[FoRK] SANS NewsBites Vol. 14 Num. 44 : FLASH: President Obama (and predecessor) ordered Stuxnet and campaign of cyber attacks against Iran's nuclear program

Damien Morton dmorton at bitfurnace.com
Fri Jun 1 14:02:31 PDT 2012

Why the fuck is the US allowing Israel to modify its sabotage malware?

On Fri, Jun 1, 2012 at 4:13 PM, Stephen D. Williams <sdw at lig.net> wrote:

> FLASH: The New York Times reported this morning that President Obama
> (and his predecessor) ordered a sophisticated campaign of cyberattacks
> against Iran's nuclear program, and has either attacked or considered
> attacking networks in China, Syria, and North Korea as well. Because
> the publication of this story is likely to herald substantive and
> far-ranging changes in the way cybersecurity is managed in the US and
> in many other countries, we have included an analysis by Gautham Nagesh.
> Under normal circumstances, his thoughtful, in-depth analyses are
> available only to paid subscribers to CQ Roll Call "Executive Briefing
> on Technology." This is an abnormal circumstance. There is great value
> in the security community understanding that the game has changed, and
> what it means.
> Alan
> PS Another very valuable piece of cybersecurity reporting will appear
> on the front page of the Washington Post on Sunday or Monday and then
> be discussed on National Public Radio (the Diane Rehm show) on Monday
> morning.
> --President Obama Ordered Stuxnet and More Attacks on Iran
> (June 1, 2012)
> (By Gautham Nagesh, CQ Executive Briefing on Technology)
> The New York Times has a bombshell this morning: President Obama began
> ordering cyberattacks on Iran within days of taking office. The story,
> which is a must-read, finally confirms what many cybersecurity experts
> have suspected: the Stuxnet worm, which disabled industrial equipment
> in Iran and Europe, was originally designed by Israel and the U.S. to
> slow down Iran's nuclear enrichment plant. The virus' escape from Iran's
> Natanz plant and subsequent discovery in Germany in 2010 was a mistake
> that U.S. authorities blamed on Israel. Former CIA chief Michael Hayden
> also acknowledged to the Times that Stuxnet is the first major
> cyberattack intended to cause physical destruction (to Iranian
> centrifuges). "Somebody crossed the Rubicon," he said.
> The article includes a history of the classified cyberweapons program,
> dubbed "Olympic Games," which began under President Bush, and includes
> details of how President Obama decided that digital attacks were
> preferable to a potential military conflict between Iran and Israel. But
> the bottom line is that President Obama (and his predecessor) ordered a
> sophisticated campaign of cyberattacks against Iran's nuclear program,
> and has either attacked or considered attacking networks in China,
> Syria, and North Korea as well. The Obama administration previously
> acknowledged that it might respond to cyberattacks with physical force,
> but the report makes it clear that even as the U.S. was making those
> threats, it was perpetrating cyberattacks on the very nations it accuses
> of targeting its networks.
> In doing so, the White House has seemingly opened a Pandora's box.
> Administration officials have placed a greater emphasis on cybersecurity
> and the threat to our nation's networks than any previous
> administration, doubtless because they had first-hand knowledge of just
> how much damage sophisticated cyberattacks are capable of causing. Those
> officials might have also feared reprisals from nations that were
> targeted by Stuxnet and other digital attacks from the U.S. The
> revelation also sheds some light on the Pentagon's reluctance to outline
> its cyberwarfare policies in detail, since doing so might have involved
> disclosing to Congress that the U.S. already was fully engaged in online
> battle.
> Having taken such an aggressive stance on deploying Stuxnet, it will be
> very difficult for the U.S. to keep casting itself as the innocent
> victim of unprovoked attacks by countries looking to steal our economic
> and military secrets. Today's report makes it clear that the White House
> long ago decided to embrace digital warfare, and puts the onus squarely
> back on the administration to clearly explain its rules of engagement
> online. But the greatest impact may be internationally, where hostile
> nations now have confirmation the U.S. could be targeting their
> networks. If hackers in those countries weren't already attempting to
> take down U.S. critical infrastructure, they probably are now.
> http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=1&pagewanted=all
>>
>> Then the N.S.A. and a secret Israeli unit respected by American
>> intelligence officials for its cyberskills set to work developing the
>> enormously complex computer worm that would become the attacker from within.
