On Tuesday, researchers from Symantec’s Security Response team released a report offering proof that the Stuxnet worm that targeted industrial facilities in Iran—most especially the Natanz uranium enrichment facility suspected to be part an Iranian effort to produce nuclear weapons— is two years older than previously thought. The 18-page report reveals that development of the malware dates back to 2005, although it first appeared in the wild in 2007. It wasn’t identified until July 2010. What explains the two-year lead time? An extended refinement process was probably part of what made Stuxnet and its precursor, Flame, so sophisticated. The exploits these bits of malware pulled off without attracting attention were “nothing short of amazing,” Mikko H. Hypponen, chief research officer for F-Secure, a security firm in Helsinki, Finland, told IEEE Spectrum. Furthermore, says Hypponen, “You need a supercomputer and loads of scientists to do this.” Symantec acknowledges that Stuxnet, which was designed to “take snapshots of the normal running state of the system, replay normal operating values during an attack so that the operators are unaware that the system is not operating normally… [and] prevent modification to the [compromised system] in case the operator tries to change any settings during the course of an attack cycle” is among the most complicated coding ever seen.
For more on how Stuxnet really worked and on the efforts to track it down, see “The Real Story of Stuxnet” in this month’s issue of IEEE Spectrum.
Advanced Malware Escapes Sandbox with Help from Twitter
New malware designed to steal sensitive information exploits a patched sandbox-bypass vulnerability in Adobe Reader. The malicious code, dubbed MiniDuke by the researchers at Kaspersky Lab and CrySyS Lab, who discovered it and released a report about it this week, has attacked the systems of government agencies in 23 countries, mostly in Europe. Among its novel features are the use of steganography to hide the code it uses to create, then slip in and out of backdoors in the compromised systems; the ability to assess whether a computer is in use; and the ability to determine what detection capability the machine has. MiniDuke can also reach out to Twitter accounts created by the attackers to access tweets seeded with information pointing to command and control servers offering continually updated commands and encrypted backdoors. MiniDuke successfully bypassed the sandbox protection in Adobe Reader despite a patch meant to cover the vulnerability added on 20 February.
The Kaspersy and CrySyS researchers report that the malware is introduced via social engineering. A PDF claiming to contain information about Ukraine’s foreign policy and NATO membership plans and one purporting to provide information about a human rights seminar are laced with the infection.
“This is a unique and very strange attack. The many different targets hit in separate countries, together with the high profile appearance of the decoy documents and the weird backdoor functionality indicate an unusual threat actor,” says the Kaspersky and CrySyS report.
Cryptography No Longer an Effective Security Measure?
“We need to think about security in a post-cryptography world,” says Adi Shamir, a luminary in the world of public-key cryptography. That comment was part of his remarks at the Cryptographers’ Panel session at the RSA Conference on Tuesday. Shamir, who helped design the original RSA algorithm, noted that because advanced persistent threats (APTs) have penetrated even the most secure computer systems, “We should rethink how we protect ourselves.” He reasons that, “It’s very hard to use cryptography effectively if you assume an APT is watching everything on a system.”
Internet Service Disruptions for Copyright Scofflaws
On Monday, leading U.S. Internet service providers announced that a program under which they will disrupt Internet access for repeat online copyright offenders has begun. The “Copyright Alert System” for which the nation’s major record labels and Hollywood studios strongly lobbied, features “mitigation measures” (.pdf) that kick in after four documented instances of unauthorized use or distribution of copyrighted material. These measures include slowing the user’s Internet download speed and redirecting their browser to an “educational” landing page about infringement. Though the Digital Millennium Copyright Act calls for ISPs to cancel the accounts of repeat copyright offenders, the newly created Center for Copyright Information, which is in charge of the Copyright Alert System, insists that it will not wield that weapon.
U.S. High Court Dismisses Government Cybersnooping Case
On Tuesday, the U.S. Supreme Court dismissed a legal challenge to the federal government’s warrantless electronic communications surveillance program. The 5-4 decision (.pdf) supported the government’s claim that wiretapping laws cannot be challenged in court. But its main conclusion was that the American Civil Liberties Union, journalists and human-rights groups that sought to end the warrantless snooping made permissible by the FISA Amendments Act, also known as §1881, had no right to sue. The majority’s rationale: “[The groups] have no actual knowledge of the Government’s §1881a targeting practices. Instead, [they] merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired under §1881a.” So, in other words, because the plaintiffs couldn’t present black-and-white evidence that their calls and e-mails to people outside the country had been intercepted, they couldn’t demand that the government quit doing it. The High Court was not moved by the groups’ claims that the 2008 legislation has chilled their speech and violated their privacy rights under the Fourth Amendment.
Observers note that if the Supremes hadn’t dismissed the challenge, the government would have likely batted it away by invoking the state secrets privilege, claiming that the suit threatened to expose national security secrets.
Category: Internet Crime