Hello everyone, first post here, and boy is it a doozy.
For the past couple of years there have been a few major virus attacks on networks in the Middle East: the Stuxnet, Duqu, and Flame malware.
http://en.wikipedia.org/wiki/Stuxnet
http://en.wikipedia.org/wiki/Duqu
http://en.wikipedia.org/wiki/Flame_(malware)
Looking further into these, a paranoid thought popped into my head. Though Stuxnet and Duqu seem to have been pinned down on the US or one of our allies, Flame is still being researched and some facts are coming to light, but no one has claimed responsibility yet.
http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/
I don't know if it's been because I've been getting ready to launch my own Eclipse Phase campaign or what, but when I saw this article and its talks on the new cryptographic collision attack they used, I started to think that maybe this really isn't us at all. That this might be our own real-life TITANs.
Call me crazy, but maybe the Fall isn't as far off as we thought.
Stuxnet, Duqu, Flame, oh my!
Thu, 2012-06-07 15:32
#1
Thu, 2012-06-07 17:26
#2
Re: Stuxnet, Duqu, Flame, oh my!
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of...
and
http://www.technologyreview.com/view/428061/how-obama-was-dangerously-na...
(or for that matter, http://www.theatlantic.com/technology/archive/2012/06/is-it-possible-to-... ) Basically, it looks like the government might have unleashed a weapon of which it did not fully understand the political, legal or security implications.
"Permission to activate the TITAN system, Mr President?"
"Sure. Why do you even ask? We have more important issues to deal with here."
Well, at least the background for the Fall seems ever more plausible. See
Fri, 2012-06-08 08:22
#3
Re: Stuxnet, Duqu, Flame, oh my!
Why is it that every malware release makes me love my copy of Linux more and more? I just don't understand.... :P
I do however think this is the start of something terrible for the world of Internet technologies. These administrations have opened up a dangerous Pandora's box that they might regret down the line. I understand that the intent was to stop Iran, but the implications for us are far worse... the usage share of Microsoft Windows is anywhere from 76-92% worldwide, and these guys have unleashed code that could potentially violate this operating system with great ease. Should any decent hacker reverse engineer these worms, they would have access to tools that could potentially change the face of malware.
I mean imagine it. Flame utilized an MD5 hole that allowed it to pose as an official Microsoft update. [i]An official Microsoft update[/i]. Access to that exploit could completely devastate any amount of the world's computers. Worse off, someone could use that exploit to put something else out there that isn't detectable as a variation of Flame. An ambitious ransomware distributor with some as-of-yet unseen virus could hit a vast amount of the infrastructure before Symantec and other antivirus companies could do anything about it, and even lock their software out (because it could pose as an [i]official Microsoft update[/i]), forcing drastic antivirus methods to clean the mess.
I'm seeing less Eclipse Phase, and more of Shadowrun's Great Crash.
—
Transhumans will one day be the Luddites of the posthuman age.
[url=http://bit.ly/2p3wk7c]Help me get my gaming fix, if you want.[/url]
Fri, 2012-06-08 09:38
#4
Re: Stuxnet, Duqu, Flame, oh my!
http://it.slashdot.org/story/12/06/08/013204/flame-malware-authors-hit-s...
I also am thankful I run Linux and have been successful in converting a few friends to it as well. :P
That also popped into my head as well. Becoming much more plausible and scarier after this:
Fri, 2012-06-08 11:22
#5
Oops, double post
Fri, 2012-06-08 11:51
#6
Re: Stuxnet, Duqu, Flame, oh my!
Imagine if they could have bricked firmware with a similar sort of self-destruct command... horrifying.
Me too! I've made it one of my life's goals to try and get people to change over. If they are gamers like me, I help them get VMware player set up on their systems... that way they can still game, but use Linux for everything else.
Fri, 2012-06-08 12:36
#7
Re: Stuxnet, Duqu, Flame, oh my!
You can get a lot of @-rep for that (but your c-Rep can take a hit, the Micro$oft hypercorp will not like it). :)
Sat, 2012-06-09 01:33
#8
Re: Stuxnet, Duqu, Flame, oh my!
Interesting point here:
http://www.thebulletin.org/web-edition/op-eds/cyberweapons-bold-steps-di...
If a nation works on cyberwarfare, it will want to collect exploits. This means it will not tell them to the software manufacturers (since patches will make them useless), leaving all computers - including the ones of their own nation - unsecured. In fact, it might be rational for the cyber command to reduce the spread of patches since it makes them more able... at the price of making everybody else more vulnerable.
Now imagine this logic automated and accelerated with AI and AGI support on a global scale.
Sat, 2012-06-09 02:44
#9
Re: Stuxnet, Duqu, Flame, oh my!
Nations could even subsidize software producers to get them to add vulnerabilities, hopefully so bizarre no one else will notice.
If nations don't want to pay directly they could easily find other ways to compensate the companies, like give them a break on monopoly restrictions.
It's a silly idea I know, it's way too transparent. If a software company was allowed to grow to get market power it would express itself in objective measures like the Herfindahl index that antitrust institutions use as arguments to stop mergers or force divestitures in other industries. If they just let things slide or made ineffective rulings like banning a few software bundle combinations, and subsequently enemies of the state got hit with obscure zero day vulnerabilities, everyone would know that...
Oh wait.
Sat, 2012-06-09 03:19
#10
Re: Stuxnet, Duqu, Flame, oh my!
That's another point in favor of open-source software as in this example mentioned in the slashdot.org article:
When the source is open to the public it's hard to hide/ignore bugs and exploits.
Reminds me of the Jurassic Park quote:
"If there is one thing the history of evolution has taught us it's that life will not be contained. Life breaks free, expands to new territories, and crashes through barriers, painfully, maybe even dangerously, but, ah, well, there it is."
Tue, 2012-06-12 20:30
#11
Re: Stuxnet, Duqu, Flame, oh my!
Forcing collisions in a space of MD-5 hashes to generate signing certificates is not a new attack - here is [url=https://drwho.virtadpt.net/archive/2009/01/01/md5-considered-harmful-tod...]an article I wrote on a practical implementation[/url] a few years ago. This is, however, the first time anyone knows of someone carrying out the attack for cryptographically signing code. It is, all things considered, easier to purchase or steal a code signing certificate pair than it is to forge one.
And... MD-5 has been deprecated for years for precisely this reason. Hence, the existence of SHA-1 and the SHA-2 series of message digest algorithms. When dealing with crypto, momentum is not easy to overcome.
Go, humans, go.
*sigh*
Fun to take apart, interesting, and bloody difficult to get hold of samples right now (in that order).
Nobody has officially claimed responsibility for Flame yet, but the official announcement of Operation Olympic Games makes me wonder. That, and Flame appears to have taken a development path common to some centralized styles of software development effort: A small skunkworks development effort succeeds beyond the wildest dreams of anyone in the organization, and then the next project is officially taken over, and the result is bloatware. In toto, Flame is approximately twenty times larger than Stuxnet, which is why I make this claim - a twenty-fold increase in the size of the finished product is about right for this syndrome.
The problem with malware is that, after it is deployed, it is far more difficult to control its spread in the wild.
Tue, 2012-06-12 20:51
#12
Re: Stuxnet, Duqu, Flame, oh my!
F/OSS operating systems have their vulnerabilities too, make no mistake about it ([url=http://thehackernews.com/2012/06/cve-2012-2122-serious-mysql.html]MySQL, I glare in your general direction[/url]). Exploitable vulnerabilities in the v3.x Linux kernel series, for example, have been found and exploits are floating around some circles, but due to the #antisec meme (as well as the fact that one can make rather a lot of money selling exploits to companies like Vupen, the Zero Day Initiative, or Endgame) people are sitting on them and making use of them judiciously.
On this we agree. It seems that the powers that be finally got around to reading [url=https://projects.eff.org/~barlow/Declaration-Final.html]A Declaration of Independence of Cyberspace[/url] and are treating the Net the same way they'd treat any other entity that they really do not want to see independent: as a battlefield.
In some ways the malware that crackers have been writing and deploying for years is light-years more advanced than any of the state-sponsored and deployed malware discovered thus far, at least in terms of how difficult it is to detect and eradicate. The underground has this sort of thing down to a fine art but has very different goals. At least, right now.
For at least two years now, a number of corporations have been selling surveillance malware to governments which poses as updates to Windows and iTunes... and is signed with valid code signing certificates, so it passes muster with the OS' update installers. They even come with easy-to-use GUI injectors that practically any tier-one helpdesk tech could run. More to the point, we have been finding deployed samples in the wild for over a year; these are not hypothetical attacks, they are implemented attacks. Also, MD-5 collision attacks to generate fraudulent certificates are fairly well known and documented; if all of us on this message board really felt like it we could pull it off for not a lot of money and a couple of megabytes of Python code. Probably not rapidly, mind you, but it would be doable. I would be surprised if more than just two or three major world powers were not doing this sort of thing independently right now - it is too useful and practical an attack with too many potential applications.
That would be most malware written by black hats for profit, I am afraid.
Easily.
Good. It is not just me.
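A small verifier, added here and not from anyone in this thread or from any product it mentions, to make concrete the point raised in posts #3 and #12: the Flame-style forgery needed a verifier willing to accept an MD5-based signature at all. The manifest format, the HMAC standing in for an RSA code-signing key, and the sample payload are all constructed for the example; the two verifiers differ only in whether they pin the digest algorithm.

```python
import hashlib
import hmac

# Constructed stand-in for a code-signing key (real update signing uses an
# X.509 certificate and RSA; an HMAC keeps the example self-contained).
SIGNING_KEY = b"constructed-demo-signing-key"

# Digests a present-day verifier should accept; md5 and sha1 are deliberately absent.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}


def sign_update(payload: bytes, digest_alg: str) -> dict:
    """Build a manifest that names its own digest algorithm (algorithm agility).
    The signature covers only the digest, as a hash-then-sign scheme does."""
    digest = hashlib.new(digest_alg, payload).hexdigest()
    to_sign = f"{digest_alg}:{digest}".encode()
    mac = hmac.new(SIGNING_KEY, to_sign, "sha256").hexdigest()
    return {"digest_alg": digest_alg, "digest": digest, "mac": mac}


def verify_naive(payload: bytes, manifest: dict) -> bool:
    """Trusts whatever digest algorithm the manifest declares. Because the
    signature is over the digest, any payload that collides with the signed
    one under that algorithm also passes; with MD5 that is the Flame scenario."""
    digest = hashlib.new(manifest["digest_alg"], payload).hexdigest()
    to_sign = f"{manifest['digest_alg']}:{digest}".encode()
    mac = hmac.new(SIGNING_KEY, to_sign, "sha256").hexdigest()
    return hmac.compare_digest(mac, manifest["mac"])


def verify_hardened(payload: bytes, manifest: dict):
    """Refuses non-allowlisted digests before doing any cryptographic work, so a
    manifest signed over an MD5 digest is rejected even when the MAC is valid.
    Returns (accepted, reason)."""
    alg = manifest["digest_alg"]
    if alg not in ALLOWED_DIGESTS:
        return False, f"digest algorithm {alg!r} is not on the allowlist"
    if not verify_naive(payload, manifest):
        return False, "signature does not match payload"
    return True, f"ok ({alg})"


if __name__ == "__main__":
    update = b"constructed update payload: version 1.0"  # constructed sample
    legacy = sign_update(update, "md5")
    modern = sign_update(update, "sha256")
    print("naive verifier, md5 manifest   :", verify_naive(update, legacy))
    print("hardened verifier, md5 manifest:", verify_hardened(update, legacy))
    print("hardened verifier, sha256      :", verify_hardened(update, modern))
```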
Tue, 2012-06-12 20:57
#13
Re: Stuxnet, Duqu, Flame, oh my!
[url=http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the...]This is even worse[/url] than bricking devices. [url=https://www.net-security.org/malware_news.php?id=2143]So is this.[/url]
[url=https://en.wikipedia.org/wiki/CIH_%28computer_virus%29]This was also quite irritating.[/url]
Tue, 2012-06-12 20:58
#14
Re: Stuxnet, Duqu, Flame, oh my!
Microsoft may not like it, but other corporations use whatever works to accomplish their goals, so your c-rep may not take quite so much of a hit.
Tue, 2012-06-12 21:06
#15
Re: Stuxnet, Duqu, Flame, oh my!
They can research exploits on their own, but it is faster and cheaper to buy them in bulk from security companies. They [i]could[/i] hire one hacker for $40k US per year plus benefits (this is how much the NSA is offering for security analysts with reverse engineering experience these days) or they could potentially buy several dozen zero-day exploits (well more than their hacker-on-the-payroll could find and develop per year) for twice that, and continue to do so for as long as they wanted.
The #antisec meme did that for them, I fear. Some prominent white hats took pretty hard blows between 0 and 1 last year for their disclosure policies.
Self aware reverse engineering systems... remind me to keep backing myself up to offline storage in the future, please?
Tue, 2012-06-12 21:10
#16
Re: Stuxnet, Duqu, Flame, oh my!
[url=http://boingboing.net/2011/12/28/linguistics-turing-completene.html]They do not have to.[/url] Plus, a lot of code reviews are a joke.
Wed, 2012-06-13 01:43
#17
Re: Stuxnet, Duqu, Flame, oh my!
Don't I know it. Injections are one of the major reasons I'm not interested in making my own public website. Seems too risky. I'll stick to having a private network torrent server and a storage server... and that's it.
Which is problematic. The internet forms the backbone of most of human society today, [i]especially[/i] in the western world. I don't think these governments realize how devastating even localized shutdowns within the internet would be (imagine if bank networks or VISA got shut down by a government-made malware... the effects would be devastating to the market).
Yet they don't seem to realize this. They pretend the internet is some building they all have to gain control of, when in reality the internet has become [i]a new layer of the world as a whole[/i].
True in a sense. These viruses were more impressive in scope and autonomy, as well as ability to target specific systems, than anything. They clearly weren't very well stealthed, and had massive footprints.
But they did have some interesting traits, and those traits have already hit the common malware scene. Stuff like using the torrent protocol to update every infected system. And I wonder how long it will be before we see some black hats throw a PLC disruptor of their own on the internet. Oh what fun that could cause. [/sarcasm]
Scary. Makes you wonder if there's some reason that these companies still use MD5, despite the fact that it has so many glaring flaws for security purposes.
I know, but it will be more horrifying when they successfully implement the elements of these government programs into those elements. A botnet that uses the torrent network to be self-improving and autonomous? Chilling.
Now all we have left is to start placing bets on what dumbass government is going to accidentally invent the crash virus, and who is going to put together Echo Mirage. :P
Fri, 2012-06-15 22:32
#18
Re: Stuxnet, Duqu, Flame, oh my!
I would much rather use an application that started its life a few years ago, is still being actively developed, and has a large enough userbase to warrant code audits. Also, JIT-virtual patching done by the hosting provider is good to buy time when it is necessary to do so.
So much of the Internet is necessary for daily communication; an unknown number (but rather a lot) of long-distance links are, in fact, voice-over-IP gateways (for example). In places where radio repeaters are infeasible, VoIP is sometimes used to connect them. SCADA systems of some facilities are hooked into the Net so they can be remotely controlled... which is so bad an idea that perhaps only Denis Leary or Andrew Clay at the top of their respective games could properly elucidate its drawbacks. And what about stock and futures trading proto-AIs? What if they were infected?
The going perception of offensive infosec seems to conflate exploits with bombs. If one does not work, get a bigger one... which is exactly how such things do not work.
The surveillance aspects of Flame rival some mobile device malware I have seen. That was slightly frightening. As for whether or not Flame was well stealthed, it was admitted that Flame had probably been in the wild for a couple of years before it was detected, so I suppose that says something about its stealth capabilities. However, I wonder if the developers really did write such lousy code, if they accidentally used some compiler flags that bloated the code, or some combination of the two. Or something else.
It is my understanding that there are a few hackers working on PLC disruption, but that they are white hats working for some of the larger security firms. The other side of the house is no doubt hard at work as well.
Project managers are often not programmers, and were probably never cypherpunks. Developers tend to use what they know or what is in the spec. Sometimes, developers really are lousy, or come from the Mal Reynolds school of programming.
The match on /autonomous/i chills my blood.
My guess would be that they would be the same side, shortly after they discover that their malware likes their networks just as much as the ones they want to take down. The internauts will no doubt form their own Echo Mirage teams, only with more biofeedback devices and LOLcats and fewer implanted jacks. At least, at first.
Thu, 2012-06-21 10:11
#19
Re: Stuxnet, Duqu, Flame, oh my!
You and me both!
The box was already there. If the US didn't do it, someone else would have -- and soon. The fact is, the US was (relatively) responsible. It had so many safeties to control it, the target is valid. And the thing the world needs MOST is examples of this technology, so we can start building defenses. Flame and Stuxnet have delivered. Already all the big AV and security companies are trying to figure out how to anticipate this sort of attack. Google now gives you an alert if they suspect you're the target of state-sponsored spying. People are thinking about it. (Consider if instead the first attack of this sort was done by Russia, Iran, or China.)
Definitely, including SR's paradigm of islands on the net.