Tag Archive | Stuxnet

Stuxnet Attack on Iran was Illegal? Read more inside…

The North Atlantic Treaty Organization’s (NATO) researchers have uncovered a serious reality in the Stuxnet case against Iran (brought on by the US and Israel). NATO’s researchers call it an “act of force”, which was apparently an illegal move.

“Acts that kill or injure persons or destroy or damage objects are unambiguously uses of force” and likely violate international law, according to the Tallinn Manual on the International Law Applicable to Cyber Warfare, a study produced by international legal experts at the request of NATO’s Cooperative Cyber Defense Center of Excellence in Estonia.

Apparently, it is prohibited, “according to the U.N. charter, the use of force is prohibited, except in self-defense,” says Michael N. Schmitt, a lead author on The Tallinn Manual on the International Law Applicable to Cyber Warfare.

According to the Washington Times, The international group of researchers who wrote the manual were unanimous that Stuxnet — the self-replicating cyberweapon that destroyed Iranian centrifuges that were enriching uranium — was an act of force, said Mr. Schmitt, professor of international law at the U.S. Naval War College in Newport, R.I.

Also, the article stated that neither Israel nor the United States has publicly acknowledged being behind Stuxnet, but anonymous U.S. national security officials have told news outlets that the two countries worked together to launch the attack, which set the Iranian nuclear program back as much as two years, according to some estimates.

A manual produced by 20 researchers in NATO, as well as some legal scholars and senior military lawyers, details 300 pages worth of important cybersecurity analysis.

“We wrote it as an aid to legal advisers to governments and militaries, almost a textbook,” Schmitt told the paper. “We wanted to create a product that would be useful to states to help them decide what their position is. We were not making recommendations, we did not define best practice, we did not want to get into policy,” he said.

More detailed investigation is probable in this matter.

Another missing link in Stuxnet Reveals Earlier Infection Time

Stuxnet, the government malware believed to have been created by a dual-venture of the US and Israel, and the one used to attack the Iran nuclear enrichment facility, is now believed to have an earlier attack link. It is believed now that sometime in 2008 was when the facility may have been in progress of attacks from Stuxnet.

Iran leaders met in Kazakhstan this week to discuss with members of the UN Security Council the nuclear program. The researchers there announced a new variant of the sophisticated Stuxnet cyberweapon.

Some have noted that the US and Israel may have partnered way before doing similar activities to try to take down the nuclear enrichment program in Iran.

The new variant was designed as a different attack vector against the centrifuges for the uranium enrichment program, versus later versions released. This “new variant” was apparently released in 2007. Here we are six years later, knowing the discovery of such variant. This shows that the current versions of Stuxnet were made in 2009, which means this variant now recognized predated the original code that researchers found. Therefore, its first version may have been in 2007. That tells security experts this: Stuxnet was attacking much earlier than previously thought.

Still to make a rebuttal, Iran is awaiting and planning new cyberwarriors, which can construct cyberattacks and cyberterrorism on the US.

Looking in the code of the 2007 version, it was used for Siemens PLCs, which are used in the Iran nuclear enrichment program in Natanz. It was aimed at sabotaging the valves’ operations, by controlling the flow of uranium.

The list of new information goes on. According to Wired Magazine, the new finding, described in a paper released by Symantec on Tuesday (.pdf), resolves a number of longstanding mysteries around a part of the attack code that appeared in the 2009 and 2010 variants of Stuxnet but was incomplete in those variants and had been disabled by the attackers.

Will 2013 Be a Challenging Year for Computer Security?

Much of the attention in 2013 in computer security will be mainly focused on industrial control systems (ICS), Android, and the all new Windows 8 OS. With the dealings of malware like Stuxnet and other government threats, to the normal hackers and attackers on consumer devices – it will be a challenge in both business and consumer markets.

Supervisory software runs on dedicated workstations and programmable hardware devices, and this is called a control system. They’re used to monitor and control many different operations, such as power grids, trains, airplanes, water distribution systems, military installations, and many more. Many times, control systems are used in critical infrastructures, especially systems for big populations that depend on electricity, clean water, transportation, etc.

Many worries that we’d be watching in 2013 that other security authorities are watching as well include the rise of more government malware. Especially, when it comes to control systems, which are believed to be widely targeted and surveyed.