>> The unusually tight collaboration with Israel was driven by two
>> imperatives. Israel’s Unit 8200, a part of its military, had technical
>> expertise that rivaled the N.S.A.’s, and the Israelis had deep intelligence
>> about operations at Natanz that would be vital to making the cyberattack a
>> success. But American officials had another interest, to dissuade the
>> Israelis from carrying out their own pre-emptive strike against the Iranian
>> nuclear facilities. To do that, the Israelis would have to be convinced
>> that the new line of attack was working. The only way to convince them,
>> several officials said in interviews, was to have them deeply involved in
>> every aspect of the program.
>> Soon the two countries had developed a complex worm that the Americans
>> called “the bug.” But the bug needed to be tested. So, under enormous
>> secrecy, the United States began building replicas of Iran’s P-1
>> centrifuges, an aging, unreliable design that Iran purchased from Abdul
>> Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making
>> technology on the black market. Fortunately for the United States, it
>> already owned some P-1s, thanks to the Libyan dictator, Col. Muammar
>> el-Qaddafi.
>> When Colonel Qaddafi gave up his nuclear weapons program in 2003, he
>> turned over the centrifuges he had bought from the Pakistani nuclear ring,
>> and they were placed in storage at a weapons laboratory in Tennessee. The
>> military and intelligence officials overseeing Olympic Games borrowed some
>> for what they termed “destructive testing,” essentially building a virtual
>> replica of Natanz, but spreading the test over several of the Energy
>> Department’s national laboratories to keep even the most trusted nuclear
>> workers from figuring out what was afoot.
>> Those first small-scale tests were surprisingly successful: the bug
>> invaded the computers, lurking for days or weeks, before sending
>> instructions to speed them up or slow them down so suddenly that their
>> delicate parts, spinning at supersonic speeds, self-destructed. After
>> several false starts, it worked. One day, toward the end of Mr. Bush’s
>> term, the rubble of a centrifuge was spread out on the conference table in
>> the Situation Room, proof of the potential power of a cyberweapon. The worm
>> was declared ready to test against the real target: Iran’s underground
>> enrichment plant.
>> “Previous cyberattacks had effects limited to other computers,” Michael
>> V. Hayden, the former chief of the C.I.A., said, declining to describe what
>> he knew of these attacks when he was in office. “This is the first attack
>> of a major nature in which a cyberattack was used to effect physical
>> destruction,” rather than just slow another computer, or hack into it to
>> steal data.
>> “Somebody crossed the Rubicon,” he said.
>> Getting the worm into Natanz, however, was no easy trick. The United
>> States and Israel would have to rely on engineers, maintenance workers and
>> others — both spies and unwitting accomplices — with physical access to the
>> plant. “That was our holy grail,” one of the architects of the plan said.
>> “It turns out there is always an idiot around who doesn’t think much about
>> the thumb drive in their hand.”
>>  ...
>> But by the time Mr. Bush left office, no wholesale destruction had been
>> accomplished. Meeting with Mr. Obama in the White House days before his
>> inauguration, Mr. Bush urged him to preserve two classified programs,
>> Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush’s
>> advice.
>> *The Stuxnet Surprise*
>> Mr. Obama came to office with an interest in cyberissues, but he had
>> discussed them during the campaign mostly in terms of threats to personal
>> privacy and the risks to infrastructure like the electrical grid and the
>> air traffic control system. He commissioned a major study on how to improve
>> America’s defenses and announced it with great fanfare in the East Room.
>> What he did not say then was that he was also learning the arts of
>> cyberwar <http://topics.nytimes.com/top/reference/timestopics/subjects/c/cyberwarfare/index.html?inline=nyt-classifier>.
>> The architects of Olympic Games would meet him in the Situation Room, often
>> with what they called the “horse blanket,” a giant foldout schematic
>> diagram of Iran’s nuclear production facilities. Mr. Obama authorized the
>> attacks to continue, and every few weeks — certainly after a major attack —
>> he would get updates and authorize the next step. Sometimes it was a strike
>> riskier and bolder than what had been tried previously.
>> “From his first days in office, he was deep into every step in slowing
>> the Iranian program — the diplomacy, the sanctions, every major decision,”
>> a senior administration official said. “And it’s safe to say that whatever
>> other activity might have been under way was no exception to that rule.”
> --Pentagon's Plan X Aims to Develop Robust Cyberwarfare Capabilities
> (May 30, 2012)
> The Pentagon's Defense Advanced Research Projects Agency (DARPA) is
> launching a five-year, US $110 million research program dubbed Plan X.
