Friday, November 19, 2010

Code clues point to Stuxnet maker

Detailed analysis of the code in the Stuxnet worm has narrowed the list of suspects who could have created it.

The sophisticated malware is among the first to target the industrial equipment used in power plants and other large scale installations.

New research suggests it was designed to disrupt centrifuges often used to enrich uranium.

Forensic analysis of the worm has revealed more about the team behind it and what it was supposed to do.

Code secrets

The close look at the code inside Stuxnet was carried out by Tom Parker from security firm Securicon who specialises in picking out the digital fingerprints hackers leave behind in malware.

His analysis of Stuxnet shows it is made of several distinct blocks. One part targets industrial control systems, another handles the worm's methods of spreading itself, and a third concerns the way its creators planned to communicate with and control it.

The most sophisticated part of Stuxnet targeted the programmable logic controllers (PLCs) used in industrial plants to automate the operation of components such as motors or pumps.

Subverting PLCs required detailed knowledge of one manufacturer's product line, the programming language written for it and insight into how it could be subverted. That meant, said Mr Parker, the list of suspects was pretty short.

"I do believe the PLC components were written in the West," he said. "It's western companies that are investing most heavily in automation of industrial processes, whether it's putting coke in cans or nuclear enrichment."

"However, the bits that drop it into a system and the command and control parts are not that advanced at all," said Mr Parker.

"I've compared this less advanced code to other malware and it does not score very highly," he said.

Dedicated hi-tech criminals would not have used such crude methods of distribution and control, he said, suggesting that it was put together by a nation rather than organised crime.

What this implies, he said, is that whichever country put Stuxnet together commissioned the creation of the PLC part from a Western nation, then added its own distribution and control code to it.

The analysis suggests that a team of 6-10 people were behind Stuxnet and were involved with it for some time. Whoever wrote it would also need information about and access to industrial plants in Iran if that was the actual target, said Mr Parker.

Motor control

More information has also emerged about how Stuxnet disrupts the industrial control systems it managed to compromise.

Research by security firm Symantec has shown that the likely targets were the frequency converters that many PLCs are connected to in order to regulate the speed of a motor.

In particular, said Symantec, Stuxnet targeted those operating at frequencies between 807Hz and 1,210Hz.

"There's a limited amount of equipment operating at that speed," said Orla Cox, security operations manager at Symantec. "It knew exactly what it was going after."

"Those operating at 600Hz or above are regulated for export by the US because they can be used to control centrifuges for uranium enrichment," she said.

If Stuxnet did manage to infect a PLC connected to a centrifuge, it would seriously disrupt its working, said Ms Cox.
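The frequency window Symantec describes lends itself to a simple plant-side audit: which drives on site actually run in that band? The following is an added example, not code from the original article or from Symantec or Securicon. It parses a constructed drive-telemetry log (the line format, drive ids and vendor name are assumptions made for this example) and flags every drive whose operating frequency falls inside the 807-1,210Hz window, with a second tier for drives at or above the 600Hz export-control threshold Ms Cox mentions. The window endpoints are treated as inclusive, which is an assumption; the article only says "between".

```python
import re
from dataclasses import dataclass

# Frequency window Symantec reported as Stuxnet's target selection, in Hz.
# Endpoints treated as inclusive (assumption; the article says "between").
STUXNET_MIN_HZ = 807.0
STUXNET_MAX_HZ = 1210.0
# Threshold at or above which, per Symantec, US export controls apply, in Hz.
EXPORT_CONTROL_HZ = 600.0

# Assumed telemetry line format, constructed for this example (not a real
# vendor or historian format):
#   <timestamp> drive=<id> vendor=<name> freq_hz=<value>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+drive=(?P<drive>\S+)\s+vendor=(?P<vendor>\S+)\s+freq_hz=(?P<hz>[0-9.]+)$"
)

# Constructed sample log: drive ids, vendor name and readings are made up.
SAMPLE_LOG = """\
2010-11-19T10:00:00Z drive=VFD-01 vendor=ExampleDrives freq_hz=50.0
2010-11-19T10:00:00Z drive=VFD-02 vendor=ExampleDrives freq_hz=650.0
2010-11-19T10:00:00Z drive=VFD-03 vendor=ExampleDrives freq_hz=1000.0
2010-11-19T10:00:00Z drive=VFD-04 vendor=ExampleDrives freq_hz=1210.0
2010-11-19T10:00:00Z drive=VFD-05 vendor=ExampleDrives freq_hz=1300.0
this line is garbage and must be skipped, not abort the audit
"""


@dataclass
class DriveReading:
    timestamp: str
    drive: str
    vendor: str  # carried for reporting only; the article gives no vendor criterion
    freq_hz: float


def parse_log(text):
    """Parse telemetry lines; malformed lines are skipped rather than fatal."""
    readings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        readings.append(DriveReading(m["ts"], m["drive"], m["vendor"], float(m["hz"])))
    return readings


def in_stuxnet_window(freq_hz):
    """True if the drive runs in the band Symantec said Stuxnet selected."""
    return STUXNET_MIN_HZ <= freq_hz <= STUXNET_MAX_HZ


def export_controlled(freq_hz):
    """True if the drive runs at or above the 600Hz export-control threshold."""
    return freq_hz >= EXPORT_CONTROL_HZ


def classify(readings):
    """Map drive id -> one of 'stuxnet-window', 'export-controlled', 'out-of-scope'.

    The Stuxnet window is checked first because it is a subset of the
    export-controlled range; a drive at 1000Hz is both, and the narrower
    match is the more useful label for the operator.
    """
    report = {}
    for r in readings:
        if in_stuxnet_window(r.freq_hz):
            report[r.drive] = "stuxnet-window"
        elif export_controlled(r.freq_hz):
            report[r.drive] = "export-controlled"
        else:
            report[r.drive] = "out-of-scope"
    return report


def audit(text):
    """Return (classification by drive, sorted ids of drives in the window)."""
    report = classify(parse_log(text))
    targets = sorted(d for d, c in report.items() if c == "stuxnet-window")
    return report, targets


if __name__ == "__main__":
    report, targets = audit(SAMPLE_LOG)
    for drive, label in sorted(report.items()):
        print(f"{drive}: {label}")
    print("drives inside the 807-1210 Hz window:", targets)
```

Frequency alone is a coarse filter, since the article reports no other selection criterion, but it is enough to tell a plant operator which drives deserve first attention when checking PLC logic for tampering.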

What is not clear, said Ms Cox, is whether Stuxnet hit its target. If it did not, she said, then the fact that the command and control system has been taken over by security firms has ended any chance of it being used again.

"Our expectation is that the attack is done at this point," she said. "We've not seen any more variants out there and I don't suspect we will."

Mr Parker said that whoever did write it failed in one respect because Stuxnet has not stayed live for as long as its creators hoped.

The control system set-up needed to have been in place for years to have a seriously disruptive effect on its intended targets, he said.

"Someone has serious egg on their face because they are never going to be able to use this investment ever again," he said.



Powered by WizardRSS | Full Text RSS Feeds

Internet 'could kill jury system'

The jury system may not survive if it is undermined by social networking sites, England's top judge has said.

In a lecture published on Friday the Lord Chief Justice, Lord Judge, raised major concerns about the use of the internet by jurors.

He said: "If the jury system is to survive as the system for a fair trial... the misuse of the internet by jurors must stop."

Lord Judge said some jurors had used the internet to research a rape case.

Earlier this year a judge in Manchester had to dismiss a jury and restart a trial, The Sun reported, after a juror went onto her Facebook page, gave details of a trial and asked friends: "Did he do it?"

Lord Judge, who is the most senior judge in England and Wales, said it was too easy for campaigners to bombard Twitter with messages in a bid to put pressure on jurors who might be looking at it.

He said: "We cannot stop people tweeting, but if jurors look at such material, the risks to the fairness of the trial will be very serious, and ultimately the openness of the trial process on which we all rely, would be damaged."

Lord Judge added: "We cannot accept that the use of the internet, or rather its misuse, should be acknowledged and treated as an ineradicable fact of life, or that a Nelsonian blind eye should be turned to it or the possibility that it is happening.

"If it is not addressed, the misuse of the internet represents a threat to the jury system which depends, and rightly depends, on evidence provided in court which the defendant can hear and if necessary challenge."

He said judges needed to warn jurors in the strongest terms not to use the internet to research cases or to give details of cases they are deliberating on.

He wants the notice in jury rooms to be amended to include a warning that such research could amount to a contempt of court. He raised the prospect of sentencing jurors who use the internet for research.

Lord Judge even suggested sending text messages from court buildings should be banned.

The BBC's Legal Affairs Analyst, Clive Coleman, said: "This is the strongest and most detailed judicial consideration of the threat to the criminal justice system posed by jurors using modern technology. It raises major questions of how to police and stop internet use."



Google's wi-fi data to be deleted

The UK's information commissioner has said that wi-fi data accidentally collected by Google's Street View cars will be deleted "as soon as possible".

Deputy information commissioner David Smith told the BBC that there would be no further enquiries into the matter.

He said there was no indication that any information collected "had fallen into the wrong hands".

It will not appease critics who called for the search giant to be fined.

There were no grounds for fining Google, Mr Smith told the BBC.

"We'd have had to find that there was substantial damage or distress to individuals from the collection of snippets of e-mails, URLs and passwords. We'd have to meet that criteria for a penalty to be imposed," he said.

Google admitted earlier this year that it had accidentally collected information from unsecured wireless networks around the world.

The incident came to light during a routine audit by the Hamburg data authority.

It led to dozens of enquiries with some - notably the Canadian data commissioner - offering detailed findings about the nature of the breaches.

The Canadian investigation found that Google captured personal information, including a list of names of people suffering from certain medical conditions.

Canadian privacy commissioner Jennifer Stoddart said thousands of Canadians had been affected.

The findings led her to conclude that the search giant "seriously violated" its privacy laws.

More training

Mr Smith admitted that the UK had conducted a much more basic investigation.

"We spent less time searching than others did. If we had searched for days and days we would have found more," Mr Smith said.

Following its own audit, the ICO ruled that "no significant breach" had occurred.

But following publication of the Canadian data commissioner's findings, the ICO changed this to a "significant breach".

Mr Smith said that the ICO had intended all along to base its final judgement on the findings of its counterparts.

"It is not a good use of the data protection authority to duplicate more in-depth enquiries," he said.

"We have based our decision on the findings of other data authorities. It was exactly the same type of information found by them," he said.

Mr Smith revealed that the ICO is only able to audit companies that have given prior permission for such an investigation.

Jim Killock, executive director of the digital rights campaign group the Open Rights Group, thinks this is a "shocking state of affairs".

"The ICO needs more powers and definitely needs more technical expertise," he said.

"To my mind people's privacy has been breached and they should be told about it. The ICO has a duty to let people know what has happened," he said.

Mr Killock believes that Google's data breach is more akin to unlawful interception, similar to opening someone's post without permission.

The UK currently has no public body to investigate interception breaches, a gap that led the European Commission to launch legal action against it.

The Home Office is currently consulting on how to make sure it complies with European legislation on the interception of communications.

Following the ICO's ruling, Google has promised to offer privacy training to its staff.

Other data bodies and groups around the world are still investigating its capture of wi-fi data.

Mr Killock is hopeful there will be harsher punishments for Google down the line.

"I should hope it would be fined," he said.