For other problems to be faced include intense rises of mobile malware, particularly in the Android marketplace. The problem is that Android malware is becoming more widespread. It looks like hackers are retrying some old methods of Windows operating system exploitation on Android devices. This can prove to become a big problem to watch out for.

The big issue with Android attacks also seems to point at privilege escalation attacks, which like to work through malicious apps installed by the user to gain root access and take control of the device. With hundreds of millions of Android devices already infected since its birth, the size of botnets have gotten to be big, and there may still be a lot of devices infected.

Also, keep in mind that when you use a smartphone, you’re leaking a lot of information. This is mainly through App usage, which most of them collect a bit of data from your phone. It isn’t exactly personally-identifiable information, however, it’s enough to make some people nervous.

Android is very open, and you can download apps from almost anywhere for Android. This is much like Windows OS has been. But, that’s a whole different long story.

Windows 8 will be a challenge for security, because researchers, hackers, security experts, etc. want to get in on testing just how secure it is.

Read more about threats in 2013

Kaspersky secure operating system in production

Kaspersky Lab is currently working on their own operating system from scratch, which includes the ability to help monitor business and government servers, further protecting them from government malware attacks. Government malware include Stuxnet, Flame, Duqu, Gauss, etc.

The whole point of the OS is to protect the various complex industrial systems we see today, especially in government facilities, corporations, and other industrial sectors.

Many government agencies are in fear that their systems/servers are still compromised, and without a good operating system, these systems/servers may still be at risk. Meanwhile, some companies/government facilities are overwhelmed with the idea of having to update their programs, keep patches up-to-date, etc., and also keeping the system continually running. Therefore, a secure operating system is a good plan to be in the works.

Kaspersky Lab held the operating system as a secret for quite a while, but now will be releasing information and updates: “Quite a few rumors about this project have appeared already on the Internet, so I guess it’s time to lift the curtain (a little) on our secret project and let you know (a bit) about what’s really going on,” Eugene Kaspersky, CEO of Kaspersky Lab, said in a blog post.

Apparently, the protocols SCADA (Supervisory Control and Data Acquisition) and PLCs (Programmable Logic Controllers) don’t require authentication to access them, which present a huge security risk. With that in mind, the secure OS will work on making that more of a secure approach.

With these new ideas into a secure OS, it will pave the way for a greater security realm in the industrial, corporate, governmental sectors, etc.

 

Cyberwar continues, Attacks on Iran infrastructure slows Internet access

Various parts of the Islamic Republic were disrupted yesterday (their Internet access) after hackers attacked Iran’s infrastructure and communications companies. “Yesterday we had a heavy attack against the country’s infrastructure and communications companies which has forced us to limit the Internet,” the secretary of the High Council of Cyberspace, Mehdi Akhavan Behabadi, is said by Reuters as having told the Iranian Labour News Agency about the issues.

Some officials claim that their Internet access in Iran is constantly disrupted by cyberattacks, however, the ones yesterday were the most noticeable. This attack would be one of the largest cyberattacks so far, after several gigabytes of traffic overwhelmed the Iranian infrastructure. This is still widely accusative that the US and Israel could be involved, as a response to the nuclear program developed by Iran.

It is noticed also that the cyberwar is heating up for Iran, and that Iran could be constructing counterattacks, such as the recent one against US banks. All of these concentrated attacks are all part of military plans, which are developing “cyber warriors” or a “cyber army”. As always, news about cyberwar will continue to be on this blog.

 

Senator blames Iran for attacks against US banks

US Senator Joe Lieberman blamed Iran for the attacks against US banks last Friday, with thoughts that Iran did so out of revenge for the Stuxnet case. The victims of last week’s attacks included Bank of America and JPMorgan Chase. Although not attacked, speculation is that CitiGroup has been a target over the past year. All of these denial of service campaigns seemed to have begun in late 2011.

In C-SPAN’s taping of “Newsmakers,” Lieberman labeled the recent DDoS attacks against the banks a “powerful example of our vulnerability”.

Now, from the perspective of Lieberman, it makes sense to make such claims. When we reported in June about a potential US and Israeli connection for malwares like Flame and Stuxnet, labeled “Operation Olympic Games”, we saw the counterattack that continued cyberwarfare between Iran and the US (as well as other countries). This could be just one of possibly many counterattacks from Iran, and it’s going to be quite dangerous to companies that are vulnerable to cyberattack.

Cyberattacks will continue with DDoS and other hacks, and it could target almost any major organization around the world. The main idea is to craft the correct cybersecurity strategies, and be aware of any attack vectors (like if there are too many people trying to hack in to the networks). It’s important to learn from issues like this, and be able to adapt the latest strategies for businesses. Which means: If you don’t have a director for information security at your major company, it’s about time to get one and soon!

Keep all of your devices FULLY safe from hackers:

Buy Now!

New TDL4 variant affecting government, ISPs, etc.

TDL4 is the newest type of the TDSS rootkit, which is a classic rootkit malware/virus that has been infecting computers and constructing a botnet since 2006. Now, with its new dangerous properties, it has the ability to sneak in to government agency computers, ISPs, and even popular companies. It uses stealthy properties and exploits to get itself installed, where it can hide itself in a different partition on the computer or create its own partition.

The new threat, which has been assigned the generic name DGAv14 until its true nature is clarified, has affected at least 250,000 unique victims so far, including 46 of the Fortune 500 companies, several government agencies and ISPs, the Damballa researchers said in a research paper released Monday.

In collaboration with researchers from the Georgia Tech Information Security Center (GTISC), the Damballa researchers registered some of the domain names the new threat was attempting to access and monitored the traffic it sent to them.

TDL4, also known as TDSS, is considered to be one of the most sophisticated malware threats ever created and used by cybercriminals – without counting threats like Stuxnet, Flame,Gauss and others that are believed to have been created by nation states for cyberespionage purposes.

TDL4 is part of a category of malware known as bootkits – boot rootkits – because it infects the hard disk drive’s Master Boot Record (MBR), the sector that contains information about a disk’s partition table and the file systems. The code that resides in the MBR is executed before the OS actually starts.

Much of this information pulled from TechWorld.

 

One of the newer partition infections includes a dropper located at c:\windows\svchost.exe

 

Protect your computer from rootkits by the makers of TDSSKiller, Kaspersky Lab for only $59.95 (a $79.95 value):

 

Kaspersky Internet Security 2012

Flame malware command-and-control servers reveal earlier origins, among other links

Government malware, Flame, Stuxnet, etc. is expanding and becoming more of a problem. Computer systems are getting even more inventive, but not at the alarming rate that dangerous malware is expanding. There may be more links other than Stuxnet for Flame.

First, computer systems are created for specific purposes, and have been for about forty years now. However, some of the newer computer systems are created to become like robots, which means that the computer system works on its own without user intervention. But, what happens when malware targets the core computer systems of oil industries, energy companies, military plants, etc.? It can cause dangerous and severe consequences if the system were to become compromised.

Second, the Flame malware became uprising just this past May, where it infected over 1000 computers, according to Kaspersky Lab. The victims of the first attack included governmental organizations, educational institutes, and personal users. Most of the attacks were central over West Asia, including Iran, Israel, Syria, Saudi Arabia, Egypt, among others. Supporting a kill command, which would eliminate all traces of the malware from the computer attacked, this command was sent soon after the malware’s exposure. Right now, there are no reported active infections of Flame, or other variants being created.

However, there are derivatives of the Flame malware being created. We reported a few weeks ago about Shamoon being actively distributed using its skiddie approach. There are other links that were recently found (like Gauss) that can relate Flame to command-and-control usage back to 2006. Which means this Flame project could be as much as 6 years old, or is related to malware from then.

Instead of looking like a botnet interface, the Flame command centers look more like content-management systems (CMS), and have many other new approaches. One of its approaches included the three fraudulent certificates, which Microsoft patched to block them back in June.

More news about the findings and C&C servers were fully unveiled to the recent Flame investigation by Kaspersky Lab and the news from Symantec (PDF). Researchers at Kaspersky Lab state they were suspicious about the findings of a development link to Stuxnet back in June, when communication was eavesdropped between the team.

Some of the key developers behind all of this situation include speculation of the US & Israel combined. However, there is no known evidence backing these claims, except for what researchers can reveal about coding types and other methods used.

