I had occasion to attend the NIKSUN World Wide Security and Mobility Conference (WWSMC) on July 9, 2012 in Princeton, NJ. The day's closing speaker was Mr. Barry Lyons, CISSP, Cyber Architect, Northrop Grumman Information Systems, on the topic of "STUXNET/FLAME: The Next Generation of Hideous Cyber Attacks." During the Q&A session at the end of the talk, I questioned Barry's characterization of the STUXNET components as "new" and "game changing" and asked him what led him to believe this was the case, especially since prior research (such as in voting machines) had already revealed many similar vulnerabilities and potential exploits. In response, he hopped down off of the stage (he was wearing a wireless microphone), traveled through a large portion of the audience to just in front of where I was sitting, and asserted that voting machines were somehow different because they were "computers." (The talk as well as the Q&A portion was recorded by IEEEtv, and I will provide a link when it becomes available, to the Risks Digest.)

I thought that readers of Risks would be interested in seeing my follow-up email message to Mr. Lyons (prompted by his suggestion that we should continue the conversation later), along with his insightful reply (at the bottom):

----- Original Message -----
Subject: Your Stuxnet Talk
Date: Tue, 10 Jul 2012 11:18:59 -0400
From: RTMercuri <email@example.com>
To: firstname.lastname@example.org

Barry --

Apparently I hit a nerve last evening with my question about the potential exploits of programmable logic controllers having been warned about, years prior to the advent of Stuxnet. Upon returning home, I glanced through my Ph.D.
dissertation (Electronic Vote Tabulation: Checks & Balances, publicly defended October 27, 2000 at the School of Engineering and Applied Science of the University of Pennsylvania, freely downloadable at http://www.cis.upenn.edu/grad/documents/mercuri-r.pdf), and located (pages 49-50) the portion of the paragraph that I had recalled writing some 12 years ago, as follows: "But just because tampering with the software may not be the easiest method does not mean that it has not or will not be done. Thompson's [Footnote: Ken Thompson, "Reflections on Trusting Trust," Communications of the ACM, August 1984] implication is that the hooks and backdoors, particularly those within compilers and operating systems, exist and have already been proliferated invisibly throughout the industry. Under this view, software rigging is assumed to have already happened, rather than just a speculative possibility. One could extend these assumptions as well to the hardware. Presently there is nothing that restricts vendors from using custom integrated circuit chips in the DREs [Direct Recording Electronic voting machines], and some do, even for the CPUs. It is not inconceivable that a crafty individual could devise a set of microcoded instructions that would be activated only under certain situations. Reliance on any particular vendor or brand of components would therefore increase vulnerability. Some chips now even permit internally reconfigurable microcode as well as microarchitecture, and such a self-modifying CPU could erase any trace of its own subroutines once they were executed. With election dates and times being well-known and predictable, this could occur within the space of microseconds during the voting session." This description is most certainly generically predictive of targeted long-term attacks on specialized hardware, from particular vendors, established in air-gapped networks, that can exploit vulnerabilities such as those presented with programmable logic controllers. 
As well, numerous researchers (including Harri Hursti in 2005 and Ed Felten in 2006) have repeatedly demonstrated that removable memory units (such as those that establish ballot configurations for elections) can be compromised such that the system will generate false reports, as well as assist in the dissemination of malware that is transferable from machine to machine. The parallels to Stuxnet are clearly obvious. I had thought that you would welcome the opportunity to explain, or at least acknowledge, to the WWSMC conference audience, the fact that many salient aspects of the Stuxnet approach were indeed exploits of long-known vulnerabilities. Instead, I was rather surprised that you chose to continue with head-in-the-sand assertions that Stuxnet was somehow new and also a "game changer." I recognize that it is embarrassing that your employer, Northrop Grumman (and many other large firms relied on by the U.S. and other governments to provide security advice and protection), was caught with its pants down in being unaware of particular design flaws common to many critical infrastructure systems (including those that elect the officials that authorize payment for your security analysis and training contracts with our tax dollars). But to pretend that the possibility of such attacks had not been well-publicized by highly-regarded computer security experts, years before Stuxnet, is foolhardy, since it perpetuates the illusion that systems developers need not keep abreast of all such advance warnings in the scientific literature. Certainly, rogue government agents, malcontents, and recreational hackers, have their ears to the ground in monitoring these computer security discussions, as their proof-of-concept attacks continue to illustrate. 
This started with the Morris Worm in 1988, with its exploit of UNIX security flaws previously exposed by the hacker's father (some believe that the elder Morris may have intentionally put his son up to the challenge or conveniently provided the tools and information necessary to perform the attack, after the scientist's earlier admonishments in this regard were not taken seriously by the technical community). Indeed, Robert Sr.'s remarks (to the NY Times, November 5, 1988), that the worm "has raised the public awareness to a considerable degree" and that "it is likely to make people more careful and more attentive to vulnerabilities in the future," are not much different, especially in their naivete, from your "game changer" assertions.

As you continue in your role as a security evangelist, I would urge you to modify your take-home messages, such as in talks on Stuxnet and other NextGen attacks, to include warnings that the development of malware does not occur in a vacuum. Security experts need to be as well-informed (if not more so) on the evolving exploitable design flaws, as those who intend to compromise it already are. If not, then we are most certainly conceding the future CyberWars to the opposition. In fact, we may have already lost the upcoming battles. Good predictive security means that fewer reactive band-aids should need to be used and less loss may occur. In this regard, Dr. Pruthi and his colleagues at NIKSUN are to be commended for raising the bar on "knowing the unknown" especially by bringing such warnings to the attention of the security community while there is still time to consider redesigns, instead of encouraging reliance on after-the-fact mitigation methods.

I welcome your thoughts and hope to continue this dialogue.

Rebecca Mercuri, Ph.D., Notable Software, Inc.
----- Reply -----
Subject: Re: EXT :Your Stuxnet Talk
Date: Tue, 10 Jul 2012 16:10:52 +0000
From: Lyons, Barry (IS) <email@example.com>
To: 'firstname.lastname@example.org' <email@example.com>

Dear Dr. Mercuri,

Wishing you success in all endeavors.

Barry Lyons, CISSP
Sent from BlackBerry - please forgive errors.
http://j.mp/M4qHis (Technology Review via NNSquad) "The firm gathers publicly available voter files from all 50 states and supplements this with records of political donations and other profiles purchased from commercial data brokers, says CEO Jeff Dittus. Then, working with about 100 high-traffic websites that register their users, they can match the offline data to the online identities of individuals." While I generally feel that way too much angst is directed Web site ad personalization and related tracking, the creepy line is breached for me when non-Web activities (and related identity linkages at some level) are merged with online actions, especially without users' active notification and specific informed consent. This is particularly of concern when political activities are involved, since the main goal of such systems seems to be to pitch what cynical observers of the political process might call personalized lies. The underlying technology is not new. I've been publicly discussing what I consider to be abuses in this realm by Aristotle, in postings I've made since late in the last century! And to see Aristotle now salivating at the prospect of how online voting would play into all this has to be one of the most chilling warnings against the utterly unworkable and dangerous concept of online voting that has yet been explicitly stated, albeit unintentionally.
Interesting story from aero-news.net [Thanks to Ira Rimson]

A JetBlue A320 on a flight from Las Vegas to New York Tuesday reportedly lost two of its three hydraulic systems during the flight, which forced the pilot to circle an area south of the Nevada city for four hours burning off enough fuel to make a safe landing. Passengers described the experience as the airplane "careening wildly through the sky" as it made steep turns and "lurched from side to side." One of the pilots of the plane told ATC that "we've lost two hydraulic systems," and declared an emergency, according to a report in the New York Post. JetBlue confirmed that the incident occurred. The plane, which had just departed from Las Vegas, carried five hours of fuel. The A320 is unable to dump fuel, so the pilot had to stay airborne while it was burned off. One passenger described the flight as "four hours of hell." Another described "an obvious metal screeching" just as the airplane lifted off from McCarran International Airport.

Dave Esser, an ERAU professor based in Florida, said that the side-to-side swerving was a likely sign of a loss of lateral control. But Esser said the passengers were not in serious danger because of the backup systems and redundancies built into the Airbus. However, an Airbus manual indicated that the simultaneous failure of two hydraulic systems is "improbable in operation." The airplane did eventually land safely. The FAA and NTSB will conduct an investigation.
Daiichi (Yurman, RISKS-28.87)

In RISKS-28.87, Dan Yurman tries to reassure us about the state of the Spent Fuel Pool in Reactor Building 4 at Fukushima Daiichi nuclear power plant. Yurman cites an article by Will Davis on a blog at the American Nuclear Society. Yurman's note seems to me to be little more than propaganda, and Davis's account is flawed.

There are obvious reasons to continue to worry about the state of this Spent Fuel Pool (SFP4), about its structural stability, as well as the continued viability of its ad-hoc cooling system. As far as I know, there is no public hazard analysis of the state of SFP4; neither do I know of an engineering assessment of it independent of Tepco. Such an independent assessment seems to me to be required. There are instances in which engineering representations in which Tepco has been involved, for example assessing the INES Level of the situation at Reactors 5 and 6, have misled as to the true situation. That is surely something which would have been noted in an adequate report on engineering performance, yet Tepco has recently produced one and "exonerates itself", according to the New York Times' Hiroko Tabuchi. http://www.nytimes.com/2012/06/21/world/asia/tepco-operator-of-fukushima-exonerates-itself-in-report.html It "never hid information, never underplayed the extent of fuel meltdown and certainly never considered abandoning the ravaged site. It asserts that government interference in the disaster response created confusion and delays."

The worst case outcome of a structural failure of SFP4 is nowhere near benign, as Davis suggests. The chances of that worst-case outcome are neither zero nor negligible. These two observations alone suffice to vitiate the claims of Yurman and Davis.

I wrote an extended essay at http://www.abnormaldistribution.org/2012/06/05/concerns-about-spent-fuel-pool-4-at-fukushima-daiichi/

Peter Bernard Ladkin, University of Bielefeld and Causalis Limited
[From Richard I. Cook, MD]

http://naiic.go.jp/en/report/
http://naiic.go.jp/en/about/chairmans-message/

Chairman's message:

"...nuclear power became an unstoppable force, immune to scrutiny by civil society. Its regulation was entrusted to the same government bureaucracy responsible for its promotion. At a time when Japan's self-confidence was soaring, a tightly knit elite with enormous financial resources had diminishing regard for anything 'not invented here.'

"This conceit was reinforced by the collective mindset of Japanese bureaucracy, by which the first duty of any individual bureaucrat is to defend the interests of his organization. Carried to an extreme, this led bureaucrats to put organizational interests ahead of their paramount duty to protect public safety.

"Only by grasping this mindset can one understand how Japan's nuclear industry managed to avoid absorbing the critical lessons learned from Three Mile Island and Chernobyl; and how it became accepted practice to resist regulatory pressure and cover up small-scale accidents. It was this mindset that led to the disaster at the Fukushima Daiichi Nuclear Plant..."
and a 20+ minute show goes off in 15 seconds.... I'm shocked to read that: Garden State co-owner August Santore spoke to KPBS media partner Channel 10 News. He said the mishap wasn't due to human error or firework technology, but to a corrupt computer file. <http://www.kpbs.org/news/2012/jul/05/sd-bay-fireworks-show-major-misfire/> [Corrupt, eh? I'm really shocked that a computer file would be so evil. PGN]
Last Tuesday, 19 Jun 2012, the Royal Bank of Scotland upgraded a computer system associated with transaction processing. It didn't go well.

The transaction-processing system, which apparently processes up to 10 million transactions per day, was not able to keep up with demand. *The Guardian* is reporting that up to 13 million customers of RBS and subsidiary banks, including NatWest and Ulster Bank, have been unable to access account information. Payments, including automatic payments on loans, have not been made. The Financial Services Authority, which regulates banking and finance in GB, is demanding a "complete account" of the problems. The bank branches have been open later, until 7pm, to enable personal transactions for people after work, and were also open Sunday, for which 7,000 temporary staff were hired, according to the Guardian.

I have no technical details. The public reports seem to be somewhat shy of details. I don't know whether it is SW, HW, or SW+HW, and I don't know which system is involved; whether it is the transaction-processing system itself or some other interconnected system.

Stephen Hester, chief executive of RBS, says the bank is "well on the way to recovery" from the problems. Reports from customers on Monday, 25 June, were that many were no longer experiencing problems.

Suppose that such computerised highly-connected transaction-processing systems have been in place for 40 years (Wikipedia suggests that the first "modern" ATMs, which were enabled for simultaneous transaction processing, came into use in 1972 in the UK, although I remember them first from Wells Fargo Bank in California in the mid-late 1970's.) At 8,760 hours in the year (or 8,784 in a leap year), 40 years represents about 350,000 operating hours. Looking at it another way, if there is a major system upgrade once a week, then 40 years represents about 20,000 system upgrades.
Although these figures do not give much of a guide to reliability (for example, the systems have changed almost unrecognisably in this time), upgrading a running TP system seems not to be an operation which one would call ultrareliable, given the meaning of that term in the critical-systems community.

Peter Bernard Ladkin, Causalis Limited and University of Bielefeld

[Also noted by Wendy Grossman. PGN]
http://www.guardian.co.uk/technology/2012/jun/25/how-natwest-it-meltdown
Companies are of course responsible for problems caused by shortcuts, mistakes, malfeasance. But it's not clear who's the villain here—if there is one. Offshoring jobs is mentioned but not conclusively implicated. The company's mostly apologetic tone seems appropriate (though more explanation would have helped) and the last couple sentences are correct: Things go wrong. Things go wrong in technology. We have to learn the lessons from what went wrong here and try to make them less likely to happen in the future.

RBS computer failure condemns man to spend weekend in the cells - Telegraph [Source: *The Telegraph*]
http://www.telegraph.co.uk/finance/personalfinance/consumertips/banking/9355467/RBS-computer-failure-condemns-man-to-spend-weekend-in-the-cells.html

Gabriel Goldberg, Computers and Publishing, Inc. firstname.lastname@example.org
3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433
http://seekingalpha.com/article/699681-big-cloud-lessons-from-a-bad-weekend?source=yahoo "Yelp (YELP), Reddit, and LinkedIn (LNKD) all suffered problems from the addition of a "leap second" at midnight on Saturday, aimed at synchronizing Internet time with the atomic clocks of real time. Those systems with configurations expecting 60 second minutes were knocked down, and although they quickly got back up it was embarrassing."
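The failure mode the quotation describes comes down to an edge case in time handling: a minute may legitimately contain a 61st second. The following is an added example, not code from the article or from any of the sites named, showing in Python how a strict parser that assumes seconds run 00..59 rejects the constructed timestamp `2012-06-30T23:59:60Z`, while a leap-aware parser accepts a second of 60 only at the end of 30 June or 31 December, the slots in which UTC has ever inserted one. The sample timestamps are constructed for illustration, not logs from any affected system; the helper names (`naive_parse`, `leap_aware_parse`, `parse_all`, `accepts`) are this example's own.

```python
"""
Added example (not from the article or the RISKS item): handling a
positive leap second in ISO 8601 UTC timestamps. A strict parser that
assumes every minute has seconds 00..59 rejects "23:59:60"; the
leap-aware parser accepts it only where UTC permits one. Sample input
below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# YYYY-MM-DDTHH:MM:SSZ, seconds captured as-is so that "60" reaches our own check.
ISO_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")

# (month, day, hour, minute) slots in which a leap second has ever been inserted.
LEAP_SLOTS = {(6, 30, 23, 59), (12, 31, 23, 59)}


def _fields(ts: str):
    m = ISO_RE.match(ts)
    if not m:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    return tuple(int(g) for g in m.groups())


def naive_parse(ts: str) -> datetime:
    """Strict parse: datetime() only allows second 0..59, so 23:59:60 raises ValueError."""
    y, mo, d, hh, mm, ss = _fields(ts)
    return datetime(y, mo, d, hh, mm, ss, tzinfo=timezone.utc)


def leap_aware_parse(ts: str) -> datetime:
    """Accept second == 60 only in a valid leap-second slot.

    datetime cannot represent 23:59:60 itself, so the leap second is
    returned as the midnight that follows it (the usual 'smear to the
    next representable instant' choice); anything else parses normally.
    """
    y, mo, d, hh, mm, ss = _fields(ts)
    if ss == 60:
        if (mo, d, hh, mm) not in LEAP_SLOTS:
            raise ValueError(f"leap second not permitted at {ts!r}")
        last_normal = datetime(y, mo, d, 23, 59, 59, tzinfo=timezone.utc)
        return last_normal + timedelta(seconds=1)
    return datetime(y, mo, d, hh, mm, ss, tzinfo=timezone.utc)


def accepts(ts: str) -> bool:
    """True if the leap-aware parser accepts ts, False if it rejects it."""
    try:
        leap_aware_parse(ts)
        return True
    except ValueError:
        return False


def parse_all(lines):
    """Parse a batch with the leap-aware parser, noting which lines the strict
    parser would have rejected. Returns (line, parsed datetime, strict_ok)."""
    results = []
    for line in lines:
        try:
            naive_parse(line)
            strict_ok = True
        except ValueError:
            strict_ok = False
        results.append((line, leap_aware_parse(line), strict_ok))
    return results


# Constructed sample: the second before, during and after the 30 June 2012 leap second.
SAMPLE = ["2012-06-30T23:59:59Z", "2012-06-30T23:59:60Z", "2012-07-01T00:00:00Z"]

if __name__ == "__main__":
    for line, when, strict_ok in parse_all(SAMPLE):
        print(f"{line} -> {when.isoformat()}  strict parser ok: {strict_ok}")
```

The article does not say at which layer the named sites failed, so this example is about the class of bug rather than those incidents: any code path that validates, stores or compares wall-clock time needs a deliberate policy for second 60 (accept and map, or reject with a clear error) rather than an assumption that never sees the case until the next leap second arrives.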
Commercial Drones and GPS Spoofers a Bad Mix

Researchers at the University of Texas at Austin Radionavigation Laboratory have successfully demonstrated that a drone with an unencrypted GPS system can be taken over by a person wielding a GPS spoofing device. You can see a video accompanying a Fox News story on it, as well as a video here of an experiment conducted by the researchers, led by Professor Todd Humphreys. Humphreys and company were recently invited by the U.S. Department of Homeland Security (DHS) to demonstrate whether their capability to successfully spoof commercial GPS systems in the laboratory could work in the field. ... The UT researchers took equipment costing about $1000 to the White Sands Missile Range in New Mexico last week and showed observers from both the Federal Aviation Administration (FAA) and DHS how control of a test drone could be taken away from its original overseers. The UT researchers, as the above article notes, have been able to take control of basically every type of unencrypted commercial GPS system in their laboratory.

rest: http://spectrum.ieee.org/riskfactor/aerospace/aviation/commercial-drones-and-gps-spoofers-a-bad-mix
popular news article: http://rt.com/usa/news/texas-1000-us-government-906/

Note that this is _unencrypted_ GPS, but that's a hefty chunk of the users.

[Also noted by Paul Saffo. PGN]
http://j.mp/MvhBKv (ars technica via NNSquad) "The exploit, described in a paper to be presented at the CRYPTO 2012 conference in August, requires just 13 minutes to extract a secret key from RSA's SecurID 800, which company marketers hold out as a secure way for employees to store credentials needed to access confidential virtual private networks, corporate domains, and other sensitive environments. The attack also works against other widely used devices, including the electronic identification cards the government of Estonia requires all citizens 15 years or older to carry, as well as tokens made by a variety of other companies."
A ruling from the Minnesota Supreme Court means that defendants will not be able to use the source code for the Intoxilyzer breath-test machine in their legal defense. (These machines are used to determine blood alcohol levels for DUI cases, and are known colloquially as breathalyzers.) An earlier ruling found that the source code contained bugs, including one that caused the proximity of a cell phone during testing to affect results. However, the Supreme Court ruled that the Intoxilyzer was accurate by a preponderance of the evidence.

http://minnesota.publicradio.org/collections/special/columns/news_cut/archive/2012/06/minnesota_supreme_court_limits.shtml
http://www.startribune.com/local/160533855.html

An earlier article, including mention that the replacement devices include their source code:
http://www.startribune.com/local/158324965.html
http://j.mp/NGWeTb (RAND [PDF] via NNSquad) "Cyberwar is nothing so much as the manipulation of ambiguity. The author explores these topics in detail and uses the results to address such issues as the pros and cons of counterattack, the value of deterrence and vigilance, and other actions the United States and the U.S. Air Force can take to protect itself in the face of deliberate cyberattack."
http://j.mp/MUYSag (BBC [Video]) "France is switching off its groundbreaking Minitel service which brought online banking, travel reservations, and porn to millions of users in the 1980s. But then came the worldwide web. Minitel has been dying slowly and the plug will be pulled on Saturday."
http://j.mp/LuEiK7 (BBC via NNSquad) "The government is to consider putting extra pressure on computer users to filter out pornography when setting up Internet accounts. Ministers are suggesting that people should automatically be barred from accessing unsuitable adult material unless they actually choose to view it. It is one of several suggestions being put out for a consultation on how to shield children from pornography. Websites promoting suicide, anorexia and self-harm are also being targeted." The good old UK police state mentality marches on. And of course, if you ask to have the blocks lifted, you automatically go on Her Majesty's government "pervert" list.