John Romant's Technology Blog

If it's technology, I want to know about it.

Category Archives: Cyber Warfare

Duqu Virus attacks Iran. All facilities and equipment are said to be “cleaned”.

On Sunday Iran has indicated that the Duqu Virus (click here to learn about the Duqu super virus) has been detected, but the depth of the contamination is currently unknown. The director of Iran’s Passive Defense Organization, Gholam Reza Jalali, says that the Islamic Republic has produced an antivirus software protecting software and hardware systems of governmental centers against the  Duqu super virus.  All facilities and equipment, which were affected with this virus, have been cleaned, and the virus is under control, Gholam Reza Jalali told IRNA on Sunday.

Side note,  I wander how much the Iranian Duqu anti-virus will go for on the open market ?  I also wander if Iran is still using Siemens control systems.  Sounds like a film plot in the making.

follow me on twitter: @johnromant

“Duqu” virus created from original Stuxnet Code. Researchers Warn of Impending Cyber Attack.

PHOTO: Researchers claim a new virus, dubbed "Duqu", could be the first step in a new Stuxnet-like cyber attack.

By LEE FERRAN
Oct. 18, 2011

A new computer virus using “nearly identical” parts of the cyber superweapon Stuxnet has been detected on computer systems in Europe and is believed to be a precursor to a new Stuxnet-like attack, a major U.S.-based cyber security company said today.

Stuxnet was a highly sophisticated computer worm that was discovered last year and was thought to have successfully targeted and disrupted systems at a nuclear enrichment plant in Iran. At the time, U.S. officials said the worm’s unprecedented complexity and potential ability to physically sabotage industrial control systems — which run everything from water plants to the power grid in the U.S. and in many countries around the world — marked a new era in cyber warfare.

Though no group claimed responsibility for the Stuxnet worm, several cyber security experts have said it is likely a nation-state created it and that the U.S. and Israel were on a short list of possible culprits.

READ: Could Cyber Superweapon Be Turned on the U.S.?

Whoever it was, the same group may be at it again, researchers said, as the authors of the new virus apparently had access to original Stuxnet code that was never made public.

The new threat, discovered by a Europe-based research lab and dubbed “Duqu”, is not designed to physically affect industrial systems like Stuxnet was, but apparently is only used to gather information on potential targets that could be helpful in a future cyber attack, cyber security giant Symantec said in a report today.

“Duqu shares a great deal of code with Stuxnet; however, the payload is completely different,” Symantec said in a blog post.

READ: Beware the Cyber War Boomerang?

Duqu is designed to record key strokes and gather other system information at companies in the industrial control system field and then send that information back to whomever planted the bug, Symantec said.

If successful, the information gleaned from those companies through Duqu could be used in a future attack on any industrial control system in the world where the companies’ products are used — from a power plant in Europe to an oil rig in the Gulf of Mexico.

“Right now it’s in the reconnaissance stage, you could say,” Symantec Senior Director for Security Technology and Response, Gerry Egan, told ABC News. “[But] there’s a clear indication an attack is being planned.”

Duqu is also not designed to spread on its own…continue reading.

Predator and Reaper Drone Virus Hits U.S. Fleet.

By Noah Shachtman

A computer virus has infected the cockpits of America’s Predator and Reaper drones, logging pilots’ every keystroke as they remotely fly missions over Afghanistan and other warzones.

The virus, first detected nearly two weeks ago by the military’s Host-Based Security System, has not prevented pilots at Creech Air Force Base in Nevada from flying their missions overseas. Nor have there been any confirmed incidents of classified information being lost or sent to an outside source. But the virus has resisted multiple efforts to remove it from Creech’s computers, network security specialists say. And the infection underscores the ongoing security risks in what has become the U.S. military’s most important weapons system.

“We keep wiping it off, and it keeps coming back,” says a source familiar with the network infection, one of three that told Danger Room about the virus. “We think it’s benign. But we just don’t know.”

Military network security specialists aren’t sure whether the virus and its so-called “keylogger” payload were introduced intentionally or by accident; it may be a common piece of malware that just happened to make its way into these sensitive networks. The specialists don’t know exactly how far the virus has spread. But they’re sure that the infection has hit both classified and unclassified machines at Creech. That raises the possibility, at least, that secret data may have been captured by the keylogger, and then transmitted over the public internet to someone outside the military chain of command.

