OUT OF BAND A Farewell to Air Gaps, Part 1 Hal Berghel, University of Nevada, Las Vegas One of the most fundamentally misguided charged with the oversight and ways to protect a networked infrastructure management of these acquisitions. Going back at least 30 years be- is to introduce an air gap. The US has been fore the Farewell revelation, the US mastering the art of crossing them for more and its NATO allies were keen to keep the keys to the kingdom out of than 30 years. Soviet hands. Through export and other economic policies, they op- posed Line X and the forces behind ager to send détente to an early grave, US Pres- it. Thus the sharing of nuclear secrets, certain sophisti- ident Ronald Reagan wasted no time taking cated manufacturing techniques, semiconductor tech- advantage of the intelligence provided by the nology, and sensitive trade secrets was verboten, and the French domestic intelligence agency’s KGB spy, corresponding products, weapons, advanced computers, EColonel Vladimir Vetrov, codenamed “Farewell.” In 1981, machinery, and the like were embargoed. French President François Mitterrand offered Reagan the But that didn’t stop the KGB. Line X populated visiting “Farewell Dossier,” 4,000 KGB documents that by some Soviet delegations with KGB agents to learn about agri- accounts triggered a spectacularly kinetic CIA response. culture, manufacturing, defense, and whatever else they Gus Weiss documented the entire affair in his capac- could. What they didn’t learn from direct inspection, ity as a special assistant to the secretary of defense as they tried to buy. What they couldn’t buy directly, they well as director of International Economics for the Na- tried to purchase through third parties. Failing that, theft tional Security Council (NSC). According to Weiss,1 the was always a viable option. This was Cold War technol- Soviets under Leonid Brezhnev viewed détente as some ogy transfer Soviet style: a continuation of the atom bomb much needed economic breathing room that enabled spying effort, but with economic objectives that contin- them to improve the USSR’s economy. To expedite this ued to some degree until Reagan found out about all of it improvement, the Soviet Council of Ministers and the from Mitterrand. Communist Party of the Soviet Union’s Central Com- mittee established the KGB’s Directorate T to find and THE CIA’s MARK TO MARKET retrieve Western targets of opportunity (read: stolen in- At the NSC, Weiss read the Farewell Dossier and deter- tellectual property). A new operating arm, Line X, was mined that the Soviets were acquiring technology trade 64 COMPUTER PUBLISHED BY THE IEEE COMPUTER SOCIETY 0018-9162/15/$31.00 © 2015 IEEE EDITOR HAL BERGHEL OUT OF BAND University of Nevada, Las Vegas; [email protected] secrets at breakneck speed. “Our sci- explanation. Reed claims that Weiss remote-access Trojan and information ence was supporting their national de- told him the story and provided him stealer, W32.Duqu,2 and the espionage fense,” he reported.1 From the dossier, with his notes shortly before his mys- hack, Flame.3 In fact, early versions of William Casey’s CIA developed a Line terious death on 25 November 2003. Stuxnet (circa v0.5) are thought to de- X shopping list in 1982 and, with the Although some dispute whether the rive from the Flame platform, whereas FBI’s help, assisted the Soviets on their hack resulted in the actual explosion, later versions (circa v1.0) also derive shopping spree by seeing that they got it wasn’t for lack of effort on the part of from the Tilded platform—so-called enhanced versions of the things they the Reagan administration. So far as I because contributors tended to start sought—these items “would appear can determine, no authoritative source filenames with tildes. Other Flame- genuine, but would later fail.”1 De- disputes the rest of Reed’s account. and Tilded-based malware are certain fective computer chips, flawed parts, Some of Weiss’s notes appeared on to remain in circulation in some form and misleading or bogus technical the CIA website under his name on 14 In Countdown to Zero Day: Stuxnet information were supplied to vendors April 2007,1 more than two years after and the Launch of the World’s First Dig- known to sell to the Soviet Union. We Reed’s book had removed any cover ital Weapon,4 journalist Kim Zetter— know this from Weiss’s report,1 but of secrecy. The Trans-Siberian Pipe- who’s covered cybercrime for Wired things got much more interesting line part of the story isn’t included in and other publications—convincingly when Thomas Reed, also a member of Weiss’ published CIA notes; add this documents (see “The Legend of Stux- Reagan’s NSC, came into the picture. to Weiss’s strong opposition to the Iraq net” sidebar) that although Flame and Weiss and Reed were with