What's new

US killer spy drone controls switch to Linux

Flame: A glimpse into the future of war
Claims of cyberwar are overblown, but things are definitely heating up in regard to international conflicts where malware is replacing drone strikes.
If you roll your eyes at the term "Digital Pearl Harbor," you have my sympathy. We've been warned about the specter of an enemy attack via bits and bytes for several decades, with no real evidence that this is a realistic possibility and not mere hype.

Still, a new worm that's been spying on infected computers in the Middle East has been called a "cyberweapon," and while we're not talking outright combat, it's clear that malware is increasingly playing a part in geopolitical diplomacy and conflict.

This week brought news of not the first, nor the second, but the third known piece of advanced malware that appears to be government or nation-state sponsored. We have Stuxnet, its simpler cousin Duqu, and now we have "Flame." These three pieces of malware are hard evidence of cyberspying and, in the case of Stuxnet, sabotage of Iran's nuclear program with malware to preempt a military strike, according to a New York Times article based on reporter David Sanger's new book.

The article, which relies on information from unnamed U.S. government sources, confirms long-held speculation that Stuxnet (and likely Duqu) was developed by the U.S., probably in collaboration with Israel. (Israel has denied involvement in both Stuxnet and Flame, while the U.S. has not outright distanced itself from either. Meanwhile, the U.S. Cyber Emergency Response Team says there's no evidence that Flame is related to Stuxnet or Duqu or that it targets industrial control systems. (PDF) And the Department of Homeland Security declined to answer questions about Flame beyond providing this statement: "DHS was notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S.")

How ironic but not at all surprising that Americans have been the ones most vocal in raising the alarms about cyberwar and yet the U.S. may have launched the first cyberstrikes. The U.S. may be a leader in cyber-geopolitical affairs, but it's also a huge target. The U.S. government and private companies have been under attack in the form of electronic espionage, primarily from China, experts and victims say. Source code and other sensitive data has been pilfered in stealth cybermaneuvers conducted against Google, RSA, defense contractors, critical infrastructure operators, and others based on company statements, research in recent government reports, and info from security firms like Symantec and McAfee.

It will take months if not years for researchers to fully dissect Flame, which has been called "the most sophisticated cyberweapon yet unleashed." Infections have been concentrated in Iran and other Middle Eastern countries, and it seems designed mostly for spying. It leaves a backdoor on computers and can be instructed to spread itself via USB thumb drive, network shares, or a shared printer spool vulnerability. It uses various methods of encryption and data compression and has at least 20 different components that are used to command it to do things like sniff network traffic, take screenshots, record audio conversations, log keystrokes, and gather information from nearby Bluetooth devices. Experts believe more modules are in the wild. There are more than 80 command-and-control servers being used to send instructions to infected computers.

The malware isn't an entirely new beast really, and the individual functions aren't uncommon. But the size of the program, the fact that it has so many different functions, and its modularity make it fairly unique. An attacker can mix and match components at will. Flame may have remained hidden for as long as five years. And it could be only the tip of the iceberg; there's no reason to think there haven't been other pieces of malware that have thus far escaped detection, or that have been detected but kept under wraps. Flame's emergence isn't game changing necessarily, but it does give an indication of how far geopolitically motivated malware has come and who might be ahead in that "arms race," as well as give a glimpse of what the future holds.

"Everybody has known for 10 years in government circles that cyberespionage is profitable and that it is happening at an enormous pace. This is confirmation for the public that very sophisticated attacks are prevalent," said Stewart Baker, former assistant secretary of policy at the Department of Homeland Security and now a partner practicing cyberlaw in the Washington, D.C., office of Steptoe & Johnson.

"For most intelligence agencies and governments what is interesting is the specifics of the techniques that are being used. I'm sure there are agencies that are learning a lot from them," Baker warned. "This is bad for sophisticated countries that have secrets to protect, like the U.S. and Western Europe, and for the Chinese and Russians too. And it's probably good for countries like North Korea and Iran that are going to go to school with this tool."

"Stuxnet, Conficker, and Duqu and now with Flame added to that, it suggests we're in a new era here," agreed Scott Borg, director of the nonprofit research institute U.S. Cyber Consequences Unit. "I'm not at all surprised by Flame."

Borg has been following this stuff for a long time. Even before Stuxnet hit the news two years ago, Borg made prescient remarks to the effect that Israel's weapon of choice would be malware that would give the country the ability to interfere with Iran's nuclear program without launching a massive military strike, he identified the uranium enrichment centrifuges as the most likely target and suggested that a contaminated USB stick would be a likely vehicle for sneaking the program into a building, among other predictions that came true with Stuxnet.