Drones have become America’s tool of choice in both its conventional and shadow wars, allowing U.S. forces to attack targets and spy on its foes without risking American lives. Since President Obama assumed office, a fleet of approximately 30 CIA-directed drones have hit targets in Pakistan more than 230 times; all told, these drones have killed more than 2,000 suspected militants and civilians, according to the Washington Post. More than 150 additional Predator and Reaper drones, under U.S. Air Force control, watch over the fighting in Afghanistan and Iraq. American military drones struck 92 times in Libya between mid-April and late August. And late last month, an American drone killed top terrorist Anwar al-Awlaki — part of an escalating unmanned air assault in the Horn of Africa and southern Arabian peninsula.

But despite their widespread use, the drone systems are known to have security flaws. Many Reapers and Predators don’t encrypt the video they transmit to American troops on the ground. In the summer of 2009, U.S. forces discovered “days and days and hours and hours” of the drone footage on the laptops of Iraqi insurgents. A $26 piece of software allowed the militants to capture the video.

The lion’s share of U.S. drone missions are flown by Air Force pilots stationed at Creech, a tiny outpost in the barren Nevada desert, 20 miles north of a state prison and adjacent to a one-story casino. In a nondescript building, down a largely unmarked hallway, is a series of rooms, each with a rack of servers and a “ground control station,” or GCS. There, a drone pilot and a sensor operator sit in their flight suits in front of a series of screens. In the pilot’s hand is the joystick, guiding the drone as it soars above Afghanistan, Iraq, or some other battlefield.

Some of the GCSs are classified secret, and used for conventional warzone surveillance duty. The GCSs handling more exotic operations are top secret. None of the remote cockpits are supposed to be connected to the public internet. Which means they are supposed to be largely immune to viruses and other network security threats.

But time and time again, the so-called “air gaps” between classified and public networks have been bridged, largely through the use of discs and removable drives. In late 2008, for example, the drives helped introduce the agent.btz worm to hundreds of thousands of Defense Department computers. The Pentagon is still disinfecting machines, three years later.

Use of the drives is now severely restricted throughout the military. But the base at Creech was one of the exceptions, until the virus hit. Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives. Drone units at other Air Force bases worldwide have now been ordered to stop their use.

In the meantime, technicians at Creech are trying to get the virus off the GCS machines. It has not been easy. At first, they followed removal instructions posted on the website of the Kaspersky security firm. “But the virus kept coming back,” a source familiar with the infection says. Eventually, the technicians had to use a software tool called BCWipe to completely erase the GCS’ internal hard drives. “That meant rebuilding them from scratch” — a time-consuming effort...continue reading at source.


Protected: The Syndication of Online Reputation Destruction.

This content is password protected. To view it please enter your password below:

Is World War III Going To Be Started via Cyber Warfare? Pentagon is Prepairing.

The Pentagon, headquarters of the United State...

Image via Wikipedia

By Anna Mulrine,
Staff writer, CSMonitor

(AXcess News) Washington – The Pentagon is rapidly preparing for cyberwar in the face of alarming and growing threats, say senior defense officials, who add that sophisticated attacks have prompted them to take the striking step of investigating the feasibility of expanding NATO‘s collective defense tenet to include cyberspace.

But as such planning intensifies, the military is struggling with some basics of warfare – including how to define exactly what, for starters, constitutes an attack, and what level of cyberattack warrants a cyber-reprisal.

“I mean, clearly if you take down significant portions of our economy we would probably consider that an attack,” William Lynn, the deputy secretary of defense, said recently. “But an intrusion stealing data, on the other hand, probably isn’t an attack. And there are [an] enormous number of steps in between those two.”

Today, one of the challenges facing Pentagon strategists is “deciding at what threshold do you consider something an attack,” Mr. Lynn said. “I think the policy community both inside and outside the government is wrestling with that, and I don’t think we’ve wrestled it to the ground yet.”

Equally tricky, defense officials say, is how to pinpoint who is doing the attacking. And this raises further complications that go to the heart of the Pentagon’s mission. “If you don’t know who to attribute an attack to, you can’t retaliate against that attack,” noted Lynn in a recent discussion at the Council on Foreign Relations.

As a result, “You can’t deter through punishment, you can’t deter by retaliating against the attack.” He lamented the complexities that make cyberwar so different from, say, “nuclear missiles, which of course come with a return address.”

How to pinpoint the source of a cyberattack is a subject being discussed by Pentagon officials with their counterparts in Britain, Canada, and Australia, among others, in advance of the upcoming NATO summit in Lisbon in November, at which cyberwarfare is an item on the agenda. Officials from NATO member states are also discussing such fundamental issues as how to share information and exchange related technologies, illustrating that the concept of a collective cyberwarfare defense is still in its infancy.

