01 November 2009

CyberSecurity Weekend roundup for 1st November 2009

There have been quite a few security and risk-related stories this past week, which raise all sorts of questions about public perception of the theme of CyberSecurity.

Let's start with this one: http://www.wired.com/threatlevel/2009/10/gawker/

To summarise, a well-organised criminal gang is using paid advertising to distribute its malware through popular, respectable web sites. One of the challenges facing malware distributors is how to get the ordinary person (who wouldn't visit a dodgy web site) to become infected. The answer is to be included in a popular web site (which Gawker certainly qualifies as) as part of its advertising, then use a known Adobe vulnerability to foist the payload on the unsuspecting victim.

The fake ads, ostensibly from Suzuki, caused browsers to crash and malware to be installed. Gawker have published their correspondence with the fakers, showing them to be skilled and knowledgeable in the media business -- not obvious script kiddies or foreigners with poor English. A similar scam targeted the New York Times recently.

In fact, the hackers were displaying quite competent social engineering techniques (including registering plausibly-near domain names for their email responses), in order to get an opportunity to deliver their payload. This is an excellent example of a blended attack -- social engineering, plus an exploit of a known vulnerability in Flash, plus a malware solution to be later used to steal identities and gain access to accounts and funds. In my view, this shows a high degree of coordination and professionalism, which is becoming a dominant characteristic of modern Cyber criminals -- and suggests a degree of specialization, and also possibly separate commercial illegal entities working together for fun and profit.

The second story, also from Wired, suggests that there is something of a disconnect between security planning and technology procurement, particularly in the energy sector.

It is well known that years of neglect and under-investment have left the US power distribution infrastructure in a vulnerable and delicate state (although not as bad as many other countries).

According to the article,
“Smart grid” refers to the transition from the current, outdated power-grid infrastructure to a more technologically advanced structure that allows expanded real-time monitoring and energy delivery that’s more efficient and cost effective for utilities and consumers. The technology promises to solve a number of problems, but it also (as the Illinois press release states) could “introduce new problems, such as increasing the vulnerability to cyber attack as power grid resources become increasingly linked to the internet.”


One of the challenges of engineering new technology (such as the Smart Grid concept, with its intelligent monitoring) is to ensure that adequate security mechanisms are designed-in from the beginning, rather than being an afterthought -- much as UNIX had security pretty much from the beginning, while Windows security was very much bolted on later.

For me, CyberSecurity in the critical infrastructure protection business must be Job #1 -- to ensure that by design, the infrastructure is built with adequate redundancy and resilience, able to cope with multiple cascade failures, extremes of weather and malicious attack. The big issue here is only partly one of cost -- because make no mistake, anticipating and mitigating all possible risks can be expensive -- but it is also one of mindset. Where huge investments are being made, those with a responsibility to make associated decisions need to take into account risks of sabotage, insider attacks and even simple human error -- all of which have in the past caused serious problems, with associated loss of life.

Following up on this year's attacks apparently from North Korea, South Korea's spy agency has reported that the origin has indeed been traced back to that country.

Personally, I am not convinced. It's far too easy for competent hackers to mask their IP addresses through a long chain of anonymous proxies, which would then be programmed to wipe out all traces long before the attack has finished. It's a little too convenient for the South Korean intelligence officials to be able to attribute such an attack to North Korea -- although Occam's Razor does suggest it is the most likely party to want to commit such attacks.

I guess the issue for me here is whether such attacks are truly useful to a State actor such as North Korea -- even one so vilified and long associated with funding terrorism and "dirty tricks." At the most, I see this as a "me too" operation, where the NORKs are reading press reports about the "big boys" engaging in CyberWarfare investment and training, and deciding that they want to play too as a matter of national prestige, much as they joined the informal "Nuclear Club" by detonating a low-yield nuclear weapon.

These days, the capabilities being exercised by state actors and non-state actors seem to be converging. For example, a recent UN investigation into the legality of the US use of drones to carry out "targeted killings" raises some questions (beyond those of customary international law) about whether such use of force is a terrorist act, when not carried out in the theater of war.

Legally (and I'm no scholar of law), I wonder if the UN-sanctioned war action in Afghanistan can justify killings that cross the border in Pakistan -- even if it's compellingly clear that "terrorists" are well-ensconced in that region, and actively participating in actions that clearly deserve the label of terrorism.

My thinking here though is more about the fact that many other countries are deploying their own versions of these UAVs, some of which include ordnance capable of destroying cars or buildings. How long will it be before non-state actors (i.e., the local Al-Qaeda cell) are signing up for model-aeroplane classes, and buying Chinese UAVs on the black market to act as delivery systems for their Weapon of Mass Destruction Du Jour?

Now some old news -- which I guess will now be part of history. François Mitterrand, the French president who committed a terrorist act in 1985, complained that Margaret Thatcher blackmailed him with the threat of a nuclear strike in South America in order to get the disable codes for the French-designed Exocet missiles being used by the Argentinians against the British.

This is an interesting story from the point of view that weapons systems often may have a built-in "kill switch" that may be used by their designer to disable their operation -- a concern shared by the Pentagon. As an article in IEEE Spectrum suggested, it seems likely that the Israelis successfully used something similar in 2007, when their jets bombed a suspected Syrian nuclear installation -- and the Syrian radar seemed to mysteriously malfunction, or go offline. Of course, the techniques of electronic warfare, jamming, and sending spurious "ghost" signals have been widely known since the Cold War, but it's tempting to wonder just how many Trojan Horses remain covertly buried deep in the electronic bowels of the weapons systems that we still depend upon.

Some of the examples given include:
  • In 2004, Thomas C. Reed, an Air Force secretary in the Reagan administration, wrote that the United States had successfully inserted a software Trojan horse into computing equipment that the Soviet Union had bought from Canadian suppliers. Used to control a Trans-Siberian gas pipeline, the doctored software failed, leading to a spectacular explosion in 1982.
  • Crypto AG, a Swiss maker of cryptographic equipment, was the subject of intense international speculation during the 1980s when, after the Reagan administration took diplomatic actions in Iran and Libya, it was widely reported in the European press that the National Security Agency had access to a hardware back door in the company’s encryption machines that made it possible to read electronic messages transmitted by many governments.
  • According to a former federal prosecutor, who declined to be identified because of his involvement in the operation, during the early ’80s the Justice Department, with the assistance of an American intelligence agency, also modified the hardware of a Digital Equipment Corporation computer to ensure that the machine — being shipped through Canada to Russia — would work erratically and could be disabled remotely.