The Glade 4.0

Author Message
 Post subject: Cyber Warfare
PostPosted: Mon Oct 25, 2010 6:54 pm 

Joined: Thu Sep 03, 2009 3:08 am
Posts: 6465
Location: The Lab
Interesting article about Stuxnet.

This is a blog post I found on someone's LinkedIn profile. I'm not presenting it as an authoritative source, but as a discussion point on the potential for cyber warfare. It probably doesn't need to be in Hellfire, but I figured I'd play it safe.

Posted without commentary

http://warintel.blogspot.com/2010/10/st ... 20-30.html

Gerald The Internet Anthropologist wrote:
Stuxnet 2.0

We were going to write about the next generation of Stuxnet.
But realized the Iranian Reactor Stuxnet is the 2.0 version.

This paradigm was developed from paradigm Intel, BSU's
and OSINT.

US to Iran CHECKMATE:

From our post of 10/17/2009 03:27:00 PM
http://warintel.blogspot.com/2009/10/ir ... -fail.html

The trade publication Nucleonics Week, let me summarize an article that appeared in its Oct. 8 issue. It reported that Iran's supply of low-enriched uranium -- the potential feedstock for nuclear bombs -- appears to have certain "impurities" that "could cause centrifuges to fail" if the Iranians try to boost it to weapons grade.

The impurities, certain metallic fluoride compounds, "would interfere with centrifuge enrichment" at Iran's facility at Natanz.

From one of our sources inside the beltway.

"Their uranium is highly contaminated with molybdenum hexafluoride (MoF6)."

If they try and use it in the centrifuges it destroys them. Iran took it all out and dumped it, they have no idea how it happened.

Our hypothesis is Stuxnet 1.0 did the deed.

And the current version of Stuxnet is 2.0, and was meant to be discovered.

Version 1.0 is much stealthier, and as of yet still undiscovered.

Version 2.0 exposure alone will stop Iran from trying to produce nukes.

2.0 is built for persistence. Iran still can't get rid of it; if it exists on any of the PCs or control machines it will reinfect everything, unless you kill every instance of it all at once.

1.0 is much stealthier and has to date still avoided exposure, and is hiding throughout Iran's infrastructure. If Iran is successful in killing 2.0, then the invisible version will reinfect 2.0 all over again. Iran's nuclear bomb program is doomed.

And if Iran knows 2.0 is looking they will not try and restart a bomb program. They might try and rebuild the reactors and centrifuges but run the risk of an infection they can't seem to kill.

Our report from the Russians indicated Stuxnet successfully hit 1368 of 5000 centrifuges at the uranium enrichment plant at Natanz, as well as disrupted launch date of nuclear plant at Bushehr.

At this point Iran cannot even start an enrichment program to make a nuke. Every time they do the product destroys the centrifuges.

And they don't know why or how.

Their head scientist, the head of the Atomic Energy Organization of Iran, Gholam Reza Aghazadeh, resigned without explanation. The Regime viewed him as a failure.


This is the second time Iran has tried to enrich product approaching nuclear bomb grade and is the second time their centrifuges have been destroyed trying.

Check Mate, Iran is helpless before the cyber techno-threat.

Stuxnet has crippled the Iranian Nuclear program for the foreseeable future.

As the sanctions cripple the economy. Next move: "Green Party" regime change. It's up to you now.


 Post subject: Re: Cyber Warfare
PostPosted: Mon Oct 25, 2010 7:26 pm 
Commence Primary Ignition

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Why would the Iranians have their centrifuge control systems on systems attached to the internet?

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject:
PostPosted: Mon Oct 25, 2010 8:11 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
They wouldn't have to. Stuxnet spreads by infected USB drives.

I work for an engineering company that, among other things, designs SCADA systems, so I've been keeping an eye on the Stuxnet saga. I don't know if Iran's uranium enrichment was the target or not, but I'll say this -- Stuxnet is goddamn creepy. And the more I learn about it, the more difficult it is to believe that it could have been created by anything other than a state-sponsored agency of some kind. Hell, no one has even managed to break all of its encryption yet (and it was discovered over a year ago), so we still don't know precisely what it does or who it's targeting. However, what is clear from the parts that have been decrypted is that it does have a specific target it looks for on a continual basis (every 5 seconds, I believe), and then...does something. We don't know -- that's one of the parts that still hasn't been decrypted.

What's more, Stuxnet was first discovered in the wild in mid-2010. However, once the world knew what to look for, existing infected systems revealed versions dating back as far as mid-2009. The damn thing survived for 12 months straight without being detected by anyone. In and of itself, that's an amazing feat of malware engineering. But when we also consider that many of its targets were very sensitive government systems ... yeah. But the creepiness doesn't end there. When those early versions were finally analyzed, one of the driver components had a compile-time stamp of Jan 1, 2009. This rather strongly suggests that there are even earlier versions of Stuxnet somewhere out there. And yet, so far no one has managed to discover them. I'm not sure I can adequately emphasize how bizarre it is that a family of malware could undergo such intense scrutiny, and yet still have strains remain hidden in the wild for nearly 2 years.

And that's really only scratching the surface of the bizarre, highly sophisticated, and improbable features that Stuxnet has. I don't know if Iran is the target or not, but it seems unlikely to me that this could have been a private endeavor.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


 Post subject: Re: Cyber Warfare
PostPosted: Mon Oct 25, 2010 8:20 pm 

Joined: Sat Sep 05, 2009 1:28 pm
Posts: 476
Location: The 10th circle
Diamondeye wrote:
Why would the Iranians have their centrifuge control systems on systems attached to the internet?


If that's actually the case, then the answer of course is because most people are idiots. No 'mission critical' computer system within any society should be connected to the internet.


 Post subject: Re:
PostPosted: Mon Oct 25, 2010 8:21 pm 
Commence Primary Ignition

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Stathol wrote:
They wouldn't have to. Stuxnet spreads by infected USB drives.


Ok that would work, but once you cleaned it off once, couldn't you just shut off all your USB ports and be fairly certain that it wouldn't get back on if you specifically authorized each device?

That's what the Army did after problems with infected USB drives.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject: Re:
PostPosted: Mon Oct 25, 2010 8:24 pm 

Joined: Sat Sep 05, 2009 1:28 pm
Posts: 476
Location: The 10th circle
Stathol wrote:
...clip...


So what's your opinion? If you believe this is state-sponsored, which 'state' produced this? US? Israel? China? Russia?


 Post subject: Re: Re:
PostPosted: Mon Oct 25, 2010 9:53 pm 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Diamondeye wrote:
Ok that would work, but once you cleaned it off once, couldn't you just shut off all your USB ports and be fairly certain that it wouldn't get back on if you specifically authorized each device?

That's what the Army did after problems with infected USB drives.

Unfortunately, it's not quite that simple. I should have said that initial infection is spread by infected USB keys. Once a system is infected, it will seek to infect other machines over LAN, in particular looking for a machine on the local network with internet access. Once it finds one, it can update (and if necessary, re-infect) the local network via either C&C servers (they all went offline after Stuxnet was discovered) or, failing that, from its own peer-to-peer protocol.

But part of the problem, here, is dealing with "once you cleaned it off". Because Stuxnet functions as a rootkit, and still has significant portions of un-analyzed code, and is known to have multiple "dropper" components, you can't really be sure that a host, once infected, is ever really "clean" again. And then multiply that by all of the computers and PLCs the infected machine is potentially connected to, and all of the computers and PLCs those are connected to ...

Given the sophistication exhibited by Stuxnet thus far, I wouldn't even count on being able to get rid of it by a "naive" OS reload. Pretty much the only sure solution is to nuke it from orbit, and by that, I mean actually zeroing the hard drive of every computer and PLC on the network, and rebuilding completely from scratch. Problem is, you can't just (easily) do that when the whole purpose of your network is to control critical infrastructure and/or potentially very dangerous nuclear systems.

And, of course, if Stuxnet really is the result of state-sponsored cyber-warfare, then you can never really be sure that you don't have someone sabotaging the system from the inside.

Slythe wrote:
So what's your opinion? If you believe this is state-sponsored, which 'state' produced this? US? Israel? China? Russia?

I can't say that I really have one. That depends heavily on who its target is. Stuxnet pulls certain information out of Siemens WinCC/PCS 7 databases, builds a fingerprint from it, compares it to a target fingerprint, and then takes some as of yet unknown action if they match -- presumably something Very Bad(TM). But the fingerprinting system is basically a hash of some kind; you can't "reverse" the target from the fingerprint.

This points back to my speculation above that whoever Stuxnet is targeting has every reason to suspect a man on the inside. The only way to build the target fingerprint in the first place would be to have very specific field data from the target SCADA system -- data that shouldn't be accessible from off-site in any reasonably secure facility. To me this is one of the aspects that really points to state-sponsored activity. If the target is military or national, getting a man on the inside would be very difficult for Joe Q. Hacker. If the target is private industry or just some municipal system, then it could be the work of a disgruntled employee, etc., but that theory is hard to swallow based on the sheer complexity of Stuxnet.

So without knowing the target, it's really hard to say. Initial infection analysis seemed to indicate that the epicenter was Iran. If we speculate that this was, in fact, the target, then the most likely culprits are Israel or the U.S. I'd say that the former is probably more likely than the latter, and that "both" is somewhere in between. I'm not buying any of the supposed "Israel connections" in the code itself, but that doesn't change their position in the list of suspects, frankly.

On the other hand, there are now lots of infections in China. I tend to not think China is the target because these appear to be late infections, but there are a few counter-arguments to suggest China as a target:

1) Stuxnet's drivers are digitally signed with stolen certificates belonging to JMicron and Realtek; both are Taiwanese chip manufacturers. Neither has been able to determine how the certificates were stolen. One of the more interesting theories notes that both companies have offices in Hsinchu Science Park, and suggests that the inability to find any electronic intrusion to explain the theft could imply physical espionage. It's interesting, but I'm not sure that's anything but a red herring. If you pick any two Taiwanese chip manufacturers, I'm sure you'll find a similar connection somewhere. It's a small world. And the lack of evidence for an electronic theft could simply indicate that the culprit was very good. Given the skill with which the rest of Stuxnet was executed, that's a very real possibility.

2) One of the original C&C servers was located in Malaysia (the other was in Denmark, though). It's a pretty weak connection given how easily even amateur hackers can acquire or subvert a server in pretty much any country in the world, but we don't have much else to go on.

As an aside, what's interesting to me about 1) and 2) is not what they might say about the potential target, but simply the fact that both trails have yielded absolutely nothing. Regardless of how the certificates were stolen, it's impressive that someone could pull it off not once, but twice, without leaving any evidence behind. As to the C&C servers, the lack of fingerprints there is a bit less impressive than the certificate theft, but it's still worth noting. Following the C&C trail has busted a number of "expert" crackers out there, including (most notoriously) the NetSky guy. Again, to me this points to a level of expertise that's a little hard to attribute to conventional cracker groups -- even very good ones.

Final thought: whoever owns the target system almost certainly knows they were the target. Supposing that it were Iran, what would they do with that information? I really don't know. Normally, I'd say that they're not the type to shy away from an opportunity to point the finger at Israel or the U.S., but I'm not sure what they could hope to accomplish by doing so. Whoever the target is, if the speculation is correct that Stuxnet is being targeted via inside information, then I'm guessing it would be in their best interest not to acknowledge their awareness.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


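The post above describes the targeting logic as "basically a hash of some kind" that can be compared but not reversed. The following is an added illustration of that idea written for this thread; it is not Stuxnet's code, and the field names, the SHA-256 choice and the sample plant descriptions are all constructed assumptions (the real fields read from the WinCC/PCS 7 database are not given here). It shows the one check a defender can actually do with a recovered fingerprint: compute the digest of your own plant description and see whether it matches, without learning anything about the intended target from the digest itself.

```python
import hashlib
import hmac
import json

# Hypothetical field names standing in for whatever project data the malware
# reads out of the SCADA database; they are NOT the fields Stuxnet really used.
FINGERPRINT_FIELDS = ("plc_family", "plc_count", "drive_vendor", "drive_count", "rotor_rpm")


def canonical_bytes(config):
    """Serialize only the fingerprinted fields, in a fixed key order, so the
    same plant description always produces the same bytes."""
    subset = {key: config[key] for key in FINGERPRINT_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(config):
    """One-way digest of a plant description: cheap to compare, not invertible."""
    return hashlib.sha256(canonical_bytes(config)).hexdigest()


def matches_target(config, target_fp):
    """Would this plant description satisfy the recovered target fingerprint?"""
    return hmac.compare_digest(fingerprint(config), target_fp)


def scan_inventory(inventory, target_fps):
    """Defender-side check: which of our own assets match any recovered target
    fingerprint? Returns asset names in inventory order."""
    return [name for name, cfg in inventory.items()
            if any(matches_target(cfg, fp) for fp in target_fps)]


def differing_hex_positions(digest_a, digest_b):
    """Count hex positions where two digests differ; a one-field change in the
    input scrambles most of the digest, which is why it cannot be 'reversed'."""
    return sum(1 for a, b in zip(digest_a, digest_b) if a != b)


# Constructed sample data. In a real investigation analysts recover only the
# digest string from the malware; the description that produced it is unknown.
TARGET_CONFIG = {"plc_family": "family-A", "plc_count": 6, "drive_vendor": "vendor-X",
                 "drive_count": 48, "rotor_rpm": 12000}
CAPTURED_TARGET_FP = fingerprint(TARGET_CONFIG)

# Our own (constructed) asset inventory; keys outside FINGERPRINT_FIELDS are ignored.
INVENTORY = {
    "cascade-hall-1": dict(TARGET_CONFIG, site="north"),
    "cascade-hall-2": dict(TARGET_CONFIG, drive_count=47),       # one field differs
    "test-bench": dict(TARGET_CONFIG, plc_family="family-B"),   # one field differs
}

if __name__ == "__main__":
    print("recovered target fingerprint:", CAPTURED_TARGET_FP)
    print("assets that match it:", scan_inventory(INVENTORY, [CAPTURED_TARGET_FP]))
    a = fingerprint(INVENTORY["cascade-hall-1"])
    b = fingerprint(INVENTORY["cascade-hall-2"])
    print("hex positions changed by a one-field difference:", differing_hex_positions(a, b), "of 64")
```

The point of `scan_inventory` is that the comparison only runs in one direction: an operator who already knows their own plant can confirm or rule out a match, but nobody holding just the digest can recover the plant description from it, which is exactly why the post argues that the fingerprint had to be built from field data obtained on site.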
 Post subject:
PostPosted: Mon Oct 25, 2010 11:40 pm 

Joined: Wed Sep 02, 2009 10:49 pm
Posts: 3455
Location: St. Louis, MO
Stathol, since you seem to have an interest, you may want to consider participating in the SCADAsec mailing list http://news.infracritical.com/mailman/listinfo/scadasec



 Post subject:
PostPosted: Tue Oct 26, 2010 8:40 am 
adorabalicious

Joined: Thu Sep 03, 2009 10:54 am
Posts: 5094
Disconnect all inter-connectivity. Take out the data mediums at the hardware level - replace them one at a time. Once all are replaced re-enable interconnectivity.

Long, slow, expensive but certain.

_________________
"...but there exists also in the human heart a depraved taste for equality, which impels the weak to attempt to lower the powerful to their own level and reduces men to prefer equality in slavery to inequality with freedom." - De Tocqueville


 Post subject: Re:
PostPosted: Tue Oct 26, 2010 9:24 am 

Joined: Tue Sep 08, 2009 9:36 am
Posts: 4320
Elmarnieh wrote:
Disconnect all inter-connectivity. Take out the data mediums at the hardware level - replace them one at a time. Once all are replaced re-enable interconnectivity.

Long, slow, expensive but certain.


Not necessarily. As soon as you replace one data medium, it will likely be infected by the remaining data mediums.


 Post subject:
PostPosted: Tue Oct 26, 2010 9:44 am 

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
Lots of times industrial equipment is required to be networked together just to manage the operations. A standalone CNC mill ... would just stand there. You have to get the work files from the CAD design workstation there somehow, you're certainly not going to program it where it stands. The workstation needs management too... a single station can be managed, but when you multiply the infrastructure by thousands it's more problematic. Slip in an infected USB drive, or a workstation ethernet card with infected firmware, or even a networked printer... pwned.

I have no idea how these centrifuges or other infected systems actually work, but I'd not be surprised if there were similarities.

_________________
In time, this too shall pass.


Last edited by Taskiss on Tue Oct 26, 2010 9:47 am, edited 1 time in total.

 Post subject: Re: Re:
PostPosted: Tue Oct 26, 2010 9:46 am 
adorabalicious

Joined: Thu Sep 03, 2009 10:54 am
Posts: 5094
Aizle wrote:
Elmarnieh wrote:
Disconnect all inter-connectivity. Take out the data mediums at the hardware level - replace them one at a time. Once all are replaced re-enable interconnectivity.

Long, slow, expensive but certain.


Not necessarily. As soon as you replace one data medium, it will likely be infected by the remaining data mediums.



By what remaining data mediums? We've disconnected it from everything else and are replacing the data hardware itself. Unless the virus can live in unpowered copper wire itself - it's gone.

_________________
"...but there exists also in the human heart a depraved taste for equality, which impels the weak to attempt to lower the powerful to their own level and reduces men to prefer equality in slavery to inequality with freedom." - De Tocqueville


 Post subject: Re:
PostPosted: Tue Oct 26, 2010 10:34 am 
Lean, Mean, Googling Machine

Joined: Thu Sep 03, 2009 9:35 am
Posts: 2903
Location: Maze of twisty little passages, all alike
Taskiss wrote:
*words*

Yeah, pretty much this. If you found that you had an infection within a large-scale industrial system like an oil refinery...ugh. Doing a complete shutdown, reload, and restart of every computer and PLC in the entire system could take weeks, if not longer. The cost would easily be in the millions, and if anything was missed, it could all have been in vain.

_________________
Sail forth! steer for the deep waters only!
Reckless, O soul, exploring, I with thee, and thou with me;
For we are bound where mariner has not yet dared to go,
And we will risk the ship, ourselves and all.


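Several posts in this thread argue about remediation order: the quoted blog says you have to "kill every instance of it all at once", Elmarnieh proposes disconnecting everything and replacing media one at a time, Aizle objects that a freshly replaced medium gets reinfected by the ones still infected, and Stathol notes that "if anything was missed, it could all have been in vain." The following is an added simulation written for this thread, not code from any of the posters and not Stuxnet's propagation logic; the six-node plant network and the "any infected neighbour reinfects over a live link" rule are constructed assumptions. It compares cleaning hosts one at a time with links live, cleaning them with links cut, and cleaning everything except one missed host.

```python
from collections import deque

# Constructed example topology (not a real plant): two engineering workstations,
# one gateway that has outside connectivity, and three PLC-facing nodes.
# Edges are undirected; a value is the set of hosts a key can reach directly.
PLANT_NETWORK = {
    "gateway": {"eng-ws-1", "eng-ws-2"},
    "eng-ws-1": {"gateway", "eng-ws-2", "plc-1", "plc-2"},
    "eng-ws-2": {"gateway", "eng-ws-1", "plc-3"},
    "plc-1": {"eng-ws-1"},
    "plc-2": {"eng-ws-1"},
    "plc-3": {"eng-ws-2"},
}
ALL_HOSTS = frozenset(PLANT_NETWORK)


def spread_to_fixpoint(network, infected):
    """Assumed spread rule: over live links, every host reachable from an
    infected host becomes infected. Breadth-first until nothing new is reached."""
    infected = set(infected)
    queue = deque(infected)
    while queue:
        host = queue.popleft()
        for peer in network.get(host, ()):
            if peer not in infected:
                infected.add(peer)
                queue.append(peer)
    return infected


def clean_one_at_a_time(network, infected, order, links_live):
    """Rebuild hosts in the given order. With links live, one propagation pass
    runs between rebuilds, so a freshly rebuilt host can be reinfected before
    the next one is touched. With links cut, nothing spreads between steps."""
    infected = set(infected)
    for host in order:
        infected.discard(host)          # this host is now clean
        if links_live:
            infected = spread_to_fixpoint(network, infected)
    return infected


def clean_all_but(network, infected, missed):
    """Rebuild everything except the hosts in `missed`, then bring all links
    back up and let whatever survived spread again."""
    survivors = {host for host in infected if host in missed}
    return spread_to_fixpoint(network, survivors)


def remediation_report(network=PLANT_NETWORK):
    """Summarize the three strategies on a fully infected plant."""
    order = sorted(network)
    return {
        "sequential, links live": sorted(clean_one_at_a_time(network, ALL_HOSTS, order, True)),
        "sequential, links cut": sorted(clean_one_at_a_time(network, ALL_HOSTS, order, False)),
        "all at once, plc-3 missed": sorted(clean_all_but(network, ALL_HOSTS, {"plc-3"})),
        "all at once, nothing missed": sorted(clean_all_but(network, ALL_HOSTS, set())),
    }


if __name__ == "__main__":
    for strategy, still_infected in remediation_report().items():
        print(f"{strategy:30s} -> still infected: {still_infected or 'none'}")
```

Under these assumptions the first strategy ends exactly where it started, because every rebuilt host has an infected neighbour the moment it comes back; the second ends clean, which is Elmarnieh's point about disconnecting first; and the third shows that a single missed PLC-facing node is enough to reinfect the whole plant once links are restored, which is the "all have been in vain" case. The model says nothing about whether a given host is really clean after a rebuild, which is the separate problem Stathol raises about rootkits and unanalyzed droppers.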
 Post subject:
PostPosted: Tue Oct 26, 2010 1:57 pm 
Has a plan

Joined: Fri Sep 04, 2009 2:51 pm
Posts: 1584
They don't make viruses for the abacus. Just sayin'

_________________
A man who has nothing for which he is willing to fight, nothing which is more important than his own personal safety, is a miserable creature and has no chance of being free unless made and kept so by the exertions of better men than himself. ~ John Stuart Mill


 Post subject: Re:
PostPosted: Tue Oct 26, 2010 2:01 pm 

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Hannibal wrote:
They don't make viruses for the abacus. Just sayin'

Sure they do. Ebola.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


 Post subject:
PostPosted: Tue Oct 26, 2010 2:18 pm 
Manchurian Mod

Joined: Fri Sep 04, 2009 9:40 am
Posts: 5866
When you get right down to it, they do. How do you think a computer works?

_________________
Buckle your pants or they might fall down.


 Post subject:
PostPosted: Tue Oct 26, 2010 2:19 pm 
Has a plan

Joined: Fri Sep 04, 2009 2:51 pm
Posts: 1584
So you're saying Ebola was engineered in order to get rid of the abacus? You best be citin sources or Imma call ya out on it foo.

_________________
A man who has nothing for which he is willing to fight, nothing which is more important than his own personal safety, is a miserable creature and has no chance of being free unless made and kept so by the exertions of better men than himself. ~ John Stuart Mill


 Post subject: Re:
PostPosted: Tue Oct 26, 2010 4:49 pm 

Joined: Wed Sep 02, 2009 7:59 pm
Posts: 9412
Hannibal wrote:
So you're saying Ebola was engineered in order to get rid of the abacus? You best be citin sources or Imma call ya out on it foo.

No, but it spreads via the abacus vector, and destroys the abacus' CPU.

_________________
"Aaaah! Emotions are weird!" - Amdee
"... Mirrorshades prevent the forces of normalcy from realizing that one is crazed and possibly dangerous. They are the symbol of the sun-staring visionary, the biker, the rocker, the policeman, and similar outlaws." - Bruce Sterling, preface to Mirrorshades


 Post subject: Re: Re:
PostPosted: Tue Oct 26, 2010 5:22 pm 
Has a plan

Joined: Fri Sep 04, 2009 2:51 pm
Posts: 1584
Kaffis Mark V wrote:
Hannibal wrote:
So you're saying Ebola was engineered in order to get rid of the abacus? You best be citin sources or Imma call ya out on it foo.

No, but it spreads via the abacus vector, and destroys the abacus' CPU.


Easily prevented by not licking your abacus. Or washing your hands after letting someone else use your abacus.

_________________
A man who has nothing for which he is willing to fight, nothing which is more important than his own personal safety, is a miserable creature and has no chance of being free unless made and kept so by the exertions of better men than himself. ~ John Stuart Mill


 Post subject:
PostPosted: Tue Oct 26, 2010 5:29 pm 
Manchurian Mod

Joined: Fri Sep 04, 2009 9:40 am
Posts: 5866
Not with the soaps typically available in societies that still rely on the abacus as the primary means of computation.

_________________
Buckle your pants or they might fall down.


 Post subject:
PostPosted: Tue Oct 26, 2010 5:44 pm 
Has a plan

Joined: Fri Sep 04, 2009 2:51 pm
Posts: 1584
Ok, don't touch your mucous membranes after touching your abacus. Of course maybe Ebola is just bleach in the gene pool.

_________________
A man who has nothing for which he is willing to fight, nothing which is more important than his own personal safety, is a miserable creature and has no chance of being free unless made and kept so by the exertions of better men than himself. ~ John Stuart Mill


 Post subject: Re:
PostPosted: Tue Oct 26, 2010 9:16 pm 
Commence Primary Ignition

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
Corolinth wrote:
Not with the soaps typically available in societies that still rely on the abacus as the primary means of computation.


If they use abacuses for computation they probably don't have TV either so I doubt they would have soaps at all.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject:
PostPosted: Wed Oct 27, 2010 7:26 am 

Joined: Fri Sep 04, 2009 10:27 am
Posts: 2169
How does molybdenum hexafluoride destroy the centrifuges?


 Post subject: Re: Cyber Warfare
PostPosted: Wed Oct 27, 2010 7:49 am 
Commence Primary Ignition

Joined: Thu Sep 03, 2009 9:59 am
Posts: 15740
Location: Combat Information Center
I'm going to guess that the centrifuges (which are highly precise pieces of equipment) are calibrated around a specific mass-volume ratio and around specific sizes of molecules for the substances to be centrifuged. When they get the wrong substances being centrifuged, it tears up that highly precise machinery.

_________________
"Hysterical children shrieking about right-wing anything need to go sit in the corner and be quiet while the adults are talking."


 Post subject:
PostPosted: Wed Oct 27, 2010 8:16 am 

Joined: Fri Feb 05, 2010 11:59 am
Posts: 3879
Location: 63368
http://lewis.armscontrolwonk.com/archiv ... o-the-bomb

Quote:
Richard Stone in this week’s Science Magazine further documents the problems that Iran is having purifying hex at its Uranium Conversion Facility (UCF) near Esfahan:

Creating purified UF6, which can be fed as a gas into centrifuges for isotope separation, would be a much bigger one. According to an official at the U.S. State Department, Iran has struggled to convert UF4 into UF6, a dangerous process involving highly toxic and corrosive fluorine gas. The official also claims that Iranian UF4 is tainted with large amounts of molybdenum and other heavy metals. These oxyfluoride impurities in UF6 “might condense” and thereby “risk blockages” of valves and piping, an IAEA specialist told Science.

_________________
In time, this too shall pass.