Lynn is among those working to develop the Pentagon’s new cyberstrategy, which is focusing both on how to defend the military’s classified networks as well as how to protect the Internet itself.

This upending of some key tenets of military doctrine is prompting the Pentagon to look to some surprising new places for strategic models of cyberdefense, including public health. “A public health model has some interesting applications,” Lynn said. “Can we use the kinds of techniques we use to prevent diseases? Could those be applied to the Internet?”

To that end, the Pentagon is now researching means of introducing internal defenses to the Internet so that it acts more like a human organism. When it’s hit with a virus, for example, it might mutate to fend it off. Such strategies are meant to “shift the advantage much more to the defender and away from the attacker,” Lynn said.

The problem is that the Internet currently has very few natural defenses. And sophisticated crafted viruses like Stuxnet are even tougher to fend off. Indeed, the Web “was not developed with security in mind,” he added. “It was developed with transparency in mind; it was developed with ease of technological innovation.” Those same attributes do not lend themselves to good security. Among the potential targets for cyberattack frequently mentioned by cybersecurity experts are the nation’s powergrid and financial system.

It was in 2008 that a cyberattack on Pentagon networks – an attack attributed to an unnamed “foreign intelligence service” – served as a wake-up call for US defense leadership. “To that point, we did not think our classified networks could be penetrated, so it was – it was a fairly shocking development,” said Lynn, adding that it was a “seminal moment” in a new military frontier.

Lynn put forward an analogy to early American warfare that the Pentagon often likes to call upon to illustrate its point. “If you figure the Internet is 20, 20-plus years old, and you kind of analogize to aviation … the first military aircraft was bought, I think, in 1908, somewhere around there. So we’re in about 1928,” he said.

“We’ve kind of seen some … biplanes shoot at each other over France,” he added. “But we haven’t really seen kind of what a true cyberconflict is going to look like.”

He warned, however, that there were a few things that appear clear. It is a kind of war that “is going to be … more sophisticated, it’s going to be more damaging, it’s going to be more threatening” than it appears at the present, Lynn said. “And it’s one of the reasons we’re trying to get our arms around the strategy in front of this rather than respond to the event.”

Q1 Labs Releases SIEM For Social Media

Image representing Q1 Labs as depicted in Crun...

By Mathew J. Schwartz
InformationWeek
September 28, 2010 08:00 AM

Q1 Labs on Monday announced the release of its latest security information and event management (SIEM) product, QRadar 7.0, which now has the ability to monitor social media networks and online communication tools, including Facebook, Gmail, LinkedIn, Skype and Twitter, in real time.

QRadar, as with most SIEM products, uses deep packet inspection technology to watch, in real time, for the presence of web-based malware or known vulnerabilities being introduced to the network, monitor for behavior that’s outside the norm, as well as to scan for data loss prevention, among other capabilities.

Q1 Labs said that the new QRadar will also be part of its Security Intelligence Operating System — “a unified architecture for collecting, storing, analyzing and querying log, threat, vulnerability and risk related data” — due out by the end of the year.

“Companies today face the increasing challenge of keeping their networks safe from hackers that have evolved, and that are taking advantage of new avenues of attack — such as social networking sites and applications utilized by partners, outsourcers and employees,” said Sandy Bird, CTO of Q1 Labs, in a statement. “They are also faced with keeping productivity up, due to the ‘always connected’ mentality of employees that want to be constantly connected to their social networks.”

Accordingly, the new version of QRadar extends SIEM to social networks, adding the ability to identify which users access which social networks, chart volume and patterns of usage, and inspect any content being transmitted via such services. In addition, the software can be set to automatically alert security managers when application activity, transmitted data or user behavior violates corporate policies or typical usage patterns, which may indicate that an attacker has breached the network.

Other new features in QRadar 7.0 include inventorying applications on enterprise PCs to determine whether they contain known vulnerabilities. In addition, the software can benchmark how users and applications normally behave, to detect anomalies, for example if a worker logs in at unusual times, or suddenly begins downloading excessive amounts of data from a cloud-based application, either of which could be the only indication that an account has been compromised.

Indeed, according to Gartner Group analyst Mark Nicolett, “application activity monitoring is important because application weaknesses are frequently exploited in targeted attacks, and because abnormal application activity may be the only signal of a successful breach or of fraudulent activity.”

%d bloggers like this: