,” said Udi Mokady, founder of U.S.-based CyberArk. “It’s not just Sony, it’s a culmination of things that has turned our industry around.”

Worldwide spending on IT security was about $70 billion last year, estimates Gartner. ABI Research reckons cybersecurity spending on critical infrastructure alone, such as banks, energy and defense, will reach $109 billion by 2020.

Several things are transforming the landscape. Corporations have been forced to allow employees to use their own mobile phones and tablets for work, and let them access web-based services like Facebook and Gmail from office computers. All this offers attackers extra opportunities to gain access to their networks.

And the attackers and their methods have changed.

Cyber criminals and spies are being overshadowed by politically or religiously motivated activists, says Bryan Sartin, who leads a team of researchers and investigators at Verizon Enterprise Solutions, part of Verizon Communications. “They want to hurt the victim, and they have hundreds of ways of doing it,” he said in a phone interview.

CLOSING THE DOOR

The result: companies can no longer count on defending themselves with decades-old tools like firewalls to block traffic and antivirus software to catch malware, and then assume all traffic that does make it within the network is legitimate.

Research by IT security company FireEye last month, for example, found that “attackers are bypassing conventional security deployments almost at will.” Across industries from legal to healthcare it found nearly all systems had been breached.

“Once an attacker has made it past those defenses they’re in the gooey center, and getting around is relatively simple,” said Ryan Wager, director of product management at vArmour.

Attackers can lurk inside a network for half a year before being detected. “That’s like having a bad guy inside your house for six months before you know about it,” says Aamir Lakhani, security strategist at Fortinet Inc, a network security company.

Security start-ups have developed different approaches based on the assumption that hackers are already, or soon will be, inside the network.

Canada-based Camouflage, for example, replaces confidential data in files that don’t need it, like training databases, with fictitious but usable data. This makes attackers think they have stolen something worthwhile. U.S.-based TrapX Security creates traps of ‘fake computers’ loaded with fake data to redirect and neutralize attacks.

California-based vArmour tries to secure data centers by monitoring and protecting individual parts of the network. In the Target Corp breach during the 2013 holiday shopping season, for example, attackers were able to penetrate 97 different parts of the company’s network by moving sideways through the organization, according to vArmour’s Wager.

“You need to make sure that when you close the door, the criminal is actually on the other side of the door,” he said.

‘THREAT INTELLIGENCE’

Funding these start-ups are U.S.- and Europe-based venture capital firms which sense another industry ripe for disruption.

Google Ventures and others invested $22 million in ThreatStream in December, while Bessemer Venture Partners last month invested $30 million in iSIGHT Partners. Both companies focus on so-called ‘threat intelligence’ – trying to understand what attackers are doing, or plan to do.

Clients are starting to listen.

Veradocs’ CEO and co-founder Ajay Arora says that while his product is not officially live, his firm is already working with companies ranging from hedge funds to media entertainment groups to encrypt key documents and data.

UK-based Darktrace, which uses math and machine learning to spot abnormalities in a network that might be an attack, has a customer base that includes Virgin Trains, Norwegian shipping insurer DNK and several telecoms companies.

But it’s slow going. Despite being open for business since 2013, it’s only been in the past six months that interest has really picked up, says Darktrace’s director of technology Dave Palmer.

“The idea that indiscriminate hacking would target all organizations is only starting to get into the consciousness.”

Scammers Scam Gmail Scam Filters

This amused me. A scam message got through Gmail’s eagle-eyed scam filters telling me to update my account details. That’s not unusual. But was it because the scammers added their own assurance that they had already done the filtering?

It says:

**************************************************************************
This footnote confirms that this email message has been scanned by New Google Mail-SeCure for the presence of malicious code, vandals & computer viruses.
**************************************************************************

Well that’s alright then.

Southeast Asia’s Viral Infection

Southeast Asia is fast developing a reputation as the most dangerous place on the Internet. It’s not a reputation the region can afford to have.

By one count Thailand has risen, in the past few months, to be the country with the highest number of malware infections, and by another count to be the second.

PandaLabs’ report on the second quarter of 2011 [PDF] lists Thailand as having the second highest rate of malware infection (after China) with nearly 57% of computers scanned by their antivirus software as being infected. The global average is about 40%. Thailand was second in the previous quarter too, but with an even higher infection rate, of 65%. Most of these infections seem to come from worms.

Indeed, this trend seems to have started last year. The AntiPhishing Working Group’s report for the second half of 2010 lists Thailand as top in terms of infected countries–nearly 67%, higher than China’s 63%. (I should point out that the chief analyst for the APWG is Luis Corrons, who is technical director of PandaLabs, so the source of this data may actually be one place.)

Indonesia, meanwhile, now equals the United States as the highest single source of Distributed Denial of Service attacks, according to data from Kaspersky (Expect More DDoS Attacks Tomorrow, published on Monday):

The US and Indonesia topped the rating with each country accounting for 5% of all DDoS traffic. The US’s leading position is down to the large number of computers in the country – a highly attractive feature for botmasters. Meanwhile, the large number of infected computers in Indonesia means it also ranks highly in the DDoS traffic rating. According to data from Kaspersky Security Network, Kaspersky Lab’s globally-distributed threat monitoring network, in Q2 2011 almost every second machine (48%) in Indonesia was subjected to a local malware infection attempt.

A couple of points here:

  • Indonesia has a lot fewer computers connected to the Internet compared to the U.S.: about 40 million vs 245 million. This means that Indonesia is generating 5 times as much DDOS traffic per computer as the U.S.
  • The discrepancies in the infection rates between Kaspersky and Panda are artifacts of the way these companies measure these things. Basically, as far as I understand, they gather data from users, so a lot depends on just how popular that particular piece of antivirus software is in the country, and on factors such as the likelihood of people actually using antivirus software.

The Kaspersky report shows that Southeast Asia features heavily in the proportion of DDOS traffic:

  • Indonesia 5%
  • Philippines 4%
  • Vietnam 4%
  • Thailand 4%
  • Singapore 4%
  • Malaysia 3%

Internet traffic optimizer Akamai, meanwhile, reported that [PDF, may have to answer a short survey before reading] Burma (Myanmar) accounted for 13% of the world’s attack traffic (i.e. DDOS traffic). This was the first time that Burma appeared on the list. I’ve spoken to Akamai and they’re not clear why this is the case, but they did point to the fact that their data covers the first quarter of 2011, a few months after a massive DDOS attack on Burma which happened to coincide with the country’s elections.

The suspicion at the time was that this was self-inflicted: basically pro-government hackers preventing Burmese from using the Internet to get alternative sources of election information. Makes sense. Akamai’s theory is that the traffic they saw in the first quarter of this year was residual traffic from those massive attacks. But the truth is that no one knows.

More generally, it’s not good that Southeast Asia is now becoming this malware and DDOS capital. There are lots of reasons for it, which I’ll be exploring as part of a project in the months to come.

Full version of the Kaspersky report: DDoS attacks in Q2 2011 – Securelist

Stuck on Stuxnet

By Jeremy Wagstaff (this is my weekly Loose Wire Service column for newspaper syndication)

We’ve reached one of those moments that I like: When we’ll look back at the time before and wonder how we were so naive about everything. In this case, we’ll think about when we thought computer viruses were just things that messed up, well, computers.

Henceforward, with every mechanical screw-up, every piston that fails, every pump that gives out, any sign of smoke, we’ll be asking ourselves: was that a virus?

I’m talking, of course, about the Stuxnet worm. It’s a piece of computer code–about the size of half an average MP3 file–which many believe is designed to take out Iran’s nuclear program. Some think it may already have done so.

What’s got everyone in a tizzy is that this sort of thing was considered a bit too James Bond to actually be possible. Sure, there are stories. Like the one about how the U.S. infected some software that ran a Siberian pipeline so that it exploded in 1982 and brought down the whole Soviet Union. No-one’s actually sure that this happened–after all, who’s going to hear a pipeline blow up in the middle of Siberia in the early 1980s?–but that hasn’t stopped it becoming one of those stories you know are too good not to be true.

And then there’s the story about how Saddam Hussein’s phone network was disabled by US commandos in January 1991 armed with a software virus, some night vision goggles and a French dot matrix printer. It’s not necessarily that these things didn’t happen–it’s just that we heard about them so long after the fact that we’re perhaps a little suspicious about why we’re being told them now.

But Stuxnet is happening now. And it seems, if all the security boffins are to be believed, to open up a scary vista of a future when one piece of software can become a laser-guided missile pointed right at the heart of a very, very specific target. Which needn’t be a computer at all, but a piece of heavy machinery. Like, say, a uranium enrichment plant.

Stuxnet is at its heart just like any other computer virus. It runs on Windows. You can infect a computer by one of those USB flash drive thingies, or through a network if it finds a weak password.

But it does a lot more than that. It’s on the lookout for industrial control software to infect, specifically Siemens’ Simatic Step 7, the Windows program engineers use to write the code that runs programmable logic controllers (PLCs). Once that code is compiled, it is sent from the Step 7 machine down to the PLCs that actually drive the machinery. Stuxnet, from what people can figure out, sits between the two: it tampers with the code on its way to the PLC and hides the changes when the code is read back, so an engineer checking the PLC from the infected workstation sees only what he expects to see.
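To make that mechanism concrete, here is a toy model of the man-in-the-middle just described. It is an illustration added to this post, not the post’s own code and not anything taken from Stuxnet, and everything in it is constructed for the example: the block names and their contents, the driver classes and the hash check. (The real hook replaced a Siemens communication library on the workstation; the controller itself was never infected.) What the model shows is why reading the program back from the infected workstation proves nothing, and why verification has to go through a path the infected machine does not control.

```python
"""Toy model of the Step 7 <-> PLC man-in-the-middle described above.

Added illustration, not code from the original post or from Stuxnet.
Block names, their contents and the checksum scheme are invented for the
example; nothing here talks to a real controller.
"""
import hashlib


# A PLC program is modelled as a dict of named code blocks (Step 7 uses
# names like OB1, FC1).  The contents are constructed placeholder bytes.
CLEAN_PROGRAM = {
    "OB1": b"main cycle: read sensors; call FC1",
    "FC1": b"motor control: frequency = setpoint",
}

# Block the toy malware splices in, and the call it appends to OB1.
ROGUE_BLOCK_NAME = "FC_rogue"
ROGUE_BLOCK_CODE = b"after N cycles: frequency = unsafe value"
ROGUE_CALL = b"; call FC_rogue"


class Plc:
    """The controller itself.  It is not infected: it faithfully stores
    whatever it is sent and returns exactly what it holds."""

    def __init__(self):
        self.blocks = {}

    def download(self, blocks):  # Step 7 calls writing to the PLC a "download"
        self.blocks = dict(blocks)

    def upload(self):            # and reading it back an "upload"
        return dict(self.blocks)


class HonestDriver:
    """Communication layer between the engineering software and the PLC."""

    def __init__(self, plc):
        self.plc = plc

    def write(self, blocks):
        self.plc.download(blocks)

    def read(self):
        return self.plc.upload()


class HookedDriver(HonestDriver):
    """Models the hook Stuxnet placed in the Siemens communication library:
    inject on the way out, strip the same changes on the way back, so the
    engineer's screen keeps showing the clean program."""

    def write(self, blocks):
        tampered = dict(blocks)
        tampered["OB1"] = blocks["OB1"] + ROGUE_CALL
        tampered[ROGUE_BLOCK_NAME] = ROGUE_BLOCK_CODE
        self.plc.download(tampered)

    def read(self):
        seen = self.plc.upload()
        seen.pop(ROGUE_BLOCK_NAME, None)
        if "OB1" in seen:
            seen["OB1"] = seen["OB1"].replace(ROGUE_CALL, b"")
        return seen


def program_hash(blocks):
    """Order-independent SHA-256 over block names and contents."""
    h = hashlib.sha256()
    for name in sorted(blocks):
        h.update(name.encode())
        h.update(b"\x00")
        h.update(blocks[name])
        h.update(b"\x00")
    return h.hexdigest()


def verify_via_workstation(driver, golden):
    """Check the PLC through the same driver the engineer uses."""
    return program_hash(driver.read()) == program_hash(golden)


def verify_out_of_band(plc, golden):
    """Check the PLC through a path the workstation's driver does not
    control, e.g. a separate, known-clean machine pulling the blocks."""
    return program_hash(plc.upload()) == program_hash(golden)


def run_scenario(driver_cls):
    """Load CLEAN_PROGRAM through the given driver and run both checks."""
    plc = Plc()
    driver = driver_cls(plc)
    driver.write(CLEAN_PROGRAM)
    return {
        "workstation_check_passes": verify_via_workstation(driver, CLEAN_PROGRAM),
        "out_of_band_check_passes": verify_out_of_band(plc, CLEAN_PROGRAM),
        "rogue_block_on_plc": ROGUE_BLOCK_NAME in plc.upload(),
    }


if __name__ == "__main__":
    for cls in (HonestDriver, HookedDriver):
        print(cls.__name__, run_scenario(cls))
```

With the honest driver both checks pass. With the hooked driver the workstation check still passes, because the hook strips its own changes on the way back, while the out-of-band check fails and the rogue block is plainly sitting on the controller. The practical caveat is the same as in the real case: a checksum computed on the machine that does the talking is only as trustworthy as that machine.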

This is the point: no one has seen anything like it before. Of course, we’ve heard stories. Only last month it was reported that the 2008 crash of a Spanish passenger jet, which killed 154 people, may have been linked to a virus.

But this Stuxnet thing seems to be on a whole new level. It seems to be very deliberately targeted at one facility, and makes complex modifications to the control system once it finds it. It used four previously unknown weaknesses in Windows to burrow its way inside, and it installs its own device drivers, something that should not be possible, because Windows expects drivers to carry a valid digital signature. Stuxnet’s did, because they had been signed with certificates stolen from two legitimate hardware companies.

And it’s happening in real time. Computers have been infected in Indonesia, India, Iran and now China. Boffins are studying it and may well be studying it for years to come. It may also have already done what it was meant to do; we may never know. One of the key vulnerabilities the worm used was first publicized in April 2009 in an obscure Polish hacker’s magazine. The number of operating centrifuges at Iran’s main nuclear enrichment plant at Natanz fell significantly a few months later, and the head of Iran’s Atomic Energy Organization resigned in late June 2009.

All this is guesswork, and very much smoke and mirrors. Israel, perhaps inevitably, has been blamed by some: after all, it has its own cyber warfare division, Unit 8200, and is known to have been interested, like the U.S., in stopping Iran from developing any nuclear capability. And researchers have found supposed clues inside the code: the word myrtus, Latin for myrtle, in a file path, which may or may not refer to the Book of Esther, which tells of a Persian plot against the Jews, and the string 19790509, which may or may not be a nod to Habib Elghanian, a Jewish-Iranian businessman who was accused of spying for Israel and executed in Iran on May 9, 1979.

Frankly, who knows?

The point of all this is that we’re entering uncharted territory. It may all be a storm in a teacup, but it probably isn’t. Behind all this is a team of hackers who not only really know what they’re doing, but know what they want to do. And that is to move computer viruses out of our computers and into machinery. As Sam Curry of security company RSA puts it:

This is, in effect, an IT exploit targeted at a vital system that is not an IT system.

That, if nothing else, is reason enough to look nostalgically back on the days when we didn’t wonder whether the machinery we entrusted ourselves to was infected.

The Trojan That Never Was


How not to handle a PR debacle, Part 767:

Avast, the free antivirus I’ve been using, and recommending, for a while, has lost my confidence by a double whammy: misidentifying pretty much every executable on my computer as a Trojan, and then not telling me about it.

Apparently an update to the software’s virus definitions misidentified a lot of files as containing the Trojan Win32:Delf-MZG, and suggested a boot scan to clear out the infections. Do so, and you’ll likely find Avast deleting a lot of major program files, including those in the Windows directory.

This is bad, because these are what are called false positives, i.e. files that are not infected at all. An update to the Avast virus database created the error, and a further update has, apparently, since corrected it. But not before hundreds, maybe thousands, of users did what I did: boot scan and religiously delete “infected” files.

You won’t, at the moment, know any of this from Avast.

Their blog hasn’t been updated since November 30. There’s nothing on their home page to suggest there’s a problem: the website lists the latest update but gives no hint that anything went wrong.

But do a Google or Twitter search and you get a sense of the frustration.

Twitter is throwing up a tweet every couple of minutes:

[screenshot]

Yahoo! Answers is exhibiting similar frustrations. Even Avast’s own forums are lively with confusion.

The point here is that everyone makes mistakes. But Avast doesn’t seem to have helped its users avoid panic: correcting the problem is only half the job, and the other half is making sure users find out about it easily and quickly.

This is not excusable in the era of the real-time web. Twitter is the obvious channel, but there’s no sign of Avast on its official Twitter feed since November 30 (see screenshot above). Avast should be using every channel it has to reach its users.

Antivirus is just an extreme example: it is an industry used to updating its product on the fly. But security is also about informing users, and Avast, sadly, is not much different from most companies that think they can brush over glitches and pretend they never happened.

A mea culpa is in order, and a promise that this isn’t going to happen again. Crying wolf on viral infections is not good security practice.

Virus Grounds French Fighters

Here’s more evidence of how vulnerable armed forces are to software attacks, intended or not. The French navy’s fighter jets “were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand,” according to the Telegraph:

However, the French navy admitted that during the time it took to eradicate the virus, it had to return to more traditional forms of communication: telephone, fax and post.

Naval officials said the “infection” was probably due more to negligence than a deliberate attempt to compromise French national security. It said it suspected someone at the navy had used an infected USB key.

Last month, you may recall, a virus disrupted computer networks at the British Ministry of Defence.

French fighter planes grounded by computer virus – Telegraph