Cyber War/Guerre informatique

Citation :

la Marine victime du virus Conficker-Downadup
Thierry Noisette, publié le 9 février 2009

Sécurité - Le réseau interne de la Marine française a été touché par le virus Conficker (ou Downadup) qui a infecté des millions de PC dans le monde. Elle a dû couper son réseau pour le traiter le mois dernier, en collaborant directement avec Microsoft.
L'armée française a été victime en janvier du virus Downadup-Conficker, comme l'a rapporté la lettre Intelligence Online, elle-même citée sur le blog du spécialiste de la défense de Libération, Jean-Dominique Merchet.
Contactée par ZDNet.fr, la Marine confirme ce lundi que « dans la seconde quinzaine de janvier, le virus Conficker a été introduit par négligence, par une clé USB, dans le réseau interne de la Marine, Intramar ». Le lieutenant de vaisseau Rivayrol, du Sirpa Marine, nous indique que le réseau a dès lors été coupé « pour éviter la propagation du virus et procéder à la maintenance sur les postes ». « Intramar a été isolé des autres réseaux du ministère de la Défense, avec lesquels existent en temps normal des passerelles de communication. »
Mais « cela n'a eu aucun effet sur les systèmes opérationnels de la Marine, ni avions ni autres ». Intelligence Online affirmait que les Rafale de la Marine auraient été cloués au sol faute d'avoir pu télécharger leurs paramètres de vol. Ce qui a été arrêté quelques jours concernait seulement la messagerie, précise notre interlocutrice : « On a des réseaux sécurisés militaires, qui ont servi en remplacement pendant la coupure d'Intramar, et Internet. Mais ces trois réseaux, Intramar, Internet et réseaux sécurisés sont complètement séparés, il n'y a aucun lien entre eux. »
Intramar relie plusieurs milliers de postes informatiques, dont « moins de 2 % ont été touchés par le virus ».

Une faille traitée en 48 heures
Pourquoi ce décalage entre un patch publié par Microsoft (le virus touche une faille Windows, notamment sous Windows 2000, XP et Vista) en octobre et des ordinateurs atteints en janvier ?
« Il y avait un petit défaut dans le patch qui ne prenait pas en compte en totalité Conficker, explique le lieutenant Rivayrol. Ce patch avait été installé sur l'ensemble des postes de la Marine, mais cela n'a pas suffi. Par contre, le réseau d'alerte ministériel et interministériel a immédiatement été mobilisé. Il a directement travaillé avec Microsoft pour mettre au point un patch traitant cette faille-là, ce qui a été fait en moins de 48 heures. Le dispositif d'alerte a très bien fonctionné, et le virus n'a du coup eu aucune conséquence pour d'autres armes ni ailleurs dans le ministère. »
Les experts américains du Computer Emergency Response Team (Cert) avaient mis en cause la méthode de Microsoft pour bloquer la propagation du ver Downadup.
L'armée française n'est pas la seule à avoir été éprouvée par Conficker, qui a contaminé des millions d'ordinateurs dans le monde. Le ministère britannique de la Défense, et en particulier la Royal Navy, ont également été touchés par le virus le mois dernier.

http://www.zdnet.fr/actualites/informatique/0,39040745,39387036,00.htm

pas tres prof de l´officier d´utiliser un USB en publique et apres en Intramar...j´aurai bien aimé voir un Rafale hacké ce qu´il va faire

Citation :

MOSCOU, 25 février - RIA Novosti. Les pays les plus développés du monde auront d'ici deux ou trois ans la possibilité de mener de véritables guerres de l'information, a déclaré mercredi devant des journalistes le chef adjoint de l'Etat-major général des forces armées russes le général Anatoli Nogovitsyne.
Les principaux objectifs de ces guerres seront la perturbation du fonctionnement des systèmes de défense, industriels et administratifs clefs de l'ennemi", ainsi qu'"un impact info-psychologique sur sa population, ses troupes et sa direction, avec recours aux technologies de l'information modernes", a indiqué le militaire.
Selon le général, une guerre de l'information présente des traits caractéristiques qui la différencient d'une guerre traditionnelle, crée de nouveaux problèmes et mérite de ce fait une attention soutenue.
Le coût peu élevé de la mise au point et de l'application de l'arme informationnelle en est la principale caractéristique, a rappelé le chef adjoint de l'Etat-major général.
"Le coût de l'élaboration des moyens de qualité pour mener une info-guerre est relativement faible et est donc accessible à un vaste éventail de protagonistes", a-t-il indiqué.
Les moyens élaborés en vue d'une guerre de l'information peuvent donc constituer "un outil puissant de manipulation par la perception", a ajouté le général.

Citation :

DCNS présente son premier démonstrateur de table tactique 3D



A l'occasion du salon Laval Virtual, qui se tient jusqu'à dimanche dans la capitale de la Mayenne, DCNS présente son premier démonstrateur de table tactique en trois dimensions, qui permet de passer d'une représentation à plat à un rendu 3D. Ce démonstrateur est un prototype développé en partenariat avec le Centre Lavalois de Recherche Technologique (CLARTE). Il permet de passer d'une représentation à plat à un rendu 3D, plus conforme à la réalité. Cette présentation reproduit les strates d'altitude : espace aérien, surface de la mer, fonds sous-marins où évoluent différents bâtiments (navires, sous-marins, aéronefs, etc.).
Concrètement, l'utilisateur se trouve face à deux écrans perpendiculaires. Equipé de lunettes 3D, il va pouvoir, en fonction de ses propres mouvements suivis par des caméras infra-rouge (technologie du tracking), visualiser dans l'espace et en relief la situation tactique d'ensemble de façon plus immédiate. A l'aide du doigt comme dispositif de pointage dans l'espace, il pourra aisément accéder aux informations sur les bâtiments présents dans cette situation, explique le groupe naval.
Issu des travaux de DCNS et CLARTE dans le domaine des applications de la réalité virtuelle à la conception des navires de combat, ce démonstrateur de table tactique préfigure ce que pourrait être la conduite des opérations dans les navires futurs. Dans une prochaine étape, il visera à connecter la table avec des simulateurs, des données et équipements réels d'un système de combat.
Pour améliorer la qualité de l'information mise à disposition des utilisateurs en mer et à terre, DCNS conduit depuis plusieurs années une politique de veille technologique et de développements en R&D. La mise en oeuvre d'une nouvelle interface de mise à disposition d'informations repose sur une double approche. « Nous avons travaillé à la fois sur le développement de nouvelles technologies et sur une analyse du facteur humain pour produire aujourd'hui un premier démonstrateur de table tactique 3D, adapté aux attentes des utilisateurs », explique Yves Le Thérisien, Responsable du domaine Réalité Virtuelle au sein de DCNS.

y´a des breches dans l´ATC americain,en fevrier y´a eu un hacking de la FAA..

Citation :

China at War with U.S….Cyber War
Looking to gain the upper hand in any future cyber conflicts, China is probably spying on U.S. companies and government, according to a report commissioned by a Congressional advisory panel monitoring the security implications of trade with China.

The report outlines the state of China's hacking and cyber warfare capabilities, concluding that "China is likely using its maturing computer network exploitation capability to support intelligence collection against the U.S. government and industry by conducting a long term, sophisticated computer network exploitation campaign." Published Thursday, the report was written by Northrop Grumman analysts commissioned by the US-China Economic and Security Review Commission.

Government agencies and military contractors have been hit with targeted, well-crafted attacks for years now, many of which appear to have originated in China. But this report describes in detail how many of these attacks play out, including an attack that exploited an unpatched flaw in Adobe Acrobat that was patched earlier this year.

Citing U.S. Air Force data from 2007, the report says at least 10 to 20 terabytes of sensitive data has been siphoned from U.S. government networks as part of a "long term, persistent campaign to collect sensitive but unclassified information." Some of this information is used to create very targeted and credible phishing messages that then lead to the compromise of even more computers.

Northrop Grumman based its assessment largely on publicly available documents, but also on information collected by the company's information security consulting business.

The report describes sophisticated, methodical techniques, and speculates on possible connections between Chinese government agencies and the country's hacker community, increasingly a source of previously unknown "zero-day" computer attacks.

"Little evidence exists in open sources to establish firm ties between the [People's Liberation Army] and China's hacker community, however, research did uncover limited cases of apparent collaboration between more elite individual hackers and the [People's Republic of China's] civilian security services," the report says.

If true, that wouldn't be much of a surprise. The U.S. government has had a presence at the Defcon hacker convention for years now, and the U.S. Department of Defense has even started using it as a recruitment vehicle in recent years.

The Adobe Acrobat attack was supplied by black hat programmers to attackers who targeted an unnamed U.S. firm in early 2009. Working nonstop in shifts, the attackers snooped around the network until an operator error caused their rootkit software to crash, locking them out of the system.

In a typical targeted attack, the victim receives an email message containing a maliciously crafted office document as an attachment. It might be disguised to look like the schedule or registration form for an upcoming conference, for example. When it's opened, the zero-day attack executes and cyberthieves start collecting information that might be used in future campaigns. They sniff network and security settings, look for passwords, and even alter virtual private network software so they can get back into the network. In some cases they've installed encrypted rootkits to cover their tracks, or set up staging points to obscure the fact that data is being moved off the network.

In another case cited by Northrop Grumman, the attackers clearly had a predefined list of what they would and would not take, suggesting that they had already performed reconnaissance on the network. "The attackers selected the data for exfiltration with great care," the report states. "These types of operational techniques are not characteristic of amateur hackers."

Earlier this year, Canadian researchers described a similarly sophisticated cyberespionage network, called GhostNet, launched against international government agencies and pro-Tibetan groups such as the Office of His Holiness the Dalai Lama.

Although the GhostNet report authors did not link the spying to the Chinese government, some researchers did.

=> A LIRE ABSOLUMENT: un rapport important,publié par northrop sur les capacités de guerre cybernétique de la chine
http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf

Citation :

Israël, les USA et la Russie prêts pour les futures cyber-guerres


McAfee (l’éditeur d’anti-virus) révèle dans son 5ème rapport annuel sur la criminalité virtuelle que la course mondiale aux cyber-armes n’est plus une fiction. L’étude souligne l’accroissement d’attaques contre l’informatique à but politique, et montre que la France, les États-Unis, Israël, la Chine et la Russie disposent de cyber-armes puissantes.

« Nous avons commencé nos mises en garde contre le cyber-armement il y a plus de deux ans », déclare Dave DeWalt, Président et CEO de McAfee. « Nous rencontrons aujourd’hui de plus en plus de preuves de son existence réelle. Plusieurs pays étudient des moyens de guerre informatique ou ont entrepris des actions de ce type. Aujourd’hui, l’armement n’est plus seulement nucléaire mais aussi virtuel, et le monde doit s’adapter à cette menace ».

Le Virtual Criminology Report est le fruit des travaux de plus d’une vingtaine de grands experts mondiaux en relations internationales dont le Dr Jamie Saunders (conseiller à l’ambassade de Grande-Bretagne à Washington) et des experts de la sécurité de la National Security Agency des États-Unis. Le rapport a été compilé pour McAfee par Paul Kurtz, ancien conseiller à la Maison Blanche.

Le rapport propose la première définition de la cyber-guerre, cite les pays qui préparent des attaques et des défenses dans ce contexte, étudie en détail des exemples de cyber-guerre à motif politique, et révèle comment le secteur privé risque de se trouver malgré lui sous le feu croisé des belligérants. La censure gouvernementale pose également un problème majeur, car elle s’applique souvent aux cyber-attaques et aux informations associées, empêchant le secteur public et le secteur privé de se défendre correctement.

Les experts demandent une définition claire de la cyber-guerre et un débat ouvert sur le sujet. En l’absence d’échanges d’informations entre les gouvernements, le privé et le public, les cyber-attaques visant l’infrastructure critique pourraient être dévastatrices.

Une progression des attaques informatiques à visée politique

Au cours des 12 derniers mois, la progression des attaques informatiques à visée politique a déclenché l’alarme et suscité l’inquiétude. Rien qu’aux États-Unis, des attaques ont ainsi visé la Maison Blanche, le Département de la sécurité intérieure, l’U.S. Secret Service et le Department of Defense. Plusieurs pays ont des programmes actifs de mise au point de cyber-armes et sont engagés dans la course aux armements, avec pour cibles les réseaux gouvernementaux et les infrastructures critiques. Et les attaques de ce genre ne se limitent pas à des échanges virtuels entre ordinateurs, elles peuvent avoir des effets concrets et dévastateurs, avec des dommages physiques.

Les cyber-armes visent les infrastructures critiques

Les pays actifs dans la course au cyber-armement ne se contentent pas de concevoir des défenses. Ils mettent au point des attaques contre des infrastructures majeures telles que les réseaux de distribution de l’électricité, les transports, les télécommunications, la finance et les réseaux de distribution d’eau, car un minimum d’efforts peut conduire à des dommages rapides. Dans la plupart des pays développés, ces infrastructures critiques sont reliées à Internet. En l’absence de sécurisation appropriée, les installations associées sont vulnérables. Lorsque l’on ajoute au manque de protection le manque de préparation, il est clair qu’une attaque sur ces infrastructures causerait davantage de destructions que toutes les attaques précédentes.

La notion de cyber-guerre n’a pas été définie

La cyber-guerre met en jeu tellement d’acteurs et de méthodes différents que les règles d’un tel conflit n’ont pas été clairement définies. Le débat reste également ouvert sur le niveau de responsabilité des organisations dans l’éducation et la protection du public face aux cyber-attaques. En l’absence d’une définition appropriée, il est quasiment impossible de déterminer si la situation justifie une réponse politique ou une action militaire.

Le secteur privé est le plus exposé aux risques

Dans beaucoup de pays développés, l’infrastructure critique est sous la responsabilité du secteur privé, elle est donc une cible très intéressante dans le cadre d’un cyber-conflit. En matière de prévention des cyber-attaques, le secteur privé s’en remet largement au secteur public. Mais si le feu virtuel est déclenché, les balles perdues risquent de tomber aussi bien sur les gouvernements que sur les entreprises ou les citoyens. En l’absence de visibilité sur la stratégie de cyber-défense de l’Etat, le secteur privé ne peut se préparer et prendre les précautions appropriées. Les experts réclament donc une discussion publique sur la cyber-guerre, afin que le sujet sorte de l’ombre.

Citation :

Les États-Unis « vulnérables » sur le terrain de la cybersécurité
AFP
vendredi 30 juillet 2010
Les États-Unis sont vulnérables en matière de cybersécurité, où leur « flanc est à découvert », a déclaré jeudi le général à la retraite et ancien patron de la CIA Michael Hayden, au cours d’une conférence sur le sujet à Las Vegas.

« Notre flanc est totalement à découvert », a déclaré M. Hayden en utilisant la métaphore militaire. D’ailleurs, a-t-il dit à l’occasion de la conférence Black Hat consacrée à la sécurité des réseaux informatiques, « si vous incluez la collecte de renseignement dans la définition de la guerre, bien sûr qu’il y a une cyber-guerre ».

M. Hayden s’est dit « absolument émerveillé » par la campagne d’espionnage sur internet lancée par la Chine, tout en soulignant qu’elle n’était pas le seul pays à le pratiquer et que les Etats-Unis eux-mêmes étaient « très bons à cet exercice ».

Aucun pays au monde n’a promis de s’abstenir d’espionner sur internet, a-t-il rappelé.

Il a reproché au réseau internet une conception mettant l’accent sur le partage libre et rapide de l’information, qui donne un avantage à l’attaque par rapport à la défense.

« Vous créez un monde cybernétique qui ressemble à la plaine du nord de l’Allemagne et ensuite vous pestez et vous geignez parce que vous êtes envahis », a-t-il lancé au public de la conférence. « Sur le web, nous sommes tous traités comme la Pologne », envahie à de nombreuses reprises dans son histoire, a-t-il ajouté, filant la métaphore historico-guerrière.

Michael Hayden a appelé à la création de l’équivalent sur internet des rivières et des montagnes qui servent d’obstacles naturels contre les envahisseurs.

« Le monde cybernétique est un domaine comme la terre, l’air, l’eau et l’espace », a-t-il dit. « La différence, c’est que Dieu a créé ces quatre éléments et vous n’avez fait que le cinquième. Dieu a mieux travaillé ».

Pour lui, les États-Unis auraient dû être en première ligne pour imposer des codes de conduite sur internet il y a une décennie ou plus, lorsqu’ils avaient un avantage technologique qu’ils ont perdu face à d’autres pays.

« Avec cette balkanisation progressive, l’influence américaine s’affaiblit », a-t-il regretté.

Stuxnet pourrait etre la face cachee de l'iceberg de l'armement software destine a faire des dommages hardware.

Il y'a le sabotage/terrorisme comme stuxnet et le sabotage des systemes de controle industriel (SCADA) "Electricity Grid in U.S. Penetrated By Spies" http://online.wsj.com/article/SB123914805204099085.html ou en core "Windows Power Grid Worm is Just the Beginning" http://gigaom.com/cleantech/windows-power-grid-worm-is-just-the-beginning/

, et il y'a aussi l'espionnage en "sniffant" les donnees et utilisant des superordinateur pour faire de l'analyse de contenu/casser le cryptage. Un article sur la Chine: "How China swallowed 15% of 'Net traffic for 18 minutes" http://arstechnica.com/security/news/2010/11/how-china-swallowed-15-of-net-traffic-for-18-minutes.ars (notez que les autres pays doivetn faire de meme

http://www.f-secure.com/weblog/archives/00002040.html
http://www.nytimes.com/2010/03/21/world/asia/21grid.html

http://www.schneier.com/blog/archives/2007/10/staged_attack_c.html

http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components

Citation :

October 7, 2010
Stuxnet

Computer security experts are often surprised at which stories get picked up by the mainstream media. Sometimes it makes no sense. Why this particular data breach, vulnerability, or worm and not others? Sometimes it's obvious. In the case of Stuxnet, there's a great story.

