Links for 11-04-2012

These are my links for 11-04-2012:

  • An Anatomy of US Cyber Command – United States Cyber Command (USCYBERCOM) is America’s answer to cyber warfare, but who are they and what groups make this elite team up?
Comments are closed

Links for 23-01-2012

These are my links for 23-01-2012:

  • Dutch Council on Int’l Affairs’ Advise On Digital Warfare – In December 2011 the Dutch Advisory Council on International Affairs published an advisory (.pdf, in Dutch) entitled "Digitale Oorlogsvoering" (English: "Digital Warfare") intended for the Dutch government. The council describes itself as "an independent body which advises government and parliament on foreign policy, particularly on issues relating to human rights, peace and security, development cooperation and European integration". Its existence originates in Dutch law (.pdf, in Dutch). The council is administratively co-located at the Dutch Ministry of Foreign Affairs.
Comments are closed

Links for 16-12-2011

These are my links for 16-12-2011:

  • A Few Chinese Hacker Teams Do Most US Data Theft – ABC News – As few as 12 different Chinese groups, largely backed or directed by the government there, do the bulk of the China-based cyberattacks stealing critical data from U.S. companies and government agencies, according to U.S. cybersecurity analysts and experts.
Comments are closed

Was India Behind Stuxnet?

Why not? Why should we miss out on the party fun?

First it was the American and then the Israelis and then the joint US-Israel angle and now, we have the Russians as suspected makers of Stuxnet. Now, I ask you, why not the Indians? Don’t bother to answer, it was a rhetorical question – I know the odds against it!

On a more serious note, the article linking Russians to Stuxnet does everything except link them. It goes on to provide a good old Cold War story of why the Russians would want to sabotage the Iranian nuclear program

“their companies’ profit margins will benefit as long as the Iranians keep Russian scientists and engineers in country, who can oversee Iranian nuclear progress”

and why they would rather let the American and Israelis be given the credit

“its designers wouldn’t want it traced back to the Kremlin, and so it would have to appear as if it were a clandestine operation by an adversary that didn’t have access to the gateway entry points”

It even goes on to speculate on Russian expertise

“Russian scientists and engineers are familiar with the cascading centrifuges whose numbers and configuration – and Siemen’s SCADA PLC controller schematics – they have full access to by virtue of designing the plants.”

What is missing, of course, is the tiniest shred of evidence supporting this claim or even circumstantial evidence that Russian possesses enough cyber power to carry out such a well orchestrated cyber attack.

Comments { 0 }

Duqu: an indicator of the next Stuxnet?

The December 2011 issue of Pragati carries an article titled “Duqu: an indicator of the next Stuxnet?” by yours truly, reproduced below.

Stuxnet worm was first reported in June 2010 and was credited with several exploits, including sabotaging the Iranian nuclear reactors and possibly even causing the malfunction of the INSAT-4B communication satellite. Now, more than one year on, security experts think that they have stumbled upon a worm that is being described as the precursor to the next Stuxnet and potentially written by the same people who wrote the Stuxnet, or at least by someone who had access to the source code of the Stuxnet worm.

Named Duqu, the worm was first reported by the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary on 1st September 2011. The name given to the worm came about due to the “~DQ” prefix that was given to the files it created on the system that it infected. Further analysis by Internet security firm Symantec revealed that the worm may have been in the wild since November 2010 and has so far infected computers in eight countries, including India, and potentially four more.

Just like Stuxnet, Duqu makes use of a 0-day vulnerability against Microsoft to exploit the operating system and install the components of the worm stealthy and just like Stuxnet, it also installs a driver with a valid digital signature, the digital certificate used for this seem to have been stolen from a company in Taiwan.

However the similarities do not carry over to the suspected intention of the worms. It is now accepted that Stuxnet was written with the intention of compromising industrial control and monitoring systems, often called Supervisory Control and Data Acquisition (SCADA) systems and specifically targeted at the Iranian atomic program, while it is believed that Duqu does not contain any code related to industrial control systems and is primarily a malware designed to give the attacker complete control over the compromised machine remotely, often termed a Remote Access Trojan (RAT). It is also believed to install malwares that records keystrokes and collect other system information from the compromised machine. The attackers were most probably looking for information that could be used in a future attack, hence the description of Duqu being a “precursor to the next Stuxnet.” It does make one wonder as to what we may have missed that was the real precursor to the Stuxnet worm.

Other than the fact that machines in India have been infected with the Duqu virus, there is another curious connection to the Indian cyberspace. Malwares like Duqu use external Command and Control (C&C) servers as a means for the attackers to remotely control the malware, for example to download new executable onto the infected machine, exfiltrate sensitive information from them, update the malware itself and sometimes even to destroy or deactivate it. One of the only three C&C server identified for Duqu was hosted on the IP address 206.183.111.97. This IP address and the virtual private server (VPS) that it belonged to was being hosted by Web Werks, a Mumbai-based hosting company. According to the company, the VPS belonged to a client in Milan, Italy and because it was a system that was being managed by the client itself, Web Werks did not have any control over what was running in it.

According to reports, officials from the Indian Computer Emergency Response Team (CERT-In) have obtained an image of the VPS before taking it offline. Interestingly, there is no mention of the operation anywhere on CERT-In’s website and officials have refused to comment on the development as it pertains to ongoing investigation.

Getting hold of the C&C servers however doesn’t seem to have done the investigators a whole lot of good though. Recent reports from Symantec indicate that all the three C&C servers, including the one hosted at Web Werks have been setup to forward all the traffic from the worm to other servers, making the discovery of the final endpoint of the C&C chain hard to pinpoint.

The last few year have seen a drastic uptick in the incidents related to cyber crime and the case of Stuxnet and Duqu have shown us that the new generation of malware are being continually honed for purposes that go beyond pranks, notoriety or money.

Stuxnet opened the Pandora’s box and there is no closing it.

Comments { 0 }

Cost of cybercrime

Assessing the cost of cybercrime is extremely hard, not just because of the nature of the crime, the differing definitions and actors involved but also because of hype-cycle surrounding the area and the inflated numbers thrown out. Kings of War takes to task the cost estimate of £27 billion provided by the UK Cabinet Office and Detica.

While I completely agree with the view that the £27 billion figure looks inflated, some of the counterpoints stated in the post is also weak.

The figure of £30 million damage is to be contrasted by the worldwide market of scareware estimated at £114 million. The UK would therefore represent 26% of the share of this market for an online population representing only less than 2% of the global online population. Why the discrepancy?

“2%” of global population does not say much. It might seem like a small number when compared to the “26%” market share but other factors need to be considered. For example, China and India occupies a good percentage of global online population but that population may  not really care when a scary message prompts them to buy a (fake) anti-virus software. Even if they care, the default mode of operation could be different that click on a link and spend money online to buy the anti-virus. I have no concrete numbers to provide nor any specific study to quote, however given first hand experience, I would be surprised if I am too far off the mark. A little knowledge is dangerous and it applies to cybersecurity as well.

And regarding consumer data loss: all the 3 legal cases in 2010 where the Computer Misuse Act 1990 was invoked concerned a breach of confidentiality, and no data were deleted. Thus the cost of consumer data loss reported to the police would be zero.

Consumer data may not have been deleted but given that confidentiality has been breached, it is naive to think that the cost of the data loss would be zero. For example, if my credit card details were compromised (but not deleted), I would have to go through the motion of reporting it, getting it revoked, replacing it etc. Of course this would mean costs imposed on the credit card company too. These can add up very quickly.

All these discussions go on to show that guesstimating the (real) cost of cyber crime is not an easy task and therein lies a big problem – if one cannot estimate such a number then one cannot set aside an appropriate budget for fighting the crime. After all, security is a lot about economics.

Comments { 0 }

Links for 26-11-2011

These are my links for 26-11-2011:

Comments are closed

Links for 25-11-2011

These are my links for 25-11-2011:

  • Cyber Security Strategy | Cabinet Office – The new Cyber Security Strategy was published on 25 November 2011. It sets out how the UK will support economic prosperity, protect national security and safeguard the public’s way of life by building a more trusted and resilient digital environment.
  • Cyberwarfare and its damaging effects on citizens – The paper analyzes the damaging effects, in terms of loss of human lifes, that an hypothetical cyber-war or individual acts of cyberwarfare could cause to citizens of a nation under attack.
Comments are closed

Links for 17-11-2011

These are my links for 17-11-2011:

  • Geneva Convention-like pact is required on cyber security – Home – livemint.com – Ross Perot Jr, the son of an American billionaire who twice ran unsuccessfully for the office of the President of the US, talks about the importance of having a secure cyberspace for digital commerce, the need to have a Geneva Convention-like agreement on cyber security and the disagreements between nations on a common global framework. India will host the third global conference on cyber security next year.

    Repeat after me – cybercrime != cyberwar

Comments are closed

Links for 14-11-2011

These are my links for 14-11-2011:

Comments are closed