According to the New York Times article, the Bush administration turned to malware as an alternative to launching a military strike against Iran and the Obama administration continued with the operation, which was code-named Olympic Games. However, while malware might save lives in the short term, it doesn't mean it's necessarily the safer and smarter choice in the long run, Borg and other experts say.

"Cyber can be a much better alternative," Borg said, noting that the Russian cybercampaign against Georgia in 2008 targeted communication and media sites with Distributed Denial of Service attacks and spared them from air strikes. "That's an example where a cyberstrike was less destructive and a more humane way to carry out a mission," he said.

Related stories

Behind the 'Flame' malware spying on Mideast computers (FAQ)
Obama takes cyberwarfare to new level, report says
Flame virus could attack other nations
Wording in cyberwar bill begs question: Who's in charge?

But there's nothing to stop an aggressor from using both online and offline attacks. "If you are planning drone strikes, what better intelligence could you ask for than a tool that will turn on a camera and microphone of a machine in your enemy's possession to let you know who is there and what is going on?" Borg said.

One big problem with Flame is that the malware authors didn't use code obfuscation, which means it can easily be dissected and re-used by any organization with some advanced programming skills and experience, which would include a large number of nation-states and terrorist groups, according to Borg. Stuxnet can be (and likely has been) reverse engineered, but its limited functions make it less of a danger. "That's a terrible mistake" on the part of the creators, Borg said. "This is a general purpose tool. It has a lot of modules that will do a lot of things... This is not a good thing to have released into the world in a form that is decipherable."

Even though Flame doesn't initially appear to be designed for sabotage, there may be components in the wild that would give it that function. "If it's that sophisticated, it can probably have physical manifestations as well," said Greg Garcia, principal of the Garcia Cyber Partners consulting firm and a former assistant secretary of cybersecurity at the Department of Homeland Security. "It could have consequences that are even broader and potentially more deadly than a drone strike if you think about infiltrating and corrupting control systems that are managing critical operations, whether it's electrical grids, water purification, or transportation systems."

Garcia speculated that Flame could have been meant to send a message, a sort of muscle flexing exercise. "It might be probes for the purpose of reducing confidence in the information systems of certain networks," he said. "We're watching you and you're not safe." But Borg doesn't buy the psychological ops theory. "It doesn't fit the way it was deployed, the thoroughness of the way it was erased (from machines to cover its tracks), the limited number of machines" it infected, he said.

Borg declined to speculate which country is behind Flame but said he suspects it was created by "friendly forces." "The countries capable of writing these kinds of tools, the short list is: China, Russia, U.S., Britain, Germany, Israel, and probably Taiwan," he said. The code, which at 20 megabytes is huge compared with Stuxnet and other malware, most likely required hundreds of people to be working on it for many months, he said.

The very elements that make cyberattacks launched by groups like Anonymous and other hackers problematic as forms of political protest -- the inability to prove who did it and for anyone to take credit for it -- make these cyberactions by governments problematic too. These stealth cyberattacks not only may result in unintended consequences and victims but they also may fail to serve as a deterrent or as bargaining sticks.

"Do the same rules (of war) apply in cyberspace?" Columbia University computer science professor Steven Bellovin wonders in a blog post. "One crucial difference is the difficulty of attribution: It's very hard to tell who launched a particular effort. That in turn means that deterrence doesn't work every well."

Each new cyberthreat or incident launched by a purported government or nation-state will set the course for this debate. The Internet is redefining our lives and actions in unexpected ways -- e-commerce has put storefronts out of business, e-mail has made fax machines obsolete, smartphones have changed the face of photography and personal communications, and Facebook has evolved the notion of a "friend." New digital capabilities can also help people do more harm to each other in times of conflict or avoid physical suffering.

"We have been talking in the government and the Department of Defense about what constitutes cyberoffense in the 21st century and what are the boundaries," said Garcia of Garcia Cyber Partners. "I think those boundaries are going to be slowly defined by default and in practice, and maybe this is going to be one of those indicators."

Don't expect the Stuxnet-Duqu-Flame triumvirate to scare anyone straight though. The perception of threat or possibility for danger in cybersecurity hasn't been enough in the past to merit much action on the part of responsible parties, be they electricity providers or the untold corporate networks that are hacked daily. "There is no shortage of information that says we have a problem," said Herb Lin, chief scientist at the Computer Science and Telecom Board at The National Academies. "People like me have been complaining about the fact that Stuxnet was possible for 20 years and nobody listened. Is this enough of a wakeup call? Maybe. But there have been a lot of other wakeup calls and people just put the snooze button back on."