Much of the articles by Kaspersky Lab and Symantec include the following speculations as well:

  • Four programmers at least tag-teamed on the job of development as their nicknames were left in the code.
  • One-server called home 5000 victim machines during just a one-week period in May, suggesting at least 10,000 victims.
  • The infections weren’t just focused on one-group of organizations or people, but in separate groups of targets in many countries.
  • Many of the targets focused a lot on Iran and Sudan.
  • Different custom protocols were used to communicate with the servers, not just one protocol. Meaning that there were at least four different protocols used to communicate to the servers.
  • Tons of data was stolen, which 5.5 GBs was reported in just one week of data-mining from the malware.
  • The attackers are either mining for government information, or attempting to gain military intelligence.

The developers behind the Flame malware have a lot more secrets, which are being unveiled. More ties are being linked to Stuxnet and Flame, and when the information becomes available, it’ll be here on seCURE Connexion’s blog. The Flame developers obviously have a lot of nerve developing these cyber-weapons. But, many politicians and security experts have warned of this information warfare for years. Here we are at the peak!

To protect your computer from hackers, use Kaspersky’s PURE Total Security:
Kaspersky PURE Total Security

Thickening Digital/SSL Certifications (mini-whitepaper)

English: A candidate icon for Portal:Computer ...

Current malware trends seem to be focusing on certificate stealing by forgery. Certificate forgery is one of the current plaguing problems since 2011. Ever since last year, CAs have shown high risk issues for certificate forgery. From Stuxnet to Flame, certificate forgery has been on the rise big time.

Normally, web browsers and operating systems keep a copy of a certificate and “pin it” to an identity called a Public Key. So, as Microsoft knows this issue, they have issued their own Automatic Revocation Updater (Win. Vista SP2+). Through this, Windows is able to specifically flag certain certificates that are known to be malicious.

How Microsoft trusts RSAs, certificates, etc.:

“Public key based cryptographic algorithms strength is determined based on the time taken to derive the private key using brute force methods. The algorithm is deemed to be strong enough when the time required to derive private key is prohibitive enough using the computing power at disposal. The threat landscape continues to evolve.  As such, we are further hardening our criteria for the RSA algorithm with key length less than 1024 bits. To further reduce the risk of unauthorized exposure of sensitive information, Microsoft has created a software update that will be released in August 2012 for the following operating systems: Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2,” Hudson  said.

Now, top CA companies for online certificates, including Comodo, NGINX, GlobalSign, DigiCert, etc., have enhanced online revocation systems to check for malicious attempts in certification.

NGINX provides an explanation:

Today GlobalSign, DigiCert, Comodo and Nginx Inc. announced a joint effort and a sponsored development contract, to enhance the NGINX open source Web server to support OCSP-stapling. This collaboration further advances the SSL ecosystem by improving the privacy, reliability and revocation checking for all websites using the NGINX web server—currently run by more than 25 percent of the top 1,000 websites, and by 70,000,000 websites on the Internet overall.

“The team at NGINX is delighted that GlobalSign, DigiCert and Comodo support the OCSP stapling enhancement to the NGINX webserver,” said Igor Sysoev CTO and principal architect at NGINX, “We have been continuously working on enhancements to NGINX that increase performance, reliability and security. With improved SSL functionality we expect the vast majority of our customers to share our enthusiasm for increased safety on the Internet.”

Continued here

Now, if it’s all the same to you, an alternative system, like Convergence, is in order. This is a good replacement for certificates for online. See this link for more info.

See more good reading below…

Avoid troubles with malware entirely by purchasing Malwarebytes’ Anti-Malware.

Cyberwar for Iran Heating Up

Apparently, Iran’s intelligence minister has blamed key countries, US, UK, and Israel for plotting a cyberattack against the country.

Also, earlier this month, The New York Times reported that President Obama ordered similar attacks on the super-computers that run Iran’s nuclear plants.

According to Reuters, “Based on obtained information, America and the Zionist regime (Israel) along with the MI6 planned an operation to launch a massive cyber attack against Iran’s facilities following the meeting between Iran and the P5+1 in Moscow,” Iran’s English-language Press TV quoted him as saying.

Another crazy issue would be that since Iranian leaders could not talk to the US/UK/Israel, they assumed an attack was planned. I guess what they don’t know WILL hurt them…right?

What is big about this, is the fact that the cyberwar between the US-based allies (UK + Israel + US) and Iran is heating up. Prepare for more stories like this here on seCURE Connexion!

%d bloggers like this: