Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon. 

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bear the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrate that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renown physicists planted false stories in Nature, the formal recognition as cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Link

Millions exposed to malvertising that hid attack code in banner pixels

From Ars Technica:

Despite targeting only people using IE and unpatched versions of Flash, Stegano is noteworthy for its concealment of exploit code in the pixels of the banner ads. There’s no reason future campaigns—or possibly ongoing ones that have yet to be discovered—couldn’t exploit zero-day vulnerabilities that infected a much larger base of people. Until ad networks get much better at detecting malvertising campaigns, the scourge is likely to continue.

The lesson, again, is that the advertising that is scattered throughout the web should be generally regarded as hostile and that ad blockers aren’t just a privacy tool but a security tool as well.

Link

How hard is it to hack the average DVR? Sadly, not hard at all

Ars Technica:

Johannes B. Ullrich, a researcher and chief technology officer for the SANS Internet Storm Center, wanted to know just how vulnerable these devices are to remote takeover, so he connected an older DVR to a cable modem Internet connection. What he saw next—a barrage of telnet connection attempts so dizzying it crashed his device—was depressing.

“The sad part is, that I didn’t have to wait long,” he wrote in a blog post published Monday. “The IP address is hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes.”

The Internet of Things should, at this point, mostly be renamed the Internet of Threats.

Link

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’

Cyberbullying law would let police ‘remotely hack into computers, mobile devices, or cars’:

Experts say police would be able to install viruses, or malware, into the electronics of anyone suspected of a crime, after gaining judicial approval.

“There’s a series of different tactics that they could adopt. They could engage in phishing schemes — deliberately serving infected files to computers — or it could involve sending URLs to people’s emails and when they click it, it infects their computers,” he said, adding that it could also involve installing malicious apps onto Canadians’ smartphones that work as listening devices. Police could even hack into a car’s OnStar to keep tracking of location, and call logs.

While C–13 is intended to target transmission data — call information, IP address, and location data — Mr. Parsons said it’s entirely possible that C–13 could capture basic data from Canadians’ Skype conversations, as well as a vast field of other digital information. “That’s the way that it reads,” he says.

The powers would still be subject to judicial oversight. The warrants are valid for two months for most crimes, but extends that to a year if the crime is terrorism-related, or if the suspect is connected to a criminal organization.

“Compounding that, there’s no reporting required,” Mr. Parsons said. “We won’t know if it’s 10 requests a year, a hundred requests a year, a thousand requests a year, or a million requests a year.”

Mr. Parsons calls it the dawn of Canadian ‘‘Govware.’’ Passing this bill, as is, said Mr. Parsons, “risks introducing significant, and poorly understood, new powers to the Canadian authorities.”

Mr. Fraser and Mr. Parsons raise the practical implication of the procurement process for this sort of software. If Ottawa contracts out the creation of a digital snooping program, it risks legitimizing the creation of malware, said Mr. Parsons, adding that Ottawa should be fighting to improve the security of our electronics, not exploiting their weaknesses.

Another good piece by Justin Ling, who is quickly becoming a key go-to reporter for all federal government issues privacy- and surveillance-related issues.

Link

Bitcoin Malware Emerges

So, in line with my previous writing on why I’m skeptical of digital currencies like Bitcoin, Ars Technica has a piece of the newest malware hitting digital currencies:

In another example of the security mantra of “be careful what you click,” at least one Bitcoin trader has been robbed in a forum “phishing” attack designed specifically to ride the hype around the digital currency. The attack attempts to use Java exploits or fake Adobe updates to install malware, and it’s one of the first targeted attacks aimed at the burgeoning business of Bitcoin exchanges.

(…)

This type of attack is de rigeur in the financial world, according to George Waller, the executive vice president of Strikeforce Technologies, a security software firm specializing in two-factor authentication and anti-keylogging software for the financial industry. “Driving people to a site to download malware is one of the most common attacks today,” he told Ars. “You go to a site from a forum and get prompted for Java or Adobe updates—and in the majority of those updates they drop in a keylogger. Since they’re written to get around antivirus scans, AV software is useless against this sort of pervasive malware today.”

To be clear: such attacks are common against a host of perceived high-value targets. They also, however, underscore the real value in linking names, activity-types, purchase behaviour, and other distinctive characteristics to persons’ online economic activity to defray fraud made possible by malware.

Aside

This promotional video of the FinFisher surveillance malware has some interesting components:

  1. they are talking about older Blackberry devices – I’m curious to know if they already have a ‘solution’ for more contemporary devices;
  2. the video speaks of infecting websites, which seems to suggest that an element of the FinFisher process is attacking unrelated website to then hunt targets. Crazy illegal in most jurisdictions I’m familiar with;
  3. the company focuses on TrueCrypt, which confirms the position the TC is a pretty awesome way of securing things you want to remain confidential….so long as you’re not infected with surveillance malware.
Quote

I have posted before about the Tibetan attacks, because they offer good insights into this issue in general. But it’s not just the Tibetan activists and other outspoken critics of the Chinese regime that are targeted by this “GhostNet”. I work on Taiwan/China issues in Washington, D.C. Pretty much everyone in that community – be it academics, think tankers, NGO employees, and government officials – are consistently targeted by the kind of “social malware” attacks that are detailed in the two reports. These attacks are very sophisticated, making them really hard to spot, and they show intimate knowledge of what’s going on in the community. Let me give you two recent examples:

On March 26, the Pentagon released their annual report on the Chinese military. On March 27, I received an email ostensibly from one of the people responsible for Taiwan issues at the Pentagon. The email basically said “Hey, here is the expanded version of the report from yesterday, with some additional commentary on Taiwan. I thought you would find it useful”. Attached was a PDF named “China_Military_Power_Report_2009.pdf”, exactly like the official document released by the Pentagon. I work on Taiwan defense issues, so this would be very interesting to me were it real. However, I correspond with this person on a regular basis, and he usually signs his emails to me with his nickname. This email didn’t, which made me suspicious. A Virustotal scan confirmed that the attachment contained malicious software (only detected by 4/38 products, though) and a quick phone call confirmed that the person hadn’t sent an email like that.

In another recent attack, it was the name of the head of my organization that was used to try to trick recipients into opening malicious attachments. He had just returned from a visit to Taiwan, a trip that had been reported on in the Taiwan press. About a week after returning, he received an inquiry from a prominent researcher at a D.C. think tank, asking if he had sent the researcher an email with a trip report from his visit. He had not in fact sent such an email, although it wouldn’t have been unusual for him to do so. I spoke to the IT manager at the think tank, who confirmed that the researcher was indeed tricked into opening the attachment, and that it did contain malware.

And this was just in the last three weeks. I could go on for pages describing various things we have seen over the past two/three years (two more here), but you get the gist. For small NGOs like mine, protecting against infiltration, monitoring our systems for intrusions, and educating our staff to recognize potential hazards has become a huge drain on our already limited resources. The frustrating thing is that there is pretty much nothing we can do about it, except to remain diligent. But at least I’m glad that the issue is continuing to get coverage in the mainstream press.

* Gemmy, from a 2009 comment on GhostNet
Link

Turning IT Into a Profit Centre

Jeffrey Carr has some amusing thoughts on transforming IT in corporate businesses from a cost to a profit centre. Just a taste of the humour:

The good news, or at least potential good news since no one is doing this yet, is that the undiscovered malware lurking on corporate networks potentially represent tens or hundreds of thousands of dollars in income for the corporation. And since it resides on the corporate network, it becomes the property of that corporation. All of a sudden, something that you’ve viewed only as a threat and an expense has become a valuable commodity thanks to the trend in selling offensive malware to government agencies.

One can easily imagine how his article, slightly reworked, would have made an excellent April fool’s column.