29 September 2010

2010: Weaponized Cyberwar has arrived

The recent series of reports on the Stuxnet worm shows that Information Security specialists are facing a whole new order of threats, none of which were unexpected. Hidden inside its 600 kb payload are all sorts of tricks and traps, which have amazed and impressed every researcher who's looked into it.

First, this is not a normal worm. It uses something known as "zero-day" vulnerabilities -- undisclosed or as yet undiscovered vulnerabilities, usually found in Windows or its associated software (Adobe Flash and Acrobat have been particularly egregious in this regard.)

Unlike most other malware, however, Stuxnet deploys (according to Symantec) a total of four new zero-day defects in Windows -- a major achievement for any virus. But it doesn't stop there -- in addition, it includes two stolen certificates used to sign drivers, taken from a couple of Taiwanese manufacturers.

Recent research suggests that Stuxnet also hides itself among specialized files (known as Siemens SIMATIC Step 7), and even after being cleaned using regular techniques, it can re-infect PCs which use such software.

Why Step 7? Because this malware is highly targeted -- it focuses its effort on reaching Windows PCs with attached PLCs -- Programmable Logic Controllers, which are heavily used in industrial control processes, power plants -- and not surprisingly, nuclear laboratories.

This has led many commentators to suspect that the target of Stuxnet is one very specific and highly sensitive location -- the Bushehr nuclear power plant in Iran. This view is supported by the analysis of Symantec's Patrick Fitzgerald, whose team found that 58.8 per cent of infections were in Iran, 18.2 per cent in Indonesia, 8.3 per cent in India, 2.6 per cent in Azerbaijan and 1.6 per cent in the US.

Furthermore, the payload for this worm is heavily customized to focus on one very specific configuration of PLC logic -- to the extent that the PLC will be ignored if it doesn't match exactly. What this implies is that a particular target was in mind. It's only speculation, but it could be linked to nuclear centrifuges, or critical cooling systems associated with the production of nuclear fuel.

Why, and more importantly, who has the capability and the motivation to do something like this? The sophistication of Stuxnet strongly suggests we are dealing with a small, highly skilled team, using intelligence about a specific target. Furthermore, this team has the resources to buy or independently discover four new zero-day vulnerabilities (which are valuable items in underground hacking markets), as well as to steal two signing certificates.

The only logical conclusion is a government-based cyberwar team. The likely candidates are the USA (CIA or NSA) and Israel (Mossad or IDF Unit 8200) -- both of whom are likely to wish to disrupt Iranian nuclear developments. We'll probably never know for sure, but there does seem to be a strong correlation of the worm's spread with delays in Bushehr's operations.

Why is this significant? Well, it exposes several well-known risks, and some new ones. First, Siemens' reluctance to change default passwords for its software, fearing collateral damage due to stupid administrators. Secondly, one of the primary vectors for infection was the AUTORUN "feature" of Windows, meaning that every USB key inserted into a computer is a potential plague vector (which also provides a way to infect computers not attached to the Internet.)

The biggest risk here in my view is that we have been given a glimpse of the future of Cyberwar -- a threat which I have in the past considered negligible, but now think is starting to build. It's as if we are snorkeling just below the surface on a peaceful blue ocean, and have just seen a great monster in the depths below us, rising out of the darkness. This monster is military-grade cyberwar, and the consequences will be more investment in such weapons, and potential collateral damage as the titans of the deep struggle together.

28 February 2010

Wi-fi Hacking

Check out this SlideShare Presentation, about the problems and risks associated with Wi-Fi.

24 January 2010

ADB driver for Android development

I've been getting into Android development recently, and while the development environment includes an emulator, it's not quite as efficient as using the real thing. Until now, I've been building a run configuration which creates an external APK, then I've transferred that to my HTC Dream and used Linda Manager to install it.

What I'm testing now is the USB ADB interface. I saw this being used in a Google developer video, and it looks rather cool, although it was tricky to install.

These are the steps I used:

1) Inside the Eclipse environment, go to the Window/Android SDK menu option. Select Available Packages, and download the USB Driver Package, revision 3.

2) Go into Control Panel, select your Android phone's driver (or let Windows detect the phone afresh if it hasn't been detected already), and select the file android_winusb.inf (which on my system lives in the path C:\Documents and Settings\Administrator\Desktop\android-sdk_r04-windows\android-sdk-windows\usb_driver). Install that, and reboot Windows. (I'm also going to test this with OSX when I change to a Macbook Pro next month for development.)

3) Ensure you have set android:debuggable="true" in the AndroidManifest.xml of your application.

4) In the Settings/Applications/Development menu of your Android phone, set USB debugging to true.

5) Now, when choosing your Run Configuration in Eclipse, the Device Chooser should list a new entry, assuming your phone is plugged in via a USB cable.

The result of this is that ADB can now directly update and run new applications on the fly on your own phone!
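As an added example (not code from the original post), here is a small POSIX shell script that checks the two things steps 3 and 4 depend on before pushing an APK over ADB: that a real phone is attached in the "device" state, and that the manifest actually carries the debuggable flag. The `adb devices` output and the manifests are constructed stand-ins; the script assumes adb is on the PATH only when `install_debug_build` is run for real.

```shell
#!/bin/sh
# Added example, not part of the original post. Sanity checks around the
# "USB debugging" step and the android:debuggable flag before installing an APK.
# Assumptions: adb is on PATH when run for real; the sample data below is
# constructed, not captured from an actual phone.

# Constructed stand-in for the output of `adb devices`: one phone with USB
# debugging enabled (state "device") and one emulator that is offline.
SAMPLE_ADB_DEVICES=$(printf 'List of devices attached\nHT9CXXXXXXX\tdevice\nemulator-5554\toffline\n')

# Constructed debug-build manifest with the flag from step 3 set.
SAMPLE_DEBUG_MANIFEST='<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo" android:debuggable="true"></application>
</manifest>'

# The same manifest with the flag removed, as a release build should be.
SAMPLE_RELEASE_MANIFEST='<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <application android:label="Demo"></application>
</manifest>'

# Succeeds when at least one physical (non-emulator) device is attached in
# the "device" state, i.e. USB debugging is on and the driver is working.
# Any other state ("offline", or "unauthorized" on later Android versions)
# means the Eclipse Device Chooser will not offer the phone either.
adb_device_ready() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 == "device" && $1 !~ /^emulator-/ { found = 1 }
                            END { exit found ? 0 : 1 }'
}

# Succeeds when the manifest carries android:debuggable="true". Right for a
# development build; a release APK should fail this check, because the flag
# lets anyone with USB access attach a debugger to the app and read its data.
manifest_is_debuggable() {
  printf '%s\n' "$1" | grep -q 'android:debuggable="true"'
}

# Install over ADB only when both checks pass for a debug build.
# Usage: install_debug_build path/to/app-debug.apk path/to/AndroidManifest.xml
install_debug_build() {
  manifest_is_debuggable "$(cat "$2")" || { echo "manifest is not a debug build"; return 1; }
  adb_device_ready "$(adb devices)" || { echo "no phone in 'device' state"; return 1; }
  adb install -r "$1"
}
```

Running the same manifest check against the release build before uploading it is a cheap way to make sure the debuggable flag from step 3 never ships.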

16 January 2010

Spanish, Gender and Computers

Something a little lighthearted for this bleak Saturday morning...

A Teacher was explaining to her class that in Spanish, unlike English, nouns are designated as either masculine or feminine. 'House' for instance, is feminine: 'la casa.' 'Pencil,' however, is masculine: 'el lapiz.'

A student asked, 'What gender is 'computer'?'

Instead of giving the answer, the teacher split the class into two groups, male and female, and asked them to decide for themselves whether 'computer' should be a masculine or a feminine noun. Each group was asked to give four reasons for its recommendation.

The men's group decided that 'computer' should definitely be of the feminine gender ('la computadora'), because:
1. No one but their creator understands their internal logic;
2. The native language they use to communicate with other computers is incomprehensible to everyone else;
3. Even the smallest mistakes are stored in long term memory for possible later retrieval;
4. As soon as you make a commitment to one, you find yourself spending half your paycheck on accessories for it.

The women's group, however, concluded that computers should be Masculine ('el computador'), because:
1. In order to do anything with them, you have to turn them on;
2. They have a lot of data but still can't think for themselves;
3. They are supposed to help you solve problems, but half the time they ARE the problem;
4. As soon as you commit to one, you realize that if you had waited a little longer, you could have gotten a better model.

The women won...

06 January 2010

Thoughts on airport security

After traveling to the USA this week, and seeing the security measures first hand, I am concerned that they remain largely ineffective, and mostly constitute window-dressing. It's as if someone said: "We have to do something." And then they did something, or anything which might help.

In my view, a sophisticated and determined attacker can easily bypass the current measures, even with the new backscatter scanners. This article in the UK's Independent newspaper suggests some serious issues with the technology, and questions whether it is really fit for purpose.

A basic knowledge of the technology suggests that such systems are interested only in detecting explosive material with relatively high density. Since thin cloth (such as clothing) is transparent, then the obvious response by attackers will be to create thin layers of some suitable material, impregnate it with PETN, then stitch it into clothing. The bomber then simply needs to remove the item of clothing (for example, a turban or sari), and wrap it into a very tight bundle to increase density.

Remember, we don't need much more than 80 grams to disrupt structural integrity, according to some tests.

What about the detonator? Well, it should be recalled that many laptop batteries have been recalled by the manufacturer for their tendency to spontaneously ignite. I would think that an ingenious terrorist might find a way to rig a laptop battery to function as some form of detonator -- even while powering a laptop sufficiently to show that it works if TSA screeners become suspicious. Of course, laptops themselves have lots of places where high-density materials might be stored internally.

There isn't really an easy answer here. I suspect the TSA has many good people working on this, and are doing the best they can. However, I tend to agree with the cynical view that only two things have significantly improved airplane security in the past ten years: locks on cabin doors, and a recognition by passengers that they may well need to take matters into their own hands if a situation arises -- as one brave Dutchman did on Christmas day in the skies near Detroit.

03 January 2010


I began my journey to St. Louis at 5 a.m. this morning. All went smoothly, despite long queues at Vienna's Schwechat Airport. The sunrise over a sea of cloud was beautiful. I'm now waiting for my next flight.

I am taking photos, and will be blogging regularly on this trip. I will be in St. Louis for two months, where I will be teaching a couple of courses at Webster University -- Telecommunications and Mathematics for Computer Science. I'm also working on some software ideas, which I'd love to see implemented on the Android environment.

Here's a poem by the Welsh poet Dylan Thomas, which has long been a favourite of mine:

Do not go gentle into that good night,
Old age should burn and rave at close of day;
Rage, rage against the dying of the light.

Though wise men at their end know dark is right,
Because their words had forked no lightning they
Do not go gentle into that good night.

Good men, the last wave by, crying how bright
Their frail deeds might have danced in a green bay,
Rage, rage against the dying of the light.

Wild men who caught and sang the sun in flight,
And learn, too late, they grieved it on its way,
Do not go gentle into that good night.

Grave men, near death, who see with blinding sight
Blind eyes could blaze like meteors and be gay,
Rage, rage against the dying of the light.

And you, my father, there on the sad height,
Curse, bless me now with your fierce tears, I pray.
Do not go gentle into that good night.
Rage, rage against the dying of the light.