the NSC war and you have the stuff of which Duqu are derived from the Flame and when the Reagan–Casey–CIA–FBI in- great conspiracies are made. I’d be re- Tilded codebases, respectively, Stux- trigue began in early 1982. miss if I didn’t mention here that Reed net borrows from both, and in differ- Reed picked up Weiss’s storyline remains a partisan loyalist to Reagan ent proportions over time.4 Kaspersky in At the Abyss: An Insider’s History of and his politics, so it could be that Lab’s Costin Raiu believes that the the Cold War (Presidio Press, 2005). his account is biased and somewhat Stuxnet cyber aggressors borrowed He tells how the Soviets were in need sanitized—perhaps there’s much more heavily from the Flame platform code of some software for their natural gas to the story than even Reed reported. and then shifted to Tilded later in de- pipeline that stretched from Siberia velopment due to the simplicity and to Eastern Europe. They dispatched a MALWARE ARCHAEOLOGY tightness of the latter code.5 KGB operative to a Canadian software AND STUXNET In Confront and Conceal: Obama’s supplier. The US intelligence folks For the next chapter on international Secret Wars and Surprising Use of Amer- were given the heads-up through Fare- cyber sabotage, we turn to Stuxnet. ican Power (Broadway Books, 2012), well, prompting the FBI to work with So that we’re all on the same page, you journalist David Sanger explains Op- the Canadians to “enhance” the soft- need to know that the officially uncon- eration Olympic Games in the context ware, which the KGB then obtained. firmed US/Israeli cyberattack against of the political climate during both According to Reed, the software the Iranian uranium enrichment facil- the latter George W. Bush and early included a Trojan horse allowing the ity at Natanz—reported in 2010—was Barack Obama administrations. He West to regulate the pipeline’s pump never called Stuxnet by those who al- speculates that Flame was a US arti- speeds and settings, valve openings, legedly deployed it. “Operation Olym- fact used when Stuxnet was in the ex- and internal pressures—pushing them pic Games” was the codename used by perimental stage, and that the Duqu/ well beyond safe operating limits. the planners when they presented the Tilded code was primarily an Israeli Needless to say, the flawed software idea to the George W. Bush administra- product. Only after Bush authorized produced the desired result of disrupt- tion originally. The Stuxnet moniker Operation Olympic Games did the ing the pipeline’s operations—in fact, came much later, from investigators two teams begin sharing code. There’s it’s alleged to have caused the larg- external to the project who juxtaposed considerable evidence for this be- est non-nuclear explosion in history fragments of contained filenames. cause Flame and Duqu differ greatly in (equivalent to detonating three kilo- The Stuxnet archaeology produced sophistication— pointing to the likeli- tons of TNT). In response to the NSC’s sufficient digital artifacts from which hood that different teams with differ- concern about the resulting explosion, several conclusions can be drawn. ent skill levels contributed to it. The Weiss is reported to have told them First, it actually shares some of the Stuxnet payload—the part directed at not to worry about it, but he gave no architecture and codebase with the specific industrial controllers—seems JUNE 2015 65 OUT OF BAND THE LEGEND OF STUXNET he discovery of the Stuxnet worm by VirusBlokAda (http:// by 2000, it was becoming ineffective by the time that v0.5 Tanti-virus.by/en/index.shtml), a small Belarus security was released, so Stuxnet’s authors instead went with newer company, is itself an interesting story that’s now part of cyber and more sophisticated exploits. Unlike v0.5, v1.0 used a lore. Stuxnet’s creators went to considerable trouble to thwart multi-exploit. discovery by major security software vendors, but VBA was In all, Symantec and Kaspersky Lab identified five different apparently too small to be on their radar. An Iranian reseller for infection hacks: the Autorun exploit in v0.5, the .LNK hack VBA reported events of interest from several customers that in v1.0 and later, and three elevation-of-privileges exploits couldn’t seem to rid themselves of malware infection. This through vulnerabilities in the Windows keyboard file handler, alerted VBA, which in turn uncovered a kernel-level rootkit print spooler, and task manager. In addition, Kim Zetter2 doc- operating on its customers’ computers. Further analysis uments eight different propagation tactics once the malware discovered an injector based on Windows .LNK files carried by was installed on one computer: USB flash drives.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages5 Page
-
File Size-