No doubt, more theories about Flame will be coming out in the future as additional technical information is unveiled. Kaspersky Labs has scheduled an online news conference for 6 a.m. PT on Monday to reveal new forensics it has done on the malware's command-and-control infrastructure used for communication between the attackers and the infected computers.
l

Cyber Spy Program Flame Compromises Key Microsoft Security System
The cyber espionage super bug Flame compromised a key Microsoft security system, the company has now revealed, prompting Microsoft to issue an emergency patch to its millions of customers because of fears of what one expert called potential "collateral damage" from the U.S. and Israel's cyber war against Iran.

In an alert issued late Sunday, Microsoft told customers that the authors of Flame -- a highly sophisticated surveillance computer virus discovered on networks in the Middle East and Iran -- had figured out how to use Microsoft's own security system to forge digital security certificates, which then allowed the malicious code to spread undetected by anti-virus programs. Digital certificates are in part designed to authenticate interactions online and help protect computer networks from being accessed by unauthorized users.

Microsoft fixed the security breach, but was also forced to add the compromised certificates to its own growing list of "untrusted" certificates.

Microsoft said that since Flame was such a precisely targeted attack, a vast majority of customer systems that use digital certificates -- which includes U.S. government and financial institutions -- were not in danger of being infected, but said it had to take action because the same technique could be used by other "less sophisticated attackers to launch more widespread attacks."

While no country or group has taken responsibility for Flame, cyber security experts who have analyzed the code said it appears to be the latest volley in an advanced cyber campaign targeting Iran and was most likely developed by a wealthy nation-state -- leading many to suspect the involvement of the U.S. or Israeli governments. Five different U.S. government agencies declined to comment to ABC News about those allegations and the Israeli government has reportedly denied any link to the virus.

Former White House counter-terrorism advisor and ABC News consultant Richard Clarke said that the possible future attack that Microsoft warned about is the inevitable collateral damage seeping out from the Iran campaign.

"This may be an example of how U.S. and Israeli cyber war has the blowback effect that threatens the security of American networks," said Clarke, author of "Cyber War."

Clarke initially raised concerns about the hidden risks of cyber war in early 2010 after researchers discovered Stuxnet, an unprecedented offensive cyber weapon that is believed to have physically damaged an Iranian nuclear facility. Stuxnet's complexity stunned and concerned experts including Michael Assante, President of the National Board of Information Security Examiners of the U.S., who told a Congressional committee in 2010 that after it was revealed, Stuxnet could serve as a "blue print" for other groups hoping to replicate part or all of that weapon.

READ: Beware the Cyber War Boomerang?

A Congressional report compiled in 2010 warned, "It is widely believed that terrorist organizations do not currently posses the capability or have [not] made the necessary arrangements with technically savvy organizations to develop a Stuxnet-type worm. However... Stuxnet's design revelations may make it easier for terrorist organizations to develop such capabilities in the future."

Last week The New York Times reported that Stuxnet was a product of America's long-term cyber campaign against Iran and President Obama was personally concerned about the damage Stuxnet could do after it accidentally seeped online and started replicating around the world.

Researchers at the Russia-based cyber security firm Kaspersky Labs who were among the first to analyze Flame said similarities to Stuxnet in technique and targeting have led them to believe that the two were developed by the same entity as parallel projects.

The same day Microsoft revealed their security breach, the Israeli military made an unusual public announcement, saying they have "been engaged in cyber activity consistently and relentlessly, gathering intelligence and defending its own cyber space."

"Additionally if necessary the cyber space will be used to execute attacks and intelligence operations," Sunday's announcement said.

Obama Order Sped Up Wave of Cyberattacks Against Iran
WASHINGTON — From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.
Hasan Sarbakhshian/Associated Press



Mr. Obama decided to accelerate the attacks — begun in the Bush administration and code-named Olympic Games — even after an element of the program accidentally became public in the summer of 2010 because of a programming error that allowed it to escape Iran’s Natanz plant and sent it around the world on the Internet. Computer security experts who began studying the worm, which had been developed by the United States and Israel, gave it a name: Stuxnet.

At a tense meeting in the White House Situation Room within days of the worm’s “escape,” Mr. Obama, Vice President Joseph R. Biden Jr. and the director of the Central Intelligence Agency at the time, Leon E. Panetta, considered whether America’s most ambitious attempt to slow the progress of Iran’s nuclear efforts had been fatally compromised.

