That's pretty funny! Do you think maybe he missed the "STOP_WARNING- - It is all Fictitious - Continue to story part" ?
From WAPO link on the World Net Daily Site: http://www.washingtonpost.com/wp-dyn/content/article/2010/10/01/AR201010... "The antivirus security firm Symantec analyzed the worm this summer and, by taking control of servers it had been connected to, determined that the malware had infected about 45,000 computers around the world. Most of those infected - about 30,000 - were in Iran. Those computers were not the targets, but the finding suggested that the target was nearby.
Speculation has focused on Iran's nuclear enrichment facilities, and this week Iranian officials said they suspect a foreign organization or nation designed the worm. "
=============================
"Because of the worm's reach and complexity and the huge investment required to write the code, Alipour [Hamid Alipour, deputy head of Iran's Information Technology Co.] said he thinks the virus was designed by a foreign organization or country. "The writer has had access to industrial information which is not available to IT experts," he said, stressing that an ordinary group of hackers could not have designed the virus. http://www.washingtonpost.com/wp-dyn/content/article/2010/09/27/AR201009...
Gee, I wonder what country that may be? Some country that is really good at computer security? H_m-m-m...
It would have to be a foreign organization or country that has, in addition to industrial information not available to IT experts, unlimited chutzpah.
A computer 'worm' contains the instruction sequence necessary to propagate itself as well as the instruction sequence that does the damage. The first significant step in defending against such a worm is reverse-engineering -- converting the "machine code" that the computer executes into "assembly code" which lists the instructions being executed.
And therefore, using a worm as a weapon of war is, in the words of one of my most security-savvy computer-friends, "one of the stupidest things anyone has ever done anywhere". It is, as he put it, "like dropping an atomic bomb, then showering the survivors with leaflets explaining how to build an atomic bomb". He reckons the probability of this worm being revamped and used as an offensive weapon by the Iranians (or terrorists connected with Iran) as 100%. "How could they NOT use it?" he asked. "They're pissed off and they have the code!"
We decided it was not a good idea to buy any industrial control systems anytime soon.
"He reckons the probability of this worm being revamped and used as an offensive weapon by the Iranians (or terrorists connected with Iran) as 100%"
So, kinda like throwing a grenade in the room where the fight's happening? Just causing as much damage as you can to whatever side? Or plain stupid with unlimited chutzpah? Or something more sinister?
However ... to continue the grenade analogy, this would be like throwing a *self-replicating* grenade -- because the survivors of the attack will have all the grenades they will need, forever.
It looks from here as if this worm is intended to knock out the Iranian fuel processing facility at Bushehr. What will it do when it gets in there? Who knows? One potential scenario is for it to shut down the cooling system and run everything else until the facility literally melts itself. Of course other scenarios are possible as well.
The 'rationale' for this 'attack' would be that if Bushehr could be demolished from within, via worm, then it wouldn't "have" to be nuked. (I don't buy the notion that it *has* to be taken out, but for those who do, this would appeal as a less violent method than a direct attack -- with less lethal fallout, at least in the short term).
But the boomerang effect of using *intellectual property* as a weapon in this way is that using the weapon gives away the "intellectual property", that is, the secrets required for the design, and therefore it empowers the "enemy" with the knowledge that previously had been an advantage to one side only.
I am getting the sinister intent with regard to knocking out the Iranian fuel processor. What I am questioning is if they knew about the "self replicating" grenade when they threw it in. Were they deliberately looking to give the code away (for more sinister and more destructive reasons than just taking out the reactor) or was this just a massive screw up on their part that will come back to bite them and the rest of us on the ass?
I know zip about computers and code but it seems to me a screw up and israel are trying to get out in front of it and do some face saving, damage control and even (chutzpah) threaten the Chinese whom they've just done a currency deal with.
The thing that I always come back to is that those that are seriously into power necessarily have to be seriously deluded as to their own capabilities and also to the reality of their environment.
"...those that are seriously into power necessarily have to be seriously deluded as to their own capabilities..."
Well, I was thinking something like that (while I make spaghetti ). Are we witnessing unlimited chutzpah from the minds of psychopaths, doing what's worked for them in the past and unable to anticipate the outcome of their actions?
I'm seriously hoping so, McJ. I'm seriously hoping that they come to bitterly regret writing it up in the NYT complete with reference to the Book of Esther. That puts their fingerprints all over it. Beautiful irony in that reference.
Question for WP - if these lunatics own or control Siemens through their extensive financial network, why would they need to hack the system? Could they not have put the necessary backdoors and code bombs (or whatever you call them!) in the original programme?
Apparently they couldn't put the code bomb in the system before the system was built, so they are trying to do it this way instead.
Speaking of insanity and chutzpah, one potential side-effect of such an attack could be the destruction of industrial control systems all over the world. In other words, not only is it a good idea not to buy any industrial control systems anytime soon, it might also be a good idea to stop needing products made by sophisticated manufacturing systems ... because some day not too far from now, all such systems could be toast.
No doubt, the israelis will talk their way around a lot of the responsibility for this (after as good as claiming credit) but hopefully enough sticks to bring it home to enough people (and enough people in power) that humanity just can't afford to let these people run around loose; that their nuclear weapons and their murderous institutions need to be put under adult supervision.
if the morons in Russia and China who have recently made deals with the israelis are thrown out of office by their more sensible compatriots and that shitty little country becomes isolated as a pariah state.
http://techpinger.com/2010/09/stux-net-worm-is-a-us-cyber-weapon-against... "...said Rieger, chief technology officer at GSMK, a maker of encrypted mobile phones. Rieger estimates that the worm would have required a team of as many as 10 skilled programmers working for about six months to build it, at a cost of at least $3 million."
"Stuxnet works by exploiting previously unknown security holes in Microsoft’s Windows operating system. It then seeks out a component called Simatic WinCC, manufactured by Siemens, which controls critical factory operations. The malware even uses a stolen cryptographic key belonging to the Taiwanese semiconductor manufacturer RealTek to validate itself in high-security factory systems."
"Stuxnet works by exploiting previously unknown security holes in Microsoft’s Windows operating system."
A Microsoft Windows operating system inside Iran's nuclear facility? Who cares about the unknown security holes? What about the known ones? What about the known fact that Microsoft systems are developed in tandem with the NSA and who knows who else? The Iranians wouldn't be dumb enough to use Microsoft, would they? Would they?
But then again, what about all the people out there (apologies to all those i'm insulting in here) who pay good money for Microsoft systems plus money on top of that for virus protection when Ubuntu and plenty of other Linux distributions are available for FREE. You don't need anti-virus software because they (Linux based systems) don't have the hidden code and the backdoors built in so the NSA can't get into your computer.
I remember reading some years ago that during the invasion of Iraq, most if not all, of the computer systems running the infrastructure in the country went down.
I think if I were running Iran, I'd ban Microsoft from the whole country and develop all the systems needed from within the country using Linux or Unix. How hard is that?
That's a really good point James. Why would they be using Microsoft Windows to run a super high security nuclear facility? It actually doesn't make sense, but then I don't know anything about industrial control systems. Would industries normally use MS Windows for this, especially with all the known security holes and other problems with the operating system? For example, would Windows be used for controlling electricity distribution? I remember a few years back when there was a huge blackout in Ontario and some of the eastern US states that was partially caused by a computer malfunction (I believe). Would that have been a Windows based system?
In February 2004, the U.S.-Canada Power System Outage Task Force released their final report, placing the main cause of the blackout on FirstEnergy Corporation's failure to trim trees in part of its Ohio service area. The report states that a generating plant in Eastlake, Ohio (a suburb of Cleveland) went offline amid high electrical demand, putting a strain on high-voltage power lines (located in a distant rural setting) which later went out of service when they came in contact with "overgrown trees". The cascading effect that resulted ultimately forced the shutdown of more than 100 power plants.[8]
Computer failure
A software bug known as a race condition existed in General Electric Energy's Unix-based XA/21 energy management system. Once triggered, the bug stalled FirstEnergy's control room alarm system for over an hour. System operators were unaware of the malfunction; the failure deprived them of both audio and visual alerts for important changes in system state.[9][10] After the alarm system failure, unprocessed events queued up and the primary server failed within 30 minutes. Then all applications (including the stalled alarm system) were automatically transferred to the backup server, which itself failed at 14:54. The server failures slowed the screen refresh rate of the operators' computer consoles from 1–3 seconds to 59 seconds per screen. The lack of alarms led operators to dismiss a call from American Electric Power about the tripping and reclosure of a 345 kV shared line in northeast Ohio. Technical support informed control room personnel of the alarm system failure at 15:42.[11]
Siemens SIMATIC "WinCC" or Siemens "Step 7" software vulnerabilities
Number: AV10-023 Date: 27 July 2010
Purpose
The purpose of this advisory is to raise awareness of recently discovered malware targeting Siemens SIMATIC "WinCC" or Siemens "Step7" control system software.
Assessment
Supervisory Control and Data Acquisition (SCADA) systems that use Siemens SIMATIC WinCC or Step7 software are vulnerable to newly discovered pieces of malware. SIMATIC WinCC HMI is a scalable process-visualization system for monitoring automated processes. SIMATIC STEP 7 is an engineering software used in the programming and configuration of SIMATIC programmable controllers. Both of these products are widely used in many critical infrastructure sectors.
Affected Systems:
All Siemens WinCC or Step7 systems currently residing on the following affected Windows Operating Systems:
* Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP2 for Itanium-based Systems
* Windows Vista Service Pack 1 and Windows Vista Service Pack 2
* Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
* Windows 7 for 32-bit Systems
* Windows 7 for x64-based Systems
* Windows Server 2008 R2 for x64-based Systems
* Windows Server 2008 R2 for Itanium-based Systems
The vulnerability is associated with the use of a hard coded password to protect the database used by these applications, which became publicly known. The vulnerability has been exploited in the wild leveraging a USB portable device and a recently announced zero day vulnerability in the Windows Operating System (MS Knowledge Base Article 2286198). This vulnerability has been assigned the CVE identifier CVE-2010-2568.
Suggested action
Siemens has released a fix to address this specific issue, found in reference D below. CCIRC recommends that organizations liaise with the administrators/maintainers of affected assets and commence requisite remediation planning/implementation as soon as possible.
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
(if that's not an oxymoron, McJ!) Windows, eh?! Unbelievable!
AP at Twelfth Bough has an excellent post up on this with some top links. From this one we learn that the hackers used stolen digital certificates to gain access. But could these have come directly from Siemens?
From another of AP's links comes this quote-
"The Stuxnet worm, dubbed the world's first cyber superweapon, may have originated from German giant Siemens, says a senior technology consultant at system security developer Sophos.
The worm may have been written by someone with detailed knowledge of Siemens' computer systems, Graham Cluley said on Friday.
Speaking to Computer and technology news website, V3, Cluley said the person may possibly be a current or former employee of the German industrial giant whose control systems are widely used to manage industrial facilities such as oil rigs and power plants.
"The message I got was that it appears to have been written by someone with inside knowledge of how Siemens' systems work," he said after attending the Virus Bulletin 2010 conference in Vancouver in Canada. "
From my limited knowledge and reading, it seems to have been designed to go viral. Of course, it not only targets Iran but Iran's allies and business partners as well; Russia and China amongst them. Hey guys, say hello to your new best friend, israel! Same for you, India and Indonesia.
The article almost crows about Israel being responsible. This is significant coming from the NYT. (If israel didn't want to be seen as responsible, it would not be in the NYT. Oh, Hubris, what have you done?!). It also tries to implicate Russia as being the vehicle of delivery and quotes Siemens as not doing business with Iran.
Alexander Machowetz, a spokesman in Germany for Siemens, said the company did no business with Iran’s nuclear program. “It could be that there is equipment,” he said in a telephone interview. “But we never delivered it to Natanz.”(no, of course, you didn't. ed) But Siemens industrial controllers are unregulated commodities that are sold and resold all over the world — the controllers intercepted in Dubai traveled through China, according to officials familiar with the seizure. (who shall remain nameless, of course, and who dob in their other new best friend, China.)
Sun Tzu's "The Art of War" is required reading for all senior military officers in China. One of SunTzu's tenets is that you must watch your allies closer than your enemy. Good luck, israel!
Oh, and btw, israel does a lot of business with Iran via Dubai.
OT here, but a guy over on our Canadian FB site was arguing what a wonderful guy Bill Gates was, giving away so much money and all. And that he was good at it because he was such a successful business man and demanded results. He called him a "ruthless humanitarian". Now there's an oxymoron for you!
Excellent writing, WP. But it's becoming addictive; the more I get the more I want! (Come to think of it, wasn't Holmes partial to a certain substance? Or was that Doyle himself?)
thanks for the links James. i'm turning this over and over in my mind, and i'm thinking they either 1) want to take everything down just like with the economy, a la the Samson Option; or 2) they just want to have that threat hanging over everyone's head as in Cold War Mutually Assured Destruction. ?? i assume that if the israelis really did it they are the experts on game theory and they ran it through their simulations and therefore have some confidence that this will work out well for them. hopefully they made a mistake with their assumptions.
if they worked in conjunction with some Russians they may have been outsmarted. we can always hope. in any case it seems to close off a whole branch of the decision tree leading to war with Iran (good, although that's no guarantee they won't stop talking about it), while opening up an entirely new set of problems which has caught many people by surprise. so they have the rest of the world on the back foot at the moment. but as i said, possibly they didn't think it all through and they will be the ones who end up on the back foot. for instance, i really don't think the chinese would be amused since they are making all sorts of arrangements with israel and this appears to be a form of extortion, which people tend to resent.
"this appears to be a form of extortion, which people tend to resent."
Yes, it can lead to less than warm feelings, I believe, AP!
Hubris, I think, is about projecting an image of power, even invincibility. They, no doubt, think it enhances their position for current and future negotiations. So, imnho, there is much to your two suggestions because both the Samson Option and MAD have been admitted as being negotiating strategies.
Game theory, as you say. It works fine until the 'game is up'; till the 'encryption key' is found where by the 'good option' or the 'lesser of two evils' (in this case, giving israel whatever it wants) is then seen for what it is - the greater evil.
Wired is reporting that the hard coded password (the Cryptographic Key) used to protect the database in Siemens Simatic WinCC SCADA system, which runs on Windows operating systems, has been available online since at least 2008. It was published online to the Siemens technical forum in both Germany and Russia by an anonymous poster named Cyber. It was apparently deleted shortly thereafter by a Siemens moderator.
Chris Wysopal from Veracode, a company that examines code for both developers and users to find out how secure their code is, had this to say about Siemens:
"Siemens has put their customers at risk with this egregious vulnerability in their software. Worse, in my book however, is all the customers who purchased the software not knowing of its risk. Software customers that are operating SCADA systems on critical infrastructure or their factories with the WinCC Software had a duty to their customers and shareholders to not purchase this software without proper security testing.
We should ask the question, “Why didn’t Siemens fix the hard coded password vulnerability when it was first publicly disclosed?” They waited 2+ years and started to fix it only after a worm exploited it. We should also ask the question, “Is it negligence when you don’t fix a critical known vulnerability and wait for your customers to get exploited?”
Why indeed! Was it negligence or was it by design? And why didn't Microsoft release a patch for Windows?
He also points out that hard-coding a secret password or cryptographic key into your program is #11 on the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that Veracode contributed to.
CWE stands for Common Weakness Enumeration and is a community developed dictionary of software weakness types. A list of the 'Top 25 Most Dangerous Programming Errors' was recently released.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe with the support of the US Department of Homeland Security's National Cyber Security Division. The list gives "detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them." See here.
"Hard-coding a secret password or cryptographic key into your program is bad manners, even though it makes it extremely convenient – for skilled reverse engineers. While it might shrink your testing and support budgets, it can reduce the security of your customers to dust. If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it's hard-coded, it's usually a huge pain for sysadmins to fix. And you know how much they love inconvenience at 2 AM when their network's being hacked – about as much as you'll love responding to hordes of angry customers and reams of bad press if your little secret should get out. Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers won't see it that way. Another way that hard-coded credentials arise is through unencrypted or obfuscated storage in a configuration file, registry key, or other location that is only intended to be accessible to an administrator. While this is much more polite than burying it in a binary program where it can't be modified, it becomes a Bad Idea to expose this file to outsiders through lax permissions or other means." Emphasis mine.
After just a little bit of googling, I was able to figure out that the hard coded password vulnerability (that has now been exploited to create our first example of weaponized software, a cyber missile in the form of the Stuxnet worm) is common knowledge amongst the cyber security world. Furthermore, you can carry this weapon around on a USB stick.
How can this be? It boggles the mind that Iran could be using this software for their nuclear plant or that thousands of critical utilities and manufacturing facilities around the world are at risk because they are using a piece of software which contains a well known, extremely serious security risk.
A commenter at the Veracode site had this to say. "[It was] obviously done on purpose, a backdoor left for someone special to use someday, and someday is today."
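The hard-coded password pattern the CWE text above describes, as an added example (not code from the original post, from Veracode or from Siemens): a small scanner that flags password literals in source and configuration files while ignoring run-time references such as ${VAR}, beside a connection-string builder that takes the database password from the environment and refuses to fall back to a built-in default. The file names, the wincc_app user name, the WINCC_DB_PASSWORD variable and all sample contents are constructed for the example.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Patterns that usually mark a credential written straight into source or
# configuration (CWE-259 hard-coded password / CWE-798 hard-coded credentials).
# Each pattern captures the secret so the finding can be redacted before it
# is reported; the captured value itself is never printed.
CREDENTIAL_PATTERNS = [
    ("quoted assignment", re.compile(
        r"""\b(?:password|passwd|pwd|secret|api_key)\s*[:=]\s*["']([^"']+)["']""",
        re.IGNORECASE)),
    ("unquoted key=value", re.compile(
        r"""\b(?:password|passwd|pwd)\s*=\s*([^;"'\s]+)""",
        re.IGNORECASE)),
]

COMMENT_PREFIXES = ("#", "//", ";")


def looks_like_reference(value: str) -> bool:
    """True for ${VAR}, %VAR%, $(VAR) or {placeholder}: a pointer to a secret
    supplied at run time, which is what the hardened builder below relies on."""
    return value.startswith(("${", "%", "$(", "{"))


def find_hardcoded_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each suspicious line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith(COMMENT_PREFIXES):
            continue  # blank lines and comments carry no live credential
        for kind, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match and not looks_like_reference(match.group(1)):
                findings.append((line_no, kind, f"<{len(match.group(1))} chars redacted>"))
                break  # one finding per line is enough
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Scan a mapping of file name -> contents; files with no findings are omitted."""
    report = {}
    for name, contents in files.items():
        findings = find_hardcoded_credentials(contents)
        if findings:
            report[name] = findings
    return report


def build_connection_string(server: str, database: str,
                            secrets: Optional[Dict[str, str]] = None) -> str:
    """Hardened form: the database password comes from the process environment
    (or an injected mapping, used here for testing), so nothing secret is
    compiled into the program and every site can set and rotate its own password.
    The user name wincc_app is a constructed example, not a Siemens default."""
    source = os.environ if secrets is None else secrets
    password = source.get("WINCC_DB_PASSWORD")
    if not password:
        # Refuse to start rather than silently fall back to a shared default.
        raise RuntimeError("WINCC_DB_PASSWORD is not set; no built-in default will be used")
    return f"Server={server};Database={database};Uid=wincc_app;Pwd={password};"


# Constructed sample files (not real Siemens files). dbconfig.ini and the first
# line of connect.py show the weak pattern the CWE text describes; the last line
# of connect.py shows a reference to a run-time secret, which is not flagged.
SAMPLE_FILES = {
    "dbconfig.ini": (
        "; constructed sample, not a real WinCC configuration file\n"
        "[database]\n"
        "server=SCADA-DB01\n"
        "database=WinCC_Runtime\n"
        "user=wincc_app\n"
        "password=ExampleOnlyNotReal\n"
    ),
    "connect.py": (
        "CONN = 'Server=SCADA-DB01;Database=WinCC_Runtime;Uid=wincc_app;Pwd=ExampleOnlyNotReal;'\n"
        "# hardened alternative: the secret is resolved at run time\n"
        "CONN_OK = 'Server=SCADA-DB01;Database=WinCC_Runtime;Uid=wincc_app;Pwd=${WINCC_DB_PASSWORD};'\n"
    ),
}


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE_FILES).items():
        for line_no, kind, redacted in findings:
            print(f"{name}:{line_no}: hard-coded credential ({kind}) {redacted}")
```

Run against a real checkout or configuration tree, the scanner reports only line numbers and redacted lengths, so its output can be filed as a finding without copying the secret around.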
just amazing how these things happen at a world class company like Siemens. Very Regrettable, to be sure. i would think there must be some Human Error in there too.
Yes, McJ, I'll add my voice to AP's here. Well done! It looks like this is another case of determining complicity through seeing what should have happened and didn't.
Gee, I wonder if israeli companies use Siemens WinCC controllers? I wonder if they use Windows, period? It might account for some of the lunacy of putting this worm out there to be decoded and reused.
Thanks all for your kind words. I have some more information coming about Siemens and Iran and I am debating whether to put it in a comment or a blog post. It takes a little bit of explanation but I'm not sure where it is going. It is interesting nevertheless.
"LIHOP or MIHOP?"
Well this afternoon I was leaning towards LIHOP, tonight after my reading I'm leaning the other way.
I seem to be doing a bit of leaning these days, I may need a new pair of flip-flops.
Her mother named her after Eileen Dover, the late lamented bungee jumper. I was afraid that reference would fall flat on its face! As Eileen often did. She liked a tipple or two and often went for a topple or two, too.
And yes, what are you doing up this late? No wonder you are wobbling all over the place.
You have a never ending supply of those, don't you?
"what are you doing up this late no wonder you are wobbling all over the place"
Well, Eileen Dover and I pulled on that ball of string and it began to unravel. So, I chased it and now I'm feeling a little tired and tipsy trying to figure out where it is going next.
I was going to try and write this up tonight but I think it will have to wait until tomorrow when I'm not so tired.
Comments
That's pretty funny! Do you
That's pretty funny! Do you think maybe he missed the "STOP_WARNING- - It is all Fictitious - Continue to story part" ?
From WAPO link on the World Net Daily Site: http://www.washingtonpost.com/wp-dyn/content/article/2010/10/01/AR201010...
"The antivirus security firm Symantec analyzed the worm this summer and, by taking control of servers it had been connected to, determined that the malware had infected about 45,000 computers around the world. Most of those infected - about 30,000 - were in Iran. Those computers were not the targets, but the finding suggested that the target was nearby.
Speculation has focused on Iran's nuclear enrichment facilities, and this week Iranian officials said they suspect a foreign organization or nation designed the worm. "
=============================
"Because of the worm's reach and complexity and the huge investment required to write the code, Alipour [Hamid Alipour, deputy head of Iran's Information Technology Co.] said he thinks the virus was designed by a foreign organization or country. "The writer has had access to industrial information which is not available to IT experts," he said, stressing that an ordinary group of hackers could not have designed the virus. http://www.washingtonpost.com/wp-dyn/content/article/2010/09/27/AR201009...
Gee, I wonder what country that may be? Some country that is really good at computer security? H_m-m-m...
who do you think it could be?
It would have to be a foreign organization or country that has, in addition to industrial information not available to IT experts, unlimited chutzpah.
A computer 'worm' contains the instruction sequence necessary to propogate itself as well as the instruction sequence that does the damage. The first step significant step in defending against such a worm is reverse-engineering -- converting the "machine code" that the computer executes into "assembly code" which lists the instructions being executed.
And therefore, using a worm as a weapon of war is, in the words of one of my most security-savvy computer-friends, "one of the stupidest things anyone has ever done anywhere". It is, as he put it, "like dropping an atomic bomb, then showering the survivors with leaflets explaining how to build an atomic bomb". He reckons the probability of this worm being revamped and used as an offensive weapon by the Iranians (or terrorists connected with Iran) as 100%. "How could they NOT use it?" he asked. "They're pissed off and they have the code!"
We decided it was not a good idea to buy any industrial control systems anytime soon.
AHHH - very interesting
"unlimited chutzpah" -
"He reckons the probability of this worm being revamped and used as an offensive weapon by the Iranians (or terrorists connected with Iran) as 100%"
So, kinda like throwing a grenade in the room where the fights happening? Just causing as much damage as you can to whatever side? or plain stupid with unlimited chutzpah? or something more sinister?
I think it is much more sinister...
and more directed than a grenade.
However ... to continue the grenade analogy, this would be like throwing a *self-replicating* grenade -- because the survivors of the attack will have all the grenades they will need, forever.
It looks from here as if this worm is intended to knock out the Iranian fuel processing facility at Bushehr. What will it do when it gets in there? Who knows? One potential scenario is for it to shut down the cooling system and run everything else until the facility literally melts itself. Of course other scenarios are possible as well.
The 'rationale' for this 'attack' would be that if Bushehr could be demolished from within, via worm, then it wouldn't "have" to be nuked. (I don't buy the notion that it *has* to be taken out, but for those who do, this would appeal as a less violent method than a direct attack -- with less lethal fallout, at least in the short term).
But the boomerang effect of using *intellectual property* as a weapon in this way is that using the weapon gives away the "intellectual property", that is, the secrets required for the design, and therefore it empowers the "enemy" with the knowledge that previously had been an advantage to one side only.
I am getting the sinister
I am getting the sinister intent with regard to knocking out the Iranian fuel processor. What I am questioning is if they knew about the "self replicating" grenade when they threw it in. Were they deliberately looking to give the code away (for more sinister and more destructive reasons than just taking out the reactor) or was this just a massive screw up on their part that will come back to bite them and the rest of us on the ass?
I know zip about computers
I know zip about computers and code but it seems to me a screw up and israel are trying to get out in front of it and do some face saving, damage control and even (chutzpah) threaten the Chinese whom they've just done a currency deal with.
The thing that I always come back to is that those that are seriously into power necessarily have to be seriously deluded as to their own capabilities and also to the reality of their environment.
from the mind of psychopaths
"...those that are seriously into power necessarily have to be seriously deluded as to their own capabilities..."
Well, I was thinking something like that (while I make spaghetti ). Are we witnessing unlimited chutzpah from the minds of psychopaths, doing what's worked for them in the past and unable to anticipate the outcome of their actions?
Esther and the NYT
I'm seriously hoping so, McJ. I'm seriously hoping that they come to bitterly regret writing it up in the NYT complete with reference to the Book of Esther. That puts their fingerprints all over it. Beautiful irony in that reference.
Question for WP - if these lunatics own or control through their extensive financial network Siemen's, why would they need to hack the system? Could they not have put the necessary backdoors and code bombs (or whatever you call them!) in the original programme?
Apparently they couldn't
Apparently they couldn't put the code bomb in the system before the system was built, so they are trying to do it this way instead.
Speaking of insanity and chutzpah, one potential side-effect of such an attack could be the destruction of industrial control systems all over the world. In other words, not only is it a good idea not to buy any industrial control systems anytime soon, it might also be a good idea to stop needing products made by sophisticated manufacturing systems ... because some day not too far from now, all such systems could be toast.
thanks WP
No doubt, the israelis will talk their way around a lot of the responsibility for this (after as good as claiming credit) but hopefully enough sticks to bring it home to enough people (and enough people in power) that humanity just can't afford to let these people run around loose; that their nuclear weapons and their murderous institutions need to be put under adult supervision.
Wouldn't it be nice
if the morons in Russia and China who have recently made deals with the israelis are thrown out of office by their more sensible compatriots and that shitty little country becomes isolated as a pariah state.
Ya, that would be nice!
cryptographic key
http://techpinger.com/2010/09/stux-net-worm-is-a-us-cyber-weapon-against...
"...said Rieger, chief technology officer at GSMK, a maker of encrypted mobile phones. Rieger estimates that the worm would have required a team of as many as 10 skilled programmers working for about six months to build it, at a cost of at least $3 million."
"Stuxnet works by exploiting previously unknown security holes in Microsoft’s Windows operating system. It then seeks out a component called Simatic WinCC, manufactured by Siemens, which controls critical factory operations. The malware even uses a stolen cryptographic key belonging to the Taiwanese semiconductor manufacturer RealTek to validate itself in high-security factory systems."
What is the cryptographic key?
Microsoftheaded
Cryptographic Key
"Stuxnet works by exploiting previously unknown security holes in Microsoft’s Windows operating system."
A Microsoft Windows Operating system inside Iran's nuclear facility? Who cares about the unknown security holes? What about the known ones? What about the known fact that Microsoft systems are developed in tandem with the NSA and who knows who else. The Iranians wouldn't be dumb enough to use Microsoft, would they? Would they?
But then again, what about all the people out there (apologies to all those i'm insulting in here) who pay good money for Microsoft systems plus money on top of that for virus protection when Ubuntu and plenty of other Linux distributions are available for FREE. You don't need anti-virus software because they (Linux based systems) don't have the hidden code and the backdoors built in so the NSA can't get into your computer.
I remember reading some years ago that during the invasion of Iraq, most, if not all, of the computer systems running the infrastructure in the country went down.
I think if I were running Iran, I'd ban Microsoft from the whole country and develop all the systems needed from within the country using Linux or Unix. How hard is that?
good point James
That's a really good point James. Why would they be using Microsoft Windows to run a super high security nuclear facility? It actually doesn't make sense but then I don't know anything about industrial control systems. Would industries normally use MS Windows for this especially with all the known security holes and other problems with the operating system? For example, would Windows be used for controlling electricity distribution? I remember a few years back when there was a huge blackout in Ontario and some of the eastern US states that was partially caused by a computer malfunction (I believe). Would that have been a Windows based system?
FirstEnergy Blackout
Here we go...these guys were using a Unix based system.
"Findings: http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003
In February 2004, the U.S.-Canada Power System Outage Task Force released their final report, placing the main cause of the blackout on FirstEnergy Corporation's failure to trim trees in part of its Ohio service area. The report states that a generating plant in Eastlake, Ohio (a suburb of Cleveland) went offline amid high electrical demand, putting a strain on high-voltage power lines (located in a distant rural setting) which later went out of service when they came in contact with "overgrown trees". The cascading effect that resulted ultimately forced the shutdown of more than 100 power plants.[8]
Computer failure
A software bug known as a race condition existed in General Electric Energy's Unix-based XA/21 energy management system. Once triggered, the bug stalled FirstEnergy's control room alarm system for over an hour. System operators were unaware of the malfunction; the failure deprived them of both audio and visual alerts for important changes in system state.[9][10] After the alarm system failure, unprocessed events queued up and the primary server failed within 30 minutes. Then all applications (including the stalled alarm system) were automatically transferred to the backup server, which itself failed at 14:54. The server failures slowed the screen refresh rate of the operators' computer consoles from 1–3 seconds to 59 seconds per screen. The lack of alarms led operators to dismiss a call from American Electric Power about the tripping and reclosure of a 345 kV shared line in northeast Ohio. Technical support informed control room personnel of the alarm system failure at 15:42.[11]
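The race condition in the quoted passage is the lost-wakeup kind: a consumer checks "is there anything to do?", a producer adds work and signals in the instant after that check, and the consumer then goes to sleep with the work already waiting. The page does not describe the actual XA/21 defect, so the following is an added illustration of that class of bug and its fix, written for this thread and not taken from any vendor code; the event text and the two instrumentation Events that force the interleaving are constructed for the demo.

```python
import threading
from collections import deque


class AlarmDispatcher:
    """A consumer that drains alarm events for an operator console.

    racy=True reproduces the lost-wakeup race: the consumer tests the queue
    outside the lock, so a producer can append and notify in the gap before
    the consumer starts waiting, and that notification goes nowhere. The
    consumer then sleeps although an alarm is pending. racy=False tests and
    waits under the lock, so a post either lands before the check (seen at
    once) or while the consumer is inside wait() (which wakes it).
    check_done/post_done are instrumentation only: they place the producer
    exactly in that gap instead of relying on thread timing."""

    def __init__(self, racy, wait_timeout=0.2):
        self.racy = racy
        self.wait_timeout = wait_timeout
        self.queue = deque()
        self.cv = threading.Condition()
        self.check_done = threading.Event()   # consumer has done its emptiness check
        self.post_done = threading.Event()    # producer has appended and notified

    def post(self, event):
        """Producer side, e.g. a breaker-trip message from a neighbouring utility."""
        with self.cv:
            self.queue.append(event)
            self.cv.notify()                  # goes nowhere if nobody is waiting yet
        self.post_done.set()

    def consume_one(self):
        """Return (event, woken). woken=False means the consumer slept through its
        whole timeout with an alarm in the queue; with an untimed wait() that is
        the indefinite stall the blackout report describes."""
        if self.racy:
            empty = not self.queue            # BUG: checked without holding the lock
            self.check_done.set()             # the window opens here ...
            self.post_done.wait()             # ... and the producer runs inside it
            with self.cv:
                woken = True
                if empty:
                    woken = self.cv.wait(self.wait_timeout)   # the notify is already gone
                event = self.queue.popleft() if self.queue else None
            return event, woken

        with self.cv:
            self.check_done.set()             # producer's post() now blocks on the lock ...
            woken = True
            while not self.queue:             # ... until wait() releases it; notify then wakes us
                woken = self.cv.wait(self.wait_timeout)
                if not woken:
                    break
            event = self.queue.popleft() if self.queue else None
        return event, woken


def run_scenario(racy):
    """Drive one producer and one consumer through the race window deterministically."""
    d = AlarmDispatcher(racy)

    def producer():
        d.check_done.wait()                   # wait for the consumer's check, then post
        d.post("345 kV line trip")            # constructed event text

    t = threading.Thread(target=producer)
    t.start()
    result = d.consume_one()
    t.join()
    return result


if __name__ == "__main__":
    print("racy:  ", run_scenario(racy=True))    # alarm delivered only after the timeout
    print("fixed: ", run_scenario(racy=False))   # alarm delivered as soon as it is posted
```

The fix is not the timeout (which only bounds the damage) but doing the check and the wait as one unit under the lock, in a loop that re-checks after every wake-up. A stalled alarm pipeline should also be detectable from the outside, which is why control rooms pair alarm systems with a heartbeat: silence from the alarm server is itself an alarm.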
Public Safety Canada Advisory Re: Siemens SIMATIC "WINCC"
Public Safety Canada
publicsafety.gc.ca
Siemens SIMATIC "WinCC" or Siemens "Step 7" software vulnerabilities
Number: AV10-023
Date: 27 July 2010
Purpose
The purpose of this advisory is to raise awareness of recently discovered malware targeting Siemens SIMATIC "WinCC" or Siemens "Step7" control system software.
Assessment
Supervisory Control and Data Acquisition (SCADA) systems that use Siemens SIMATIC WinCC or Step7 software are vulnerable to newly discovered pieces of malware. SIMATIC WinCC HMI is a scalable process-visualization system for monitoring automated processes. SIMATIC STEP 7 is an engineering software used in the programming and configuration of SIMATIC programmable controllers. Both of these products are widely used in many critical infrastructure sectors.
Affected Systems:
All Siemens WinCC or Step7 systems currently residing on the following affected Windows Operating Systems:
* Windows XP Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP2 for Itanium-based Systems
* Windows Vista Service Pack 1 and Windows Vista Service Pack 2
* Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
* Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
* Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
* Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
* Windows 7 for 32-bit Systems
* Windows 7 for x64-based Systems
* Windows Server 2008 R2 for x64-based Systems
* Windows Server 2008 R2 for Itanium-based Systems
The vulnerability is associated with the use of a hard coded password to protect the database used by these applications, and which became publicly known. The vulnerability has been exploited in the wild leveraging USB portable device and a recently announced zero day vulnerability in the Windows Operating System (MS Knowledge Base Article 2286198). This vulnerability has been assigned the CVE identifier CVE-2010-2568.
Suggested action
Siemens has released a fix to address this specific issue, found in reference D below. CCIRC recommends that organizations liaise with the administrators/maintainers of affected assets and commence requisite remediation planning/implementation as soon as possible.
References:
A. http://www.microsoft.com/technet/security/advisory/2286198.mspx
B. http://www.tofinosecurity.com/professional/siemens-pcs7-wincc-malware
C. http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-...
D. http://support.automation.siemens.com/WW/llisapi.dll/csfetch/43876783/sy...
Checksum:
E. http://support.automation.siemens.com/WW/llisapi.dll/csfetch/43876783/ch...
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca
Top Digging, McJ
(if that's not an oxymoron, McJ!) Windows, eh?! Unbelievable!
AP at Twelfth Bough has an excellent post up on this with some top links. From this one we learn that the hackers used stolen digital certificates to gain access. But could these have come directly from Siemens?
From another of AP's links comes this quote-
"The Stuxnet worm, dubbed the world's first cyber superweapon, may have been originated from German giant Siemens, says a senior technology consultant at system security developer Sophos.
The worm may have been written by someone with detailed knowledge of Siemens' computer systems, Graham Cluley said on Friday.
Speaking to Computer and technology news website, V3, Cluley said the person may possibly be a current or former employee of the German industrial giant whose control systems are widely used to manage industrial facilities such as oil rigs and power plants.
"The message I got was that it appears to have been written by someone with inside knowledge of how Siemens' systems work," he said after attending the Virus Bulletin 2010 conference in Vancouver in Canada. "
From my limited knowledge and reading, it seems to have been designed to go viral. Of course, it not only targets Iran but Iran's allies and business partners as well; Russia and China amongst them. Hey guys, say hello to your new best friend, israel! Same for you, India and Indonesia.
As for who is responsible Twelfth Bough has this link to the NYT
The article almost crows about Israel being responsible. This is significant coming from the NYT. (If israel didn't want to be seen as responsible, it would not be in the NYT. Oh, Hubris, what have you done?!). It also tries to implicate Russia as being the vehicle of delivery and quotes Siemens as not doing business with Iran.
Alexander Machowetz, a spokesman in Germany for Siemens, said the company did no business with Iran’s nuclear program. “It could be that there is equipment,” he said in a telephone interview. “But we never delivered it to Natanz.”(no, of course, you didn't. ed)
But Siemens industrial controllers are unregulated commodities that are sold and resold all over the world — the controllers intercepted in Dubai traveled through China, according to officials familiar with the seizure. (who shall remain nameless, of course, and who dob in their other new best friend, China.)
Sun Tzu's "The Art of War" is required reading for all senior military officers in China. One of SunTzu's tenets is that you must watch your allies closer than your enemy. Good luck, israel!
Oh, and btw, israel does a lot of business with Iran via Dubai.
Morons using oxymorons
Top Digging - "(if that's not an oxymoron, McJ!)"
It just may be.
OT here, but a guy over on our Canadian FB site was arguing what a wonderful guy Bill Gates was giving away so much money and all. And that he was good at it because he was such a successful business man and demanded results. He called him a "ruthless humanitarian". Now there's an oxymoron for you!
barely on topic
The long-awaited next installment is up now, and I hope you'll enjoy "Chapter 9: Diversionary Tactics", as "Sherlock Holmes and the Alderney Street Mystery" continues ...
Addiction on Baker St.
Excellent writing, WP. But it's becoming addictive; the more I get the more I want! (Come to think of it, wasn't Holmes partial to a certain substance? Or was that Doyle himself?)
Thanks, James.
My deepest desire is to ensnare you in a mystery!
Holmes did take a bit of cocaine occasionally -- to relieve boredom -- but he was not addicted to it.
He WAS addicted to tobacco, however, and the stronger the better.
updated version of MAD?
thanks for the links James. i'm turning this over and over in my mind, and i'm thinking they either 1) want to take everything down just like with the economy, a la the Samson Option; or 2) they just want to have that threat hanging over everyone's head as in Cold War Mutually Assured Destruction. ?? i assume that if the israelis really did it they are the experts on game theory and they ran it through their simulations and therefore have some confidence that this will work out well for them. hopefully they made a mistake with their assumptions.
if they worked in conjunction with some Russians they may have been outsmarted. we can always hope. in any case it seems to close off a whole branch of the decision tree leading to war with Iran (good, although that's no guarantee they won't stop talking about it), while opening up an entirely new set of problems which has caught many people by surprise. so they have the rest of the world on the back foot at the moment. but as i said, possibly they didn't think it all through and they will be the ones who end up on the back foot. for instance, i really don't think the chinese would be amused since they are making all sorts of arrangements with israel and this appears to be a form of extortion, which people tend to resent.
"this appears to be a form of
"this appears to be a form of extortion, which people tend to resent."
Yes, it can lead to less than warm feelings, I believe, AP!
Hubris, I think, is about projecting an image of power, even invincibility. They, no doubt, think it enhances their position for current and future negotiations. So, imnho, there is much to your two suggestions because both the Samson Option and MAD have been admitted as being negotiating strategies.
Game theory, as you say. It works fine until the 'game is up'; till the 'encryption key' is found where by the 'good option' or the 'lesser of two evils' (in this case, giving israel whatever it wants) is then seen for what it is - the greater evil.
Well known security vulnerability
Wired is reporting that the hard coded password (the Cryptographic Key) used to protect the database in Siemens Simatic WinCC SCADA system, which runs on Windows operating systems, has been available online since at least 2008. It was published online to the Siemens technical forum in both Germany and Russia by an anonymous poster named Cyber. It was apparently deleted shortly thereafter by a Siemens moderator.
Chris Wysopal from Veracode, a company that examines code for both developers and users to find out how secure their code is, had this to say about Siemens:
"Siemens has put their customers at risk with this egregious vulnerability in their software. Worse, in my book however, is all the customers who purchased the software not knowing of its risk. Software customers that are operating SCADA systems on critical infrastructure or their factories with the WinCC Software had a duty to their customers and shareholders to not purchase this software without proper security testing.
We should ask the question, “Why didn’t Siemens fix the hard coded password vulnerability when it was first publicly disclosed?” They waited 2+ years and started to fix it only after a worm exploited it. We should also ask the question, “Is it negligence when you don’t fix a critical known vulnerability and wait for your customers to get exploited?”
Why indeed! Was it negligence or was it by design? And why didn't Microsoft release a patch for Windows?
He also points out that hard-coding a secret password or cryptographic key into your program is #11 on the CWE/SANS Top 25 Most Dangerous Software Errors, an industry standard list that Veracode contributed to.
CWE stands for Common Weakness Enumeration and is a community developed dictionary of software weakness types. A list of the 'Top 25 Most Dangerous Programming Errors' was recently released.
The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe with the support of the US Department of Homeland Security's National Cyber Security Division. The list gives "detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them." See here.
This is what the CWE/SANS Top 25 Most Serious Software Errors has to say about hard coded passwords:
“Hard-coding a secret password or cryptographic key into your program is bad manners, even though it makes it extremely convenient – for skilled reverse engineers. While it might shrink your testing and support budgets, it can reduce the security of your customers to dust. If the password is the same across all your software, then every customer becomes vulnerable if (rather, when) your password becomes known. Because it’s hard-coded, it’s usually a huge pain for sysadmins to fix. And you know how much they love inconvenience at 2 AM when their network’s being hacked – about as much as you’ll love responding to hordes of angry customers and reams of bad press if your little secret should get out. Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers won’t see it that way. Another way that hard-coded credentials arise is through unencrypted or obfuscated storage in a configuration file, registry key, or other location that is only intended to be accessible to an administrator. While this is much more polite than burying it in a binary program where it can’t be modified, it becomes a Bad Idea to expose this file to outsiders through lax permissions or other means.” Emphasis mine.
After just a little bit of googling, I was able to figure out that the hard coded password vulnerability (that has now been exploited to create our first example of weaponized software, a cyber missile in the form of the Stuxnet worm) is common knowledge amongst the cyber security world. Furthermore, you can carry this weapon around on a USB stick.
How can this be? It boggles the mind that Iran could be using this software for their nuclear plant or that thousands of critical utilities and manufacturing facilities around the world are at risk because they are using a piece of software which contains a well known, extremely serious security risk.
A commenter at the Veracode site had this to say. "[It was] obviously done on purpose, a backdoor left for someone special to use someday, and someday is today."
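To make the CWE point concrete, here is an added example (written for this thread; not Siemens code, and the account name and password in it are made up rather than the real WinCC ones) showing the two halves of the problem: the shared built-in secret that the CWE entry warns about next to a per-installation credential that fails closed when absent, plus the kind of review check that would have caught the former before shipping. WINCC_DB_PASSWORD is a hypothetical environment variable name, and the scanned source text at the bottom is a constructed sample.

```python
import re

# The pattern the CWE entry warns about. Constructed values: the real WinCC
# account and password are deliberately not reproduced here.
DB_USER = "wincc_app"
DB_PASSWORD = "Pa55w0rd!"   # baked into the binary: identical at every site, unchangeable by admins


def connect_string_insecure():
    """One shared secret for every customer. Once it leaks (a forum post is
    enough), every installation is open at the same moment."""
    return f"user={DB_USER};password={DB_PASSWORD}"


def load_db_password(env):
    """Per-installation secret supplied at deploy time through a mapping such as
    os.environ (WINCC_DB_PASSWORD is a hypothetical name). Fails closed: a
    missing credential is an error, never a fallback to a built-in default."""
    value = env.get("WINCC_DB_PASSWORD")
    if not value:
        raise RuntimeError("no database credential configured for this installation")
    return value


def connect_string(env):
    return f"user={DB_USER};password={load_db_password(env)}"


# Heuristic review check: an identifier that smells like a credential assigned a
# quoted literal. Values read from the environment, a file or a function call do
# not match, and comment lines are skipped. Like any such scanner it is a net,
# not a proof; what it finds still needs a human to confirm.
SECRET_ASSIGNMENT = re.compile(
    r"""(?P<name>\w*(?:password|passwd|pwd|secret|api_?key|token)\b)
        \s*[:=]\s*
        ["'](?P<value>[^"']{4,})["']""",
    re.IGNORECASE | re.VERBOSE,
)


def find_hardcoded_secrets(source):
    """Return [(line_number, identifier)] for every literal credential in `source`."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            hits.append((lineno, m.group("name")))
    return hits


# Constructed sample input for the scanner (not real product code).
SAMPLE_SOURCE = """\
# constructed sample
DB_USER = "wincc_app"
DB_PASSWORD = "Pa55w0rd!"
api_key = 'AKIA-example-0000'
token = load_token()                   # call, not a literal: fine
password = os.environ["DB_PASSWORD"]   # read at runtime: fine
"""

if __name__ == "__main__":
    print(connect_string_insecure())
    print(connect_string({"WINCC_DB_PASSWORD": "site-specific-secret"}))
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: literal credential assigned to {name}")
```

Run the scanner over this file itself and it flags the DB_PASSWORD line at the top, which is the point: the weakness is visible in the source long before anyone ships it, and a check like this in code review or CI costs nothing compared with a fleet of customers sharing one leaked password.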
The Samson option.
btw Right now, I'm leaning towards the Samson option.
good stuff McJ
just amazing how these things happen at a world class company like Siemens. Very Regrettable, to be sure. i would think there must be some Human Error in there too.
btw Right now, I'm leaning
btw Right now, I'm leaning towards the Samson option.
Don't do it, McJ.
Put the gun down. We can talk.
lol
LIHOP or MIHOP?
Yes, McJ, I'll add my voice to AP's here. Well done! It looks like this is another case of determining complicity through seeing what should have happened and didn't.
Gee, I wonder if israeli companies use Siemens WinCC controllers? I wonder if they use Windows, period? It might account for some of the lunacy of putting this worm out there to be decoded and reused.
Thanks all for your kind
Thanks all for your kind words. I have some more information coming about Siemens and Iran and I am debating whether to put it in a comment or a blog post. It takes a little bit of explanation but I'm not sure where it is going. It is interesting never the less.
"LIHOP or MIHOP?"
Well this afternoon I was leaning towards LIHOP, tonight after my reading I'm leaning the other way.
I seem to be doing a bit of leaning these days, I may need a new pair of flip-flops.
Eileen Toophare
Maybe put it in the front page if it requires a bit of space, McJ. It is turning out to be quite a ball of string.
HAHAHAHA- It's getting late
HAHAHAHA-
It's getting late here and I looked at that and thought who the heck is Eileen Toophare and what does she have to do with this.
Her mother named her after
Her mother named her after Eileen Dover, the late lamented bungee jumper. I was afraid that reference would fall flat on its face! As Eileen often did. She liked a tipple or two and often went for a topple or two, too.
And yes, what are you doing up this late? No wonder you are wobbling all over the place.
You have a never ending
You have a never ending supply of those, don't you?
"what are you doing up this late no wonder you are wobbling all over the place"
Well, Eileen Dover and I pulled on that ball of string and it began to unravel. So, I chased it and now I'm feeling a little tired and tipsy trying to figure out where it is going next.
I was going to try and write this up tonight but I think it will have to wait until tomorrow when I'm not so tired.