> DARPA is seeking input from private sector organizations, universities,
> and computer game companies in its effort to develop improved
> cyberwarfare capabilities. Goals include creating a comprehensive map
> of cyberspace that is updated continuously, developing an operating
> system strong enough to launch cyber attacks and withstand
> counterattacks, and creating systems that allow commanders to launch
> speed-of-light attacks.
> http://www.washingtonpost.com/world/national-security/with-plan-x-pentagon-seeks-to-spread-us-military-might-to-cyberspace/2012/05/30/gJQAEca71U_story.html
> --US Legislators Poised to Reauthorize FISA Amendments Act
> (May 31, 2012)
> US legislators appear to be ready to reauthorize the FISA Amendments
> Act, which grants the government authority to conduct warrantless
> surveillance on American citizens. The law allows the government to
> eavesdrop on phone calls and email correspondence of Americans as long
> as one of the parties in the conversation is outside the US. The FISA
> Amendments Act requires the Foreign Intelligence Surveillance Act Court
> to give blanket approval to electronic surveillance requests. The target
> of the surveillance does not have to be identified, and the surveillance
> can begin up to a week before the request is made. The FISA Court
> rulings are not public. Some US legislators did say that intelligence
> agencies need to be more accountable for how they are using the
> authority.
> http://www.wired.com/threatlevel/2012/05/congress-mulls-spy-powers/
> --Backdoor in Privacy Tool Sparks Concern Over Cyber Surveillance in Iran
> (May 30, 2012)
> Versions of a privacy tool called Simurgh that contain backdoor
> components have been detected on filesharing sites in Iran, leading to
> speculation that the government could be using the software to spy on
> its citizens. Simurgh, a proxy tool, is widely used in Iran to evade
> censorship technology that the government has put in place. Simurgh in
> its original form is standalone software that can be run from a USB
> stick. The version with the backdoor must be installed on PCs. It has
> the capacity to log users' keystrokes and gather information about which
> sites they visit. The harvested data are sent to US-based servers that
> are registered to a Saudi Arabian organization. Because both versions
> of the software connect with a page that confirms the use of a proxy,
> the developers are using the opportunity to warn users whose versions
> appear to be infected.
> http://www.theregister.co.uk/2012/05/30/trojaned_privacy_tool_hits_iran/
> [Editor's Note (Ullrich): Hashes are good. Even better to have the
> software digitally signed. If you are publishing software, and you are
> not offering signatures, you are putting your customers (and with that
> your reputation) at risk.]
> --White House Anti-Botnet Effort
> (May 29 & 30, 2012)
> The US government is planning to take a number of steps in an effort to
> fight botnets. The coordinated efforts will be undertaken by the
> Departments of Commerce and Homeland Security, the White House
> Cybersecurity Office, and the Industry Botnet group, a coalition of
> private organizations. Plans include increased sharing of information
> about botnets among government agencies and private organizations and a
> campaign to educate consumers about botnets.
> http://krebsonsecurity.com/2012/05/white-house-aims-to-stoke-botnet-fight/
> http://www.computerworld.com/s/article/9227569/White_House_launches_coordinated_effort_to_battle_botnets?taxonomyId=17
> http://news.cnet.com/8301-1009_3-57443380-83/white-house-prepares-to-convene-anti-botnet-summit/
> http://www.darkreading.com/threat-intelligence/167901121/security/antivirus/240001203/obama-administration-partners-with-industry-to-fight-botnets.html
> http://www.nextgov.com/cybersecurity/2012/05/new-partnership-aims-combat-zombie-computer-networks/55974/?oref=ng-channelriver
> [Editor's Note (Ullrich): The US Govt. might consider just declaring
> Wednesday "Botnet Day". Appears these efforts spring up about once a
> week.]
> --Pentagon to Issue New Social Media Policy for DoD Employees
> (May 25 & 29, 2012)
> A new policy to be used by the Pentagon will require troops to hide
> certain identifying information on social media sites. There have been
> reports that hackers could gather sensitive information, including
> military unit location, from some social media posts. The new policy
> comes in the wake of an attack on a dating site that compromised the
> personal information of military users. The new policy will require that
> DoD employees "use non-mission related contact information ... to
> establish personal accounts."
> http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/05/no-more-dot-mil-accounts-dating-sites/55930/?oref=ng-voicestop
> http://gcn.com/articles/2012/05/29/dod-social-media-policy-no-dot-mil.aspx
> [Editor's Note (Murray): We call this "operational security," OPSEC for
> short. OPSEC policy must be implemented with training.
> sdw