“Should we shut this thing down?” Mr. Obama asked, according to members of the president’s national security team who were in the room.

Told it was unclear how much the Iranians knew about the code, and offered evidence that it was still causing havoc, Mr. Obama decided that the cyberattacks should proceed. In the following weeks, the Natanz plant was hit by a newer version of the computer worm, and then another after that. The last of that series of attacks, a few weeks after Stuxnet was detected around the world, temporarily took out nearly 1,000 of the 5,000 centrifuges Iran had spinning at the time to purify uranium.

This account of the American and Israeli effort to undermine the Iranian nuclear program is based on interviews over the past 18 months with current and former American, European and Israeli officials involved in the program, as well as a range of outside experts. None would allow their names to be used because the effort remains highly classified, and parts of it continue to this day.

These officials gave differing assessments of how successful the sabotage program was in slowing Iran’s progress toward developing the ability to build nuclear weapons. Internal Obama administration estimates say the effort was set back by 18 months to two years, but some experts inside and outside the government are more skeptical, noting that Iran’s enrichment levels have steadily recovered, giving the country enough fuel today for five or more weapons, with additional enrichment.

Whether Iran is still trying to design and build a weapon is in dispute. The most recent United States intelligence estimate concludes that Iran suspended major parts of its weaponization effort after 2003, though there is evidence that some remnants of it continue.

Iran initially denied that its enrichment facilities had been hit by Stuxnet, then said it had found the worm and contained it. Last year, the nation announced that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said that the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” But there has been scant evidence that it has begun to strike back.

The United States government only recently acknowledged developing cyberweapons, and it has never admitted using them. There have been reports of one-time attacks against personal computers used by members of Al Qaeda, and of contemplated attacks against the computers that run air defense systems, including during the NATO-led air attack on Libya last year. But Olympic Games was of an entirely different type and sophistication.

It appears to be the first time the United States has repeatedly used cyberweapons to cripple another country’s infrastructure, achieving, with computer code, what until then could be accomplished only by bombing a country or sending in agents to plant explosives. The code itself is 50 times as big as the typical computer worm, Carey Nachenberg, a vice president of Symantec, one of the many groups that have dissected the code, said at a symposium at Stanford University in April. Those forensic investigations into the inner workings of the code, while picking apart how it worked, came to no conclusions about who was responsible.

A similar process is now under way to figure out the origins of another cyberweapon called Flame that was recently discovered to have attacked the computers of Iranian officials, sweeping up information from those machines. But the computer code appears to be at least five years old, and American officials say that it was not part of Olympic Games. They have declined to say whether the United States was responsible for the Flame attack.

US Navy buys Linux to guide drone fleet
The US Navy has signed off on a $27,883,883 contract from military contractor Raytheon to install Linux ground control software for its fleet of vertical take-off and landing (VTOL) drones.

The contract covers the Naval Air Station at Patuxent River in Maryland, which has already spent $5,175,075 beginning to install Linux systems. The no-bid contract was awarded to finish the work and get the Navy's drone fleet fully operational using a Linux backbone.

The Navy's only listed VTOL drone is the Northrup-Grumman MQ8B Fire Scout, which is designed to be carried by frigates and to provide electro-optical and infrared reconnaissance over a range of 110 miles, while allowing five hours on station. The Navy plans a fleet of 168 of the drones; some are currently deployed scouting-out drug shipments in the Caribbean, but can also be fitted 70mm rockets as needed for other missions.
US Navy MQ8B Fire Scout

US Navy Fire Scout scouts and fires

While the US military has been a growing user of Linux, the contract might also have something to do with the swabbies learning from the mistakes made by the flyboys and girls in the US Air Force. After a malware attack on the Air Force's Windows-based drone-control system last year, there has been a wholesale move to Linux for security reasons.

"If I would need to select between Windows XP and a Linux based system while building a military system, I wouldn't doubt a second which one I would take," F-Secure's security researcher Mikko Hypponen pointed out at the time.

As for those worried over GPL licensing, the US Department of Defense is well ahead of you. The DOD has already issued guidelines on the use of open source code in its systems, and says the matter is in hand.

"The US government can directly combine GPL and proprietary/classified software into a single program arbitrarily, as long as the result is never conveyed outside the U.S. government, but this approach should not be taken lightly," it states. "When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the US government.)
 
.
After letting loose Stuxnet and Flame, they are now preparing for retaliations??
 
.

Latest posts

Pakistan Defence Latest Posts

Back
Top Bottom