As the story goes, the Stuxnet worm was designed and released by a government--the U.S. and Israel are the most common suspects--specifically to attack the Bushehr nuclear power plant in Iran. How could anyone not report that? It combines computer attacks, nuclear power, spy agencies and a country that's a pariah to much of the world. The only problem with the story is that it's almost entirely speculation.

Here's what we do know: Stuxnet is an Internet worm that infects Windows computers. It primarily spreads via USB sticks, which allows it to get into computers and networks not normally connected to the Internet. Once inside a network, it uses a variety of mechanisms to propagate to other machines within that network and gain privilege once it has infected those machines. These mechanisms include both known and patched vulnerabilities, and four "zero-day exploits": vulnerabilities that were unknown and unpatched when the worm was released. (All the infection vulnerabilities have since been patched.)

Stuxnet doesn't actually do anything on those infected Windows computers, because they're not the real target. What Stuxnet looks for is a particular model of Programmable Logic Controller (PLC) made by Siemens (the press often refers to these as SCADA systems, which is technically incorrect). These are small embedded industrial control systems that run all sorts of automated processes: on factory floors, in chemical plants, in oil refineries, at pipelines--and, yes, in nuclear power plants. These PLCs are often controlled by computers, and Stuxnet looks for Siemens SIMATIC WinCC/Step 7 controller software.

If it doesn't find one, it does nothing. If it does, it infects it using yet another unknown and unpatched vulnerability, this one in the controller software. Then it reads and changes particular bits of data in the controlled PLCs. It's impossible to predict the effects of this without knowing what the PLC is doing and how it is programmed, and that programming can be unique based on the application. But the changes are very specific, leading many to believe that Stuxnet is targeting a specific PLC, or a specific group of PLCs, performing a specific function in a specific location--and that Stuxnet's authors knew exactly what they were targeting.

It's already infected more than 50,000 Windows computers, and Siemens has reported 14 infected control systems, many in Germany. (These numbers were certainly out of date as soon as I typed them.) We don't know of any physical damage Stuxnet has caused, although there are rumors that it was responsible for the failure of India's INSAT-4B satellite in July. We believe that it did infect the Bushehr plant.

All the anti-virus programs detect and remove Stuxnet from Windows systems.

Stuxnet was first discovered in late June, although there's speculation that it was released a year earlier. As worms go, it's very complex and got more complex over time. In addition to the multiple vulnerabilities that it exploits, it installs its own driver into Windows. These have to be signed, of course, but Stuxnet used a stolen legitimate certificate. Interestingly, the stolen certificate was revoked on July 16, and a Stuxnet variant with a different stolen certificate was discovered on July 17.

Over time the attackers swapped out modules that didn't work and replaced them with new ones--perhaps as Stuxnet made its way to its intended target. Those certificates first appeared in January. USB propagation, in March.

Stuxnet has two ways to update itself. It checks back to two control servers, one in Malaysia and the other in Denmark, but also uses a peer-to-peer update system: When two Stuxnet infections encounter each other, they compare versions and make sure they both have the most recent one. It also has a kill date of June 24, 2012. On that date, the worm will stop spreading and delete itself.

We don't know who wrote Stuxnet. We don't know why. We don't know what the target is, or if Stuxnet reached it. But you can see why there is so much speculation that it was created by a government.

Stuxnet doesn't act like a criminal worm. It doesn't spread indiscriminately. It doesn't steal credit card information or account login credentials. It doesn't herd infected computers into a botnet. It uses multiple zero-day vulnerabilities. A criminal group would be smarter to create different worm variants and use one in each. Stuxnet performs sabotage. It doesn't threaten sabotage, like a criminal organization intent on extortion might.

Stuxnet was expensive to create. Estimates are that it took 8 to 10 people six months to write. There's also the lab setup--surely any organization that goes to all this trouble would test the thing before releasing it--and the intelligence gathering to know exactly how to target it. Additionally, zero-day exploits are valuable. They're hard to find, and they can only be used once. Whoever wrote Stuxnet was willing to spend a lot of money to ensure that whatever job it was intended to do would be done.

None of this points to the Bushehr nuclear power plant in Iran, though. Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory "highly speculative," and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates--India, Indonesia, and Pakistan--are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Once a theory takes hold, though, it's easy to find more evidence. The word "myrtus" appears in the worm: an artifact that the compiler left, possibly by accident. That's the myrtle plant. Of course, that doesn't mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. "Hadassah" means "myrtle" in Hebrew.

Stuxnet also sets a registry value of "19790509" to alert new copies of Stuxnet that the computer has already been infected. It's rather obviously a date, but instead of looking at the gazillion things--large and small--that happened on that the date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.

Sure, these markers could point to Israel as the author. On the other hand, Stuxnet's authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it's impossible to know when to stop.

Another number found in Stuxnet is 0xDEADF007. Perhaps that means "Dead Fool" or "Dead Foot," a term that refers to an airplane engine failure. Perhaps this means Stuxnet is trying to cause the targeted system to fail. Or perhaps not. Still, a targeted worm designed to cause a specific sabotage seems to be the most likely explanation.

If that's the case, why is Stuxnet so sloppily targeted? Why doesn't Stuxnet erase itself when it realizes it's not in the targeted network? When it infects a network via USB stick, it's supposed to only spread to three additional computers and to erase itself after 21 days--but it doesn't do that. A mistake in programming, or a feature in the code not enabled? Maybe we're not supposed to reverse engineer the target. By allowing Stuxnet to spread globally, its authors committed collateral damage worldwide. From a foreign policy perspective, that seems dumb. But maybe Stuxnet's authors didn't care.

My guess is that Stuxnet's authors, and its target, will forever remain a mystery.

This essay originally appeared on Forbes.com.

My alternate explanations for Stuxnet were cut from the essay. Here they are:

* A research project that got out of control. Researchers have accidentally released worms before. But given the press, and the fact that any researcher working on something like this would be talking to friends, colleagues, and his advisor, I would expect someone to have outed him by now, especially if it was done by a team.

* A criminal worm designed to demonstrate a capability. Sure, that's possible. Stuxnet could be a prelude to extortion. But I think a cheaper demonstration would be just as effective. Then again, maybe not.

* A message. It's hard to speculate any further, because we don't know who the message is for, or its context. Presumably the intended recipient would know. Maybe it's a "look what we can do" message. Or an "if you don't listen to us, we'll do worse next time" message. Again, it's a very expensive message, but maybe one of the pieces of the message is "we have so many resources that we can burn four or five man-years of effort and four zero-day vulnerabilities just for the fun of it." If that message were for me, I'd be impressed.

* A worm released by the U.S. military to scare the government into giving it more budget and power over cybersecurity. Nah, that sort of conspiracy is much more common in fiction than in real life.

Note that some of these alternate explanations overlap.

EDITED TO ADD (10/7): Symantec published a very detailed analysis. It seems like one of the zero-day vulnerabilities wasn't a zero-day after all. Good CNet article. More speculation, without any evidence. Decent debunking. Alternate theory, that the target was the uranium centrifuges in Natanz, Iran.

Citation :

BERLIN | Mon Dec 27, 2010 11:28am EST

BERLIN (Reuters) - Germany will create a new cyber-warfare defense center next year to fight off espionage attacks, the German interior ministry said.

"We plan to create a so-called 'National Cyber-Defense Centre' in 2011," a spokesman told reporters on Monday. "It will work by bundling existing know-how in the area of cyber defense."

As computer systems become more important to control essential services, from power grids to banking, computerized attacks are seen as becoming as important a part of nations' arsenals as conventional or nuclear weaponry.

Britain announced a 650-million-pound ($1 billion) programme last month, labeling cyber security a key priority despite broad cuts to government spending, including on defense.

Several Western security experts believe one computer worm, known as Stuxnet, may have been created by a national counterterrorism authority intent on crippling Iran's nuclear programme by sabotaging the industrial control system at its atomic energy plant in Bushehr.

(Reporting by Rene Wagner and Christiaan Hetzner)

http://www.reuters.com/article/idUSTRE6BQ2JF20101227
http://www.spiegel.de/international/germany/0,1518,606987,00.html

Citation :

Stuxnet retaliation: What if Iran isn’t bluffing?

It is no secret that Iran and others have openly blamed the United States, Britain and Israel for the Stuxnet attack that struck the Iranian nuclear enrichment program in 2010. Given the unique characteristics of this cyberattack, there is little hard evidence to support those accusations. Once again the problem of attribution comes into play, and there is no chance we will solve the attribution issue any time soon. However, that has not stopped the relentless accusations and rhetoric. Just recently the rhetoric has been taken to a new height.

The Islamic Republic is committed "to fight our enemies with abundant power in cyberspace and Internet warfare," said Brig. Gen. Gholamreza Jalali, who leads Iran’s Passive Defense Organization. Iran has a well-known reputation for attacking websites of the Mossad, FBI and others. A few months back, news started filtering out about Iran’s plan for a retaliatory strike against those behind Stuxnet. This information was reinforced when Iranian officials spoke of a new cyber soldier recruitment program to acquire the skills and capabilities of volunteer hackers and those in academia. One unconfirmed piece of information that surfaced claims the Iranian volunteer cyber soldiers may be paid up to $10,000 per month for their services, which is very lucrative income in Iran these days.

Some question the quality of this resource pool, but do we really want to take the chance? The answer to that question is easy: no. We should immediately review our cyber defenses, and our plans and capabilities to strike Iran to be prepared when and if we need to retaliate.

Posted by Kevin Coleman on Mar 17, 2011

http://defensesystems.com/blogs/digital-conflict/2011/03/iran-threatens-stuxnet-retaliation.aspx

Citation :

La guerre secrète contre l'Iran retarde la bombe
Par Isabelle Lasserre
19/01/2011
Le virus informatique Stuxnet, réputé avoir provoqué l'arrêt d'un cinquième des centrifugeuses atomiques installées par Téhéran, aurait été mis au point par Israël et les États-Unis.

«Nous sommes en guerre contre l'Iran. La plus grande partie de cette guerre est clandestine. Et les deux parties ont intérêt à ce qu'elle reste secrète », affirmait mardi Efraim Halevy, ancien directeur du Mossad, les services de renseignements israéliens, invité du Center of Political and Foreign Affairs (CPFA). Cette «guerre secrète», dont il ne dévoile pas les détails, s'incarne, pour les observateurs de la scène iranienne, par un virus nommé Stuxnet, dressé pour dévorer, ou au moins blesser, le programme nucléaire iranien. En infectant un logiciel Siemens utilisé par ce programme, il a entrepris de saboter le fonctionnement des centrifugeuses iraniennes produisant de l'uranium enrichi.

Restées jusqu'à présent très discrètes sur le sujet, assurant que les dégâts de Stuxnet avaient été limités, les autorités iraniennes ont récemment accusé les États-Unis, par la voix du négociateur Saeed Jalili, d'être derrière cette cyber­attaque aussi puissante que sophistiquée. Dans un article paru samedi, le New York Times affirme que les services de renseignements américains et israéliens ont collaboré au développement du virus. Citant des experts militaires, le quotidien révèle même que l'efficacité de Stuxnet a été testée à Dimona, dans le complexe qui abrite, au milieu du désert du Neguev, le programme atomique non déclaré israélien.

En novembre dernier, le virus informatique aurait, selon des spécialistes, provoqué l'arrêt d'un cinquième des centrifugeuses et retardé la capacité iranienne à fabriquer ses premières bombes atomiques. À l'œuvre depuis deux ans, Stuxnet continue à agir. Mais d'autres moyens, les sanctions notamment, sont utilisés pour faire fléchir Téhéran. Les scientifiques nucléaires iraniens sont parfois la cible d'attaques ciblées. Après l'assassinat, en janvier 2010 à Téhéran, du scientifique Massoud Ali Mohammadi, le ministère des Affaires étrangères iranien a récemment fait savoir son intention de porter plainte contre Israël.

Plusieurs années de répit

Pendant longtemps, les grandes agences de renseignements travaillant sur le programme nucléaire iranien avaient considéré la fin de l'année 2009 comme une ligne rouge. Au-delà, prévenaient-ils, il ne sera plus guère possible d'empêcher l'avènement de la bombe iranienne. Ensuite, plus rien. Après une rapide progression des activités d'enrichissement en 2007 et 2008,les travaux nucléaires iraniens semblent avoir été ralentis. Et certains de ces mêmes experts affirment aujourd'hui que l'Iran pourrait ne pas arriver à ses fins avant 2012, ou même 2015. «Nous avons plus de temps que nous le pensions», reconnaît le général Michael Hayden, ancien directeur de la CIA. Faisant état de récentes «difficultés», le ministre des Affaires étrangères israélien, Moshe Yaalon, a récemment affirmé que l'accession de Téhéran au statut atomique avait été retardée de plusieurs années. Au début du mois, Israël a officiellement revu son évaluation des progrès nucléaires des Iraniens, estimant, «grâce aux mesures déployées contre eux», bénéficier de quatre années supplémentaires.

Régulièrement agitée en Israël, où l'armée s'entraîne à cette perspective, l'option d'une frappe militaire contre les installations nucléaires iraniennes semble donc s'éloigner. Trop compliquée, trop risquée et trop peu soutenue par Washington qui, du temps de l'Administration Bush déjà, avait refusé aux Israéliens la possibilité d'utiliser l'espace aérien irakien en cas d'attaque contre l'Iran. À Tel-Aviv, certains vont même jusqu'à dire que le programme nucléaire iranien «ne représente plus, pour l'instant, une menace existentielle pour l'État d'Israël». Quant au chef d'état-major de l'armée, le général Gabi Ashkenazi, il s'est dit persuadé il y a quelques jours que «commencer une guerre n'apportera que le désastre à Israël».

Ces nouveaux développements redonnent du temps, ainsi qu'une chance nouvelle, à la diplomatie, qui montrait pourtant ses limites dans le dossier nucléaire iranien.

Néanmoins, cette vision optimiste n'est pas partagée par tout le monde en Israël. Au sein du pouvoir, de nombreux responsables politiques et militaires considèrent toujours le programme nucléaire iranien comme une menace mortelle pour le jeune État. En tout état de cause, affirme une source israélienne proche du dossier : «Il est salutaire que les Iraniens pensent que nous pouvons utiliser la force contre eux.»

http://www.lefigaro.fr/international/2011/01/18/01003-20110118ARTFIG00764-la-guerre-secrete-contre-l-iran-retarde-la-bombe.php

Citation :

Lockheed Martin hit by cyber attack

Hackers launched a "significant and tenacious" cyber attack on US defence contractor Lockheed Martin, which holds highly sensitive information, but its secrets remained safe, the company said today.

Lockheed Martin, the Department of Homeland Security and the Pentagon confirmed that the contractor's information systems had come under attack.

Lt Col April Cunningham, speaking for the Defence Department, said the impact on the Pentagon "is minimal and we don't expect any adverse effect".

Still, the concerted attempt to breach the contractor's systems underscored the risk to the nation's critical defence data.

Chris Ortman, Homeland Security spokesman, said his agency and the Pentagon were working with the company to determine the breadth of the attack and "provide recommendations to mitigate further risk".

Lockheed Martin said it detected the May 21 attack "almost immediately" and took counter-measures. As a result, "our systems remain secure; no customer, programme or employee personal data has been compromised".

The company's security team is still working to restore employee access to the targeted network. Neither Lockheed Martin nor the government agencies revealed specifics of the attack.

http://www.independent.co.uk/news/world/americas/lockheed-martin-hit-by-cyber-attack-2290675.html

Citation :

Lockheed Martin piraté : les tokens de RSA/SecurID en cause ?
informatique, mais affirme l'avoir maîtrisée. La piste de l'usage d'un jeton d'authentification de RSA / EMC est évoquée.

Publié le 30/05/2011, 13h25


Lockheed Martin a confirmé avoir été victime d'une "attaque significative et tenace" contre son système d'information. La société, qui a notamment de nombreux contrats avec la Défense américaine, affirme que son équipe dédiée à la sécurité de son système d'information a détecté l'attaque "presque immédiatement", et a pris des mesures énergiques pour la parer. Cela lui permet d'affirmer que son système est resté sûr. Le groupe s'est voulu rassurant en affirmant qu'"aucune donnée concernant un client, un programme ou un employé n'a été compromise".

Citant une source proche du dossier, l'agence Reuters affirme de son côté que les pirates informatiques ont pénétré les systèmes de sécurité de Lockheed Martin mais aussi d'autres groupes de défense. Selon cette même source, les pirates se seraient introduits en dupliquant les tokens fournis par le service SecurID de RSA. Cette filiale d'EMC avait raconté les détails de l'attaque dont elle avait été victime en mars, qui s'était soldée par une fuite de données (lire notre entretien du directeur technique de RSA à ce sujet). EMC ne s'est pas encore publiquement exprimé sur l'attaque de Lockheed Martin.

Lockheed Martin est l'un des plus gros groupes de l'industrie de la défense au monde. Le groupe commercialise notamment des missiles et divers avions (chasseurs F-16, F-22, F-35, Hercules C-130, avions espions P-3 Orion, etc). La société compte près de 126 000 employés, et affiche plus de 45 milliards de dollars de chiffre d'affaires annuel.

Source

premiere partie sur les drones ensuite sur les cyber attaque

Citation :

Lockheed/piratage: clés remplacées

L'entreprise américaine de logiciels et de systèmes de stockage EMC a proposé de remplacer des millions de clés de sécurité électroniques après que le réseau de Lockheed Martin a été piraté avec l'aide de données volées à RSA, filiale d'EMC.

Le réseau informatique de Lockheed Martin, le premier fournisseur d'armement et de technologie militaire du gouvernement américain, a en effet été attaqué par des pirates le mois dernier. RSA, la division spécialisée dans les systèmes de sécurité du groupe EMC avec les clés SecurID, a confirmé sur son site internet que des informations confidentielles qui lui avaient été volées en mars ont servi à l'attaque menée sur le réseau de Lockheed.

EMC a proposé de remplacer les clés de sécurité électroniques des clients qui en font la demande, a dit à Reuters un porte-parole de la compagnie.

figaro

Une tres long et interessant article sur la decouverte de Stuxnet, le virus/trojan qui a frappe tout particulierement l'Iran.

Article trop long a poster, SVP jeter un coup d'oeil par ici:

http://www.wired.com/threatlevel/2011/07/how-digital-detectives-deciphered-stuxnet/



Bonne Lecture

http://arstechnica.com/security/news/2011/08/serious-security-holes-found-in-siemens-control-systems-targeted-by-stuxnet.ars

Citation :

LAS VEGAS—A security researcher has uncovered a slew of vulnerabilities in Siemens industrial control systems, including a hardcoded password, that would let attackers reprogram the systems with malicious commands to sabotage critical infrastructures and even lock out legitimate administrators.

The vulnerabilities exist in several models of Siemens programmable logic controllers, or PLCs—the same devices that were targeted by the Stuxnet superworm and that are used in nuclear facilities and other critical infrastructures, as well as in commercial manufacturing plants that make everything from pharmaceuticals to automobiles.

Stuxnet was discovered on systems in Iran last year and is believed to have been aimed at destroying uranium-enrichment centrifuges at the Natanz nuclear facility in that country. It targeted Siemens Simatic Step7 software, which is used to monitor and program Siemens PLCs. It then intercepted legitimate commands going from the Step7 system to PLCs and replaced them with malicious commands aimed at sabotaging processes controlled by the PLC; in this case the spinning of centrifuges.

The newly discovered vulnerabilities go a step further than Stuxnet, however, in that they allow an attacker to communicate directly with a Siemens PLC without needing to compromise, or even use, the Step7 software.

One of the most serious security holes is a six-letter hardcoded username and password—“Basisk”; “Basisk”—that Siemens engineers had left embedded in some versions of firmware on its S7-300 PLC model. The credentials are effectively a backdoor into the PLC that yield a command shell, allowing an attacker to dump the device’s memory—in order to map the entire control system and devices connected to it—and reprogram the unit at will.


“I was able to log in via Telnet and http, which allowed me to dump memory, delete files and execute commands,” says Dillon Beresford, the security researcher with NSS Labs who discovered the password, and at least a dozen more subtle security holes.

Beresford, a security researcher with NSS Labs, had planned to discuss a few of the vulnerabilities at TakeDownCon in Texas in May, but pulled the talk at the last minute after Siemens and the Department of Homeland Security expressed concern about disclosing the security holes before Siemens could patch them.

Since then, he discovered additional vulnerabilities in several models of Siemens PLCs that would variously allow attackers to bypass authentication protection in the PLCs and reprogram them, or issue a “stop” command to halt them. They all require the attacker to have access to the network on which the PLCs run. That might be accomplished by infecting a legitimate computer on the network, such as with a phishing attack targeted at an employee, or through an infected USB stick—the method Stuxnet used.

Beresford will be presenting his findings on Wednesday at the Black Hat security conference in Las Vegas, but spoke with Threat Level in advance of his talk.

He’s been working with DHS’s Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, to validate and disclose the vulnerabilities and plans to withhold some information, as well as actual exploit code, until Siemens has a chance to patch the vulnerabilities that can be fixed. Not all of the vulnerabilities affect every model. Some of the vulnerabilities are inherent in the architecture of the systems and would require more than a patch.

One of the main vulnerabilities, he says, is that the systems have no defense against a so-called “replay attack”. An attacker could intercept commands going from any Step7 control system to any PLC—including a system in his own lab that he controls—and later play them back to any other PLC.

The attacker, for example, can capture a CPU “stop” command going from his own Step7 engineering workstation to his PLC, then replay the command back to another PLC to shut it down. He could also sabotage whatever the PLC is controlling by replaying malicious commands that would, for example, cause the speed of motors or rotors to increase on a centrifuge or cause valves to open or close on a pipeline.

“If I could only replay the same traffic into my own PLC, that would constitute a vulnerability,” Beresford said. “The fact that I can record traffic going to and from my own PLC, and play them back to any PLC, that’s what makes it a big issue.”

Generally, this kind of captured traffic should have a session ID that expires. But the Siemens PLC session never expires, Beresford said, so an attacker can use the captured traffic repeatedly, unless the PLC he’s attacking crashes and an administrator physically re-cycles it and then issues a “run” command to restart it.

Last May, Beresford revealed that he could conduct the replay attack against Siemens S7-1200 PLC model. Siemens said at the time that it believed the flaw did not affect other models of its PLCs, and last month the company announced that it had fixed the flaw in the S7-1200. But Beresford found that the flaw also exists in the S7-200, S7-300 and S7-400 models of Siemens PLCs.

It’s possible for an attacker to communicate directly with the PLC, without needing to use Siemens Step7 system, because Siemens’ PLCs don’t restrict or otherwise limit which computers communicate with them. There are no rules in the PLC limiting traffic or commands to specific IP addresses or to specific computers with Step7 installed on them, Beresford said. The PLCs also do not keep logs to identify the computers that send them commands, so trying to identify the source of a malicious command a PLC received would be difficult.

Siemens did not respond to a request for specific comment about the vulnerabilities but said the company had sent several representatives to the BlackHat conference and is working with Beresford to understand and patch the vulnerabilities.

“ICS-CERT and Siemens have issued technical alerts/updates on this topic, and will continue to do so on an as-needed basis,” said Frank Garrabrant from Siemens SIMATIC Security Industry Automation Division, in a written statement.

Previously, Siemens has asserted that the attacks Beresford describes could be thwarted by air-gapping PLCs and their control computers from the Internet. But according to Vik Phatak, CTO of NSS Labs, not all companies have a complete understanding of what constitutes an air-gapped system.

“We’ve talked to a number of different companies that have told us that their version of an air-gapped network [means] there’s no inbound connection, but they definitely have outbound connections to the Internet for their employees,” Phatak said.

Even air-gapping a system would not work if someone plugged removable media containing malware into the system.

The only thing on the PLCs that would prevent an attacker on the network from communicating directly with the devices is an authenticated packet that passes from the Step7 machine to the PLC. But Beresford found a way to bypass this authentication protection.

Step7 machines authenticate themselves to a PLC using a hash generated from a password. The hash is stored inside a project file that gets sent from the Step7 machine to a PLC. If the hash matches a hash stored on the PLC, a switch on the PLC is flipped that allows a programmer to then read and write to the PLC. Beresford found that he could bypass this by capturing the authentication packet and replaying it to a PLC.

“If you capture it, you have the authenticated packet, there’s nothing the PLC can do to stop you,” Beresford said.

Beresford could also do a replay attack to disable the authentication protection on a PLC. He’d simply issue a command to his own PLC to disable the password protection, then capture that command as it passed to his PLC and replay it to the PLC he wanted to attack.

“I can even change their password, so if I wanted to lock them out of their own PLC I could do that as well,” he said.

To find a PLC on a network, an intruder could introduce malware designed to scan the network for any devices operating on port 102—the port the PLCs use to communicate—and map all of the PLCs on a network in order to attack them all, or target specific ones.

As for the hard-coded password, “Basisk,” that he found in the S7-300 firmware, Beresford says it was obfuscated by a basic shift sequence that involved swapping characters and shifting them to the right. It took him two and a half hours to decode the password. Beresford could only confirm that the hardcoded password existed in a specific version of the firmware on his S7-300 PLC—firmware version 2.3.4.

The credential would give a user command shell access on the PLC, allowing someone to reprogram the PLC or otherwise completely control it. The password also gives access to a memory dumping tool that would allow an attacker to dump memory from the PLC in real time in order to gather intelligence on the PLC to devise a targeted attack.

He found he could dump SDRAM, uncached and cached, NOR flash, as well as other parts of RAM and scratchpad data. He could also obtain the serial numbers and tag names of devices connected to the PLC. All of these would allow an attacker to discover new vulnerabilities in the system and to determine what’s connected to the PLC and what normal operating conditions exist for those devices in order to design a worm like Stuxnet to attack them. An attacker could also write a worm that copied itself to a PLC—so that anyone who communicated with the PLC would be infected—or use the PLC to launch attacks against other machines on the same network.

Siemens has acknowledged that the password existed and said that developers had put it in the system for testing purposes, but then forgot to remove it.

ICS-CERT has issued an alert about the password (.pdf). According to the alert, Siemens discovered the password in 2009 and removed it from subsequent systems. But anyone using pre-2009 versions of the S7-300 firmware would likely still have the password installed.

“Anything before October 2009, for the PLCs, in terms of the S7-300, would be affected by the hardcoded password,” Beresford said.

Finally, Beresford also found an Easter egg in two versions of the S7-300 PLC firmware—versions 2.3.2 and 2.3.4. It’s an html file that depicts a handful of dancing chimpanzees and a German proverb that is the equivalent of the English phrase, “All work and no play makes Jack a dull boy.”

Siemens was not aware the Easter egg was in the firmware. “They weren’t exactly happy,” Beresford said. “Considering where these devices are deployed, they didn’t think it was very funny.”

While the Easter egg may have simply been a developer’s idea of fun, Beresford says he’s still examining it to see if it’s possible to send commands through the html page back to the PLC.

Siemens is beginning to move out patches for some of the vulnerabilities this week, but others will take longer.

Image courtesy of NSS Labs

Siemens equipe un nombre considerable de compagnies d'infrastructure (nucleaire, electrique, assinissement...).

Citation :

Key Project
In Morocco, the Office National des Chemins de Fer (ONCF) awarded Siemens its rail transportation project. The scope of the project includes engineering, supplying, parameter settings, installation works, testing and setting up a system of board equipment speed control. In the Energy Sector, Siemens won several top contracts, so the Power Transmission and Power Distribution Divisions have the mandate to modernize a control center for Rabat city and to deliver two new control centers for the cities of Tangier and Tetouan.

http://www.siemens.com/about/en/worldwide/morocco_1154649.htm

http://www.siemens.ma/en/siemens-in-morocco/history.htm

http://blogs.mcafee.com/mcafee-labs/revealed-operation-shady-rat
http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf

Citation :

Revealed: Operation Shady RAT
Tuesday, August 2, 2011 at 9:14pm by Dmitri Alperovitch
Download the PDF version of Operation Shady RAT report


For the last few years, especially since the public revelation of Operation Aurora, the targeted successful intrusion into Google and two dozen other companies, I have often been asked by our worldwide customers if they should worry about such sophisticated penetrations themselves or if that is a concern only for government agencies, defense contractors, and perhaps Google. My answer in almost all cases has been unequivocal: absolutely.

Having investigated intrusions such as Operation Aurora and Night Dragon (systemic long-term compromise of Western oil and gas industry), as well as numerous others that have not been disclosed publicly, I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

Lately, with the rash of revelations about attacks on organizations such as RSA, Lockheed Martin, Sony, PBS, and others, I have been asked by surprised reporters and customers whether the rate of intrusions is increasing and if it is a new phenomenon. I find the question ironic because these types of exploitations have occurred relentlessly for at least a half decade, and the majority of the recent disclosures in the last six months have, in fact, been a result of relatively unsophisticated and opportunistic exploitations for the sake of notoriety by loosely organized political hacktivist groups such as Anonymous and Lulzsec. On the other hand, the targeted compromises — known as ‘Advanced Persistent Threats (APTs)’ (although this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT) — we are focused on are much more insidious and occur largely without public disclosures. They present a far greater threat to companies and governments, as the adversary is tenaciously persistent in achieving their objectives. The key to these intrusions is that the adversary is motivated by a massive hunger for secrets and intellectual property; this is different from the immediate financial gratification that drives much of cybercrime, another serious but more manageable threat.

What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.

What is happening to all this data — by now reaching petabytes as a whole — is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information.

Yet, the public (and often the industry) understanding of this significant national security threat is largely minimal due to the very limited number of voluntary disclosures by victims of intrusion activity compared to the actual number of compromises that take place. With the goal of raising the level of public awareness today we are publishing the most comprehensive analysis ever revealed of victim profiles from a five year targeted operation by one specific actor — Operation Shady RAT, as I have named it at McAfee (RAT is a common acronym in the industry which stands for Remote Access Tool).

This is not a new attack, and the vast majority of the victims have long since remediated these specific infections (although whether most realized the seriousness of the intrusion or simply cleaned up the infected machine without further analysis into the data loss is an open question). McAfee has detected the malware variants and other relevant indicators for years with Generic Downloader.x and Generic BackDoor.t heuristic signatures (those who have had prior experience with this specific adversary may recognize it by the use of encrypted HTML comments in web pages that serve as a command channel to the infected machine).

McAfee has gained access to one specific Command & Control server used by the intruders. We have collected logs that reveal the full extent of the victim population since mid-2006 when the log collection began. Note that the actual intrusion activity may have begun well before that time but that is the earliest evidence we have for the start of the compromises. The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.

After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators. Although we will refrain from explicitly identifying most of the victims, describing only their general industry, we feel that naming names is warranted in certain cases, not with the goal of attracting attention to a specific victim organization, but to reinforce the fact that virtually everyone is falling prey to these intrusions, regardless of whether they are the United Nations, a multinational Fortune 100 company, a small non-profit think-tank, a national Olympic team, or even an unfortunate computer security firm.

In all, we identified 72 compromised parties (many more were present in the logs but without sufficient information to accurately identify them). Of these, the breakdown of 32 unique organization categories follows:




And for those who believe these compromises occur only in the United States, Canada and Europe, allow me change that perception with the following statistics on 14 geographic locations of the targets:




The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks. The presence of political non-profits, such as the a private western organization focused on promotion of democracy around the globe or U.S. national security think tank is also quite illuminating. Hacking the United Nations or the ASEAN (Association of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains.

Another fascinating aspect that the logs have revealed to us has been the changing tasking orders of the perpetrators as the years have gone by. In 2006, the year that the logs begin, we saw only eight intrusions: two on South Korean steel and construction companies, and one each on a South Korean Government agency, a Department of Energy Research Laboratory, a U.S. real-estate firm, international trade organizations of an Asian and Western nations and the ASEAN Secretariat. (That last intrusion began in October, a month prior to the organization’s annual summit in Singapore, and continued for another 10 months.) In 2007, the pace of activity jumped by a whopping 260 percent to a total of 29 victim organizations. That year we began to see new compromises of no fewer than four U.S. defense contractors, Vietnam’s government-owned technology company, US federal government agency, several U.S. state and county governments, and one computer network security company. The compromises of the Olympic Committees of two nations in Asia and one Western country began that year as well. In 2008, the count went up further to 36 victims, including the United Nations and the World Anti-Doping Agency, and to 38 in 2009. Then the number of intrusions fell to 17 in 2010 and to 9 in 2011, likely due to the widespread availability of the countermeasures for the specific intrusion indicators used by this specific actor. These measures caused the perpetrator to adapt and increasingly employ a new set of implant families and command & control infrastructure (and causing activity to disappear from the logs we have analyzed). Even news media was not immune to the targeting, with one major U.S. news organization compromised at its New York Headquarters and Hong Kong Bureau for more than 21 months.

The shortest time that an organization remained compromised was less than a single month; nine share that honor: International Olympic Committee (IOC), Vietnam’s government-owned technology company, trade organization of a nation in Asia, one Canadian government agency, one US defense contractor, one US general government contractor, one US state and one county government, and a US accounting firm. I must, however, caution that this may not necessarily be an indication of the rapid reaction of information security teams in those organizations, but perhaps merely evidence that the actor was interested only in a quick smash and grab operation that did not require a persistent compromise of the victim. The longest compromise was recorded at an Olympic Committee of a nation in Asia; it lasted on and off for 28 months, finally terminating in January 2010.

Below is the complete list of all 72 targets, with country of origin, start date of the initial compromise and duration of the intrusions:

Victim Country Intrusion Start Date Intrusion Duration (Months)
South Korean Construction Company South Korea July 2006 17
South Korean Steel Company South Korea July 2006 11
Department of Energy Research Laboratory USA July 2006 3
Trade Organization Country in Asia July 2006 1
South Korean Government Agency South Korea August 2006 27
U.S. International Trade Organization USA September 2006 12
ASEAN (Association of Southeast Asian Nations) Secretariat Indonesia October 2006 10
U.S. Real-Estate Firm #1 USA November 2006 8
Vietnam’s Government-owned Technology Company Vietnam March 2007 1
U.S. Real-Estate Firm #2 USA April 2007 17
U.S. Defense Contractor #1 USA May 2007 21
U.S. Defense Contractor #2 USA May 2007 20
U.S. Northern California County Government USA June 2007 7
U.S. Southern California County Government USA June 2007 24
U.S. State Government #1 USA July 2007 6
U.S. Federal Government Agency #1 USA July 2007 8
Olympic Committee of Asian Country #1 Country in Asia July 2007 28
U.S. State Government #2 USA August 2007 1
U.S. State Government #3 USA August 2007 25
U.S. Federal Government Agency #2 USA August 2007 7
Olympic Committee of Western Country Western Country August 2007 7
Taiwanese Electronics Company Taiwan September 2007 8
U.S. Federal Government Agency #3 USA September 2007 4
U.S. Federal Government Agency #4 USA September 2007 8
Western Non-profit Democracy-promoting Organization Western Country September 2007 4
Olympic Committee of Asian Country #2 Country in Asia September 2007 7
International Olympic Committee Switzerland November 2007 1
U.S. Defense Contractor #3 USA November 2007 7
U.S. Network Security Company USA December 2007 3
U.S. Defense Contractor #4 USA December 2007 7
U.S. Accounting Firm USA January 2008 1
U.S. Electronics Company USA February 2008 13
UK Computer Security Company United Kingdom February 2008 6
U.S. National Security Think Tank USA February 2008 20
U.S. Defense Contractor #5 USA February 2008 9
U.S. Defense Contractor #6 USA February 2008 2
U.S. State Government #4 USA April 2008 2
Taiwan Government Agency Taiwan April 2008 8
U.S. Government Contractor #1 USA April 2008 1
U.S. Information Technology Company USA April 2008 7
U.S. Defense Contractor #7 USA April 2008 16
U.S. Construction Company #1 USA May 2008 19
U.S. Information Services Company USA May 2008 6
Canadian Information Technology Company Canada July 2008 4
U.S. National Security Non-Profit USA July 2008 8
Denmark Satellite Communications Company Denmark August 2008 6
United Nations Switzerland September 2008 20
Singapore Electronics Company Singapore November 2008 4
U.K. Defense Contractor United Kingdom January 2009 12
U.S. Satellite Communications Company USA February 2009 25
U.S. Natural Gas Wholesale Company USA March 2009 7
U.S. Nevada County Government USA April 2009 1
U.S. State Government #5 USA April 2009 3
U.S. Agricultural Trade Organization USA May 2009 3
U.S. Construction Company #2 USA May 2009 4
U.S. Communications Technology Company USA May 2009 7
U.S. Defense Contractor #8 USA May 2009 4
U.S. Defense Contractor #9 USA May 2009 3
U.S. Defense Contractor #10 USA June 2009 11
U.S. News Organization, Headquarters USA August 2009 8
U.S. News Organization, Hong Kong Bureau Hong Kong August 2009 21
U.S. Insurance Association USA August 2009 3
World Anti-Doping Agency Canada August 2009 14
German Accounting Firm Germany September 2009 10
U.S. Solar Power Energy Company USA September 2009 4
Canadian Government Agency #1 Canada October 2009 6
U.S. Government Organization #5 USA November 2009 2
U.S. Defense Contractor #11 USA December 2009 2
U.S. Defense Contractor #12 USA December 2009 1
Canadian Government Agency #2 Canada January 2010 1
U.S. Think-Tank USA April 2010 13
Indian Government Agency India September 2010 2

Below are the complete timelines for each year of intrusion activity. It could be an interesting exercise to map some of these specific compromises to various geopolitical events that occurred around these times (The gaps in the timelines for continuous infections at specific victims may not necessarily be an indication of a successful cleanup before a new reinfection, but rather an artifact of our log collection process that did not mark every activity that occurred on the adversary’s infrastructure, potentially leading to these gaps in the data)


Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.

Dmitri

P.S. I would like to thank Adam Meyers for the invaluable support and assistance he provided to us during this investigation

You can follow Dmitri Alperovitch, McAfee’s VP of Threat Research, on Twitter at http://twitter.com/DmitriCyber

La Chine a encore frappe sans que personne ne puisse la pointer du doit

tu crois que tous les siemens auraient cette "faille" ou seulement ciblés dans certains pays?

Yakuza a écrit:

tu crois que tous les siemens auraient cette "faille" ou seulement ciblés dans certains pays?

Selon cet article:

Citation :

Last May, Beresford revealed that he could conduct the replay attack against Siemens S7-1200 PLC model. Siemens said at the time that it believed the flaw did not affect other models of its PLCs, and last month the company announced that it had fixed the flaw in the S7-1200. But Beresford found that the flaw also exists in the S7-200, S7-300 and S7-400 models of Siemens PLCs.

Citation :

“Anything before October 2009, for the PLCs, in terms of the S7-300, would be affected by the hardcoded password,” Beresford said.

Au moins ceux la.


Le pattern d'infection de stuxnet pointe surtout vers l'Iran, mais des dommages collatereux sont non seulement inevitables, mais aussi a mon avis voulus: garder le flou sur la victime reelle en infectant "pas mechament" des pays "amis" ou aleatoires....


http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Considerant aussi que Stuxnet (et ses clones inevitables) n'a meme pas besoin de reposer sur le matos, car ils se servent du Simatic Step7 (llogiciel sous Windows utilise pour programmer et gerer les PLC Siens) comme couche d'abstraction pour modifier les parametres, comme le montre l'enquete de Wired (voir SVP 3 posts precedent, text trop gros malheseemnt pour le post), et causer des degats materiels.

En gros avec cette "decouverte", il y'a 2 moyens de s'attaquer aux PLC de Siemens:

-online/IP (telnet et http) pour certeins models et firmares specifiques.

-en differe en se servant du modus operandi de Stuxnet qui se propage comme un stupide worm "traditionnel", mais se servant tout de meme de tous les vecteurs: LAN/SMB/partage windows et/ou email et/ou clef USB, chose interessante car ce design prend en compte que le(s) reseau(x) cibles seront ultra-securise donc deconnectes du reste de l'Internet. L'etude de stuxnet a aussi revele que la charge utile du trojan n'est un un executable windows x86 ou x64 (comme le reste des virus criminels) mais ou bien des commandes Step7 (abstraits et independants du PLC Siemens) ou bien du language machine specifique a certains PLC Siemens. LE tout enfoui sous des couhes encryptee comme des poupee russes, possedant un canal de communication avec un serveur distant Command and Control (pour rendre le compte de l'infection et envoyer certaines infornmation d'identification prises dans les PC Hotes les plus interessants, une sorte d'acknowledgement que la cible est en vue), possedant al capacite de s'autodetruire (popur ne pas laisser de traces dans des PC "banals" apres s'etre replique et une certaine date limite. Les commandes Step7 enfouie dans stuxnet sont finement etudiee pour endommager sur le moyen terme, regulierement et doucement les instrument sous controle, comme les turbines dans le cas Iranien etudie sur Wired.

Bref, un travail d'agence d'etat, car aucun script kiddie ne peut coder une telle merveille, et aucun cracker ne peut monayer la destruction d'infrastructure comme il le ferait avec du spam. du sabotage pur et simple, en douce.

Les autres vecteurs d'attaque ont aussi gagne en finesse. Passe le temps du simple Phishing "enlarge your bidule". On est deja dans l'age du Spear Phising avec des message "officiels" parfaitement bien concus pour tromper des personnes ayant des postes de responsabilitees (utilisant des infections/piratage de l'infrastructure d'internet meme comme le DNS poisoning pour tromper les logiciles de securite).


http://www.us-cert.gov/control_systems/ics-cert/
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-204-01B.pdf



Aussi, Si les PLC Siemens sont vulnerables, il est probables que d'autres compagnies le soient egalement.
Si c'est le travail d'agences gouvernementales, il est inevitables qu'ils utilisent les Zero-day Exploits, CAD les failles decouvertes mais non declarees sur internet, que ce soit par des amateurs de celebrites ou des compagnies de securite. En gros, un faille toute fraiche entre les mais de ton ennemis.

http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/

Citation :

Researchers warn of SCADA equipment discoverable via Google

...

Acknowledging that he wouldn't click on any link results to avoid breaking the law by accessing a network without authorization, researcher Tom Parker typed in some search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing a "RTU pump status" for a Remote Terminal Unit, like those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password--"1234."
That's like putting up a billboard saying SCADA (Supervisory Control and Data Acquisition) system here and, oh by the way, here are the keys to the front door.

...
Read more: http://news.cnet.com/8301-27080_3-20087201-245/researchers-warn-of-scada-equipment-discoverable-via-google/#ixzz1UPACfvRU
....

http://www.pcworld.com/article/237347/a_power_plant_hack_that_anybody_could_use.html

Citation :

A Power Plant Hack That Anybody Could Use

merci pour cette explication informative tshaashh

Yakuza a écrit:

merci pour cette explication informative tshaashh

A votre service boss

Sur le meme theme:

http://www.wired.com/dangerroom/2011/08/problem-from-hell/
http://www.wired.com/dangerroom/2011/06/chips-oy-spies-want-to-hack-proof-circuits/#more-49990 (Fishy Chips: Spies Want to Hack-Proof Circuits)

Citation :

There are computer security threats — and then there are computer security nightmares. Put sabotaged circuits firmly in the second category. Last week, retired Gen. Michael Hayden, the former CIA and NSA chief, called the hazard of hacked hardware “the problem from hell.”

“Frankly, it’s not a problem that can be solved,” he added. “This is a condition that you have to manage.”

The Pentagon’s top research division is trying, however. Over the past two months, Darpa, has awarded nine contracts totaling $49 million for its Integrity and Reliability of Integrated Circuits (IRIS) program to check for compromised chips. Seven companies and two universities received the awards.

The Defense Department has been worried about foreign adversaries tampering with its hardware for a while now. The Pentagon now buys 1 percent of all the world’s integrated circuit production; America’s defense community simply uses too many to monitor them all. In 2005, a Defense Science Board report warned that foreign adversaries could slip back doors into chips(.pdf) destined for installation in important military gear.

The hacked circuits, the report said, could be tweaked to malfunction early or provide a de facto kill switch to a weapon system.

The IRIS program builds off a previous Darpa chip-checking program called TRUST. TRUST uses imaging techniques like X-rays to compare chips against their complete design specifications. IRIS, however, is looking for ways to reverse engineer a chip and find out everything it does, even when the complete design specs aren’t available.

The prospect of this kind of hacked hardware in the defense supply chain (.pdf) is linked to changes in chip-manufacturing processes. Globalization has shifted the map of where chips are built these days. Much of the production now takes place in countries like Taiwan, China, Japan and South Korea.

Different companies are also involved in the process, including those who design the chips and the foundries that manufacture them. The United States can’t just trust the chip’s designer, it needs to trust the company that manufactures it, too.

Iarpa, the intelligence community’s answer to Darpa, has put forth another program to get around the supply-chain vulnerability. Trusted Integrated Circuits (TIC) tries to help the United States take advantage of foreign chip-manufacturing facilities.

TIC looks at techniques the government can use at foreign chip foundries to reduce the risk of malicious tampering, like conducting the less sensitive parts of chip production at foreign foundries.

How big a threat are hacked chips? The White House’s 2009 Cyberspace Policy Review says “few documented examples exist of unambiguous, deliberate subversions.” Some hints of maliciously fishy hardware have cropped cropped up, though.

Greg Schaffer, Acting Deputy Undersecretary at the Department of Homeland Security’s National Protection and Programs Directorate, was asked at a Congressional hearing last month if he knew of any examples of hacked hardware turning up. “I am aware of instances where that has happened” was his vague response.

Darpa’s also getting more involved in software security, in addition to its hardware-hacking efforts. On Thursday it announced a new “Cyber Fast Track” program to speed the development of smaller cybersecurity projects to under a year.

Ca rapelle l'epoque ou des compagnies americains avaient vendu aux sovietiques des photocopieuses dotee de "fonctionnalitees specialies" comme la capacite de garder en memoire les doc scannes...

En gros, le programme IRIS cherche a verifier et valider les puces en comparant entres autres leur image/forme vs. a quoi ils devraint ressembler physiquement s'ils repondaient aux specs, donc sans "cheval de troie a valeur ajoutee".

Citation :

http://www.defenseindustrydaily.com/Counterfeit-Chinese-Electronics-Inside-American-Defense-Equipment-05103/

Counterfeit Chinese Electronics Inside American Defense Equipment?
Oct 07, 2008 17:00 EDT

Spoiler:

http://www.defenseindustrydaily.com/Secure-Semiconductors-Sensible-or-Sisiphyean-04928/
http://spectrum.ieee.org/semiconductors/design/the-hunt-for-the-kill-switch

Secure Semiconductors: Sensible, or Sisyphean?

Citation :

From TIC to IRIS at DARPA. (Feb 15/11)

The May 2008 IEEE spectrum magazine, in “The Hunt for the Kill Switch”:

“Feeding those dreams is the Pentagon’s realization that it no longer controls who manufactures the components that go into its increasingly complex systems. A single plane like the DOD’s next generation F-35 Joint Strike Fighter, can contain an “insane number” of chips, says one semiconductor expert familiar with that aircraft’s design. Estimates from other sources put the total at several hundred to more than a thousand. And tracing a part back to its source is not always straightforward. The dwindling of domestic chip and electronics manufacturing in the United States, combined with the phenomenal growth of suppliers in countries like China, has only deepened the U.S. military’s concern.”

In 2005, the prestigious Defense Science Board warned in a report that the continuing shift to overseas chip fabrication could expose the Pentagon’s most mission-critical integrated circuits to sabotage. The board was especially alarmed that no existing tests could detect such compromised chips.

Recognizing this enormous vulnerability, in late 2007 the Pentagon issued contracts that launched the Defense Advanced Research Projects Agency’s (DARPA) 3-year Trust in Integrated Circuits initiative. It has been succeeded by IRIS, the Integrity and Reliability in Integrated Circuits initiative.

Contracts and Key Events

Feb 15/11: The University of Southern California’s Information Sciences Institute in Marina del Rey, CA receives a $6.6 million cost, no-fee contract for the Integrity and Reliability in Integrated Circuits (IRIS) Program. Their research is intended to supply benchmark test articles to better focus and drive the results of the IRIS program.

Work will be performed in Marina del Rey, CA until May 31/14. The Defense Advanced Research Projects Agency manages the contract (HR0011-11-C-0041).

Sept 15/10: DARPA releases the FedBizOpps solicitation (DARPA-BAA-10-33) for its IRIS initiative:

“The objective of the Integrity and Reliability of Integrated Circuits (IRIS) program is to develop the technology to derive the functionality of an IC to determine unambiguously if malicious modifications have been made to that IC, and to accurately determine the IC’s useful lifespan from a physical perspective.”

Feb 26/10: Raytheon Space and Airborne Systems in El Segundo, CA receives a $10.7 million cost-plus-fixed fee Phase III contract related to the TRUST in Integrated Circuits program. In Phase III, Raytheon will further refine their techniques to protect all stage of the application specific integrated circuits (ASIC) design process.

Work is to be performed in El Segundo, CA (39%); San Jose, CA (3%); Lexington, MA (9%); Albuquerque, NM (25%); Burlington, MA (15%); and Santa Clara, CA (9%), with an estimated completion date of February 2011. Bids were solicited on the World Wide Web, with 29 bids received by the Defense Advances Research Projects Agency in Arlington, VA (HR0011-08-C-0005).

Dec 24/08: Raytheon Space and Airborne Systems in El Segundo, CA receives a $10.7 million cost price firm-fixed Phase II contract for Research related to the TRUST in Integrated Circuits (TIC) program.

In Phase II, Raytheon will refine their techniques to protect all stages of the Application Specific Integrated Circuits (ASICs) design process, to ensure that integrated circuits can be trusted regardless of their origin and fabrication process. Work will be performed in El Segundo and San Jose, CA; Lexington, MA; Nashua, NH; and Albuquerque, NM; with an estimated completion date of Dec 22/09. Bids were solicited by a broad agency announcement, with 29 bids received by the Defense Advanced Research Projects Agency in Arlington, VA (HR0011-08-C-0005).

Oct 31/07: Raytheon Space and Airborne Systems in El Segundo, CA received a $3 million increment of an $11.9 million cost plus fixed-fee contract for the TRUST in Integrated Circuits program.

Work will be performed in El Segundo, CA (47%), San Jose, CA (10%), Lexington, MA (5%), Albuquerque, NM (17%), and Nashua, NH (21%), and is expected to be complete in October 2008. Funds will expire at the end of the current fiscal year. DARPA issued a solicitation on the Federal Business Opportunities website on March 7/07, and 29 proposals were received (HR0011-08-C-0005).

Oct 26/07: The University of Southern California in Los Angeles, CA received a $1.1 million increment of a $13 million cost plus fixed-fee contract to deliver test articles for the TRUST in Integrated Circuits program. Work will be performed in Los Angeles, and is expected to be completed in February 2012. Funds will expire at the end of the current fiscal year. The Defense Advanced Research Projects Agency issued a solicitation in Federal Business Opportunities on Jan 15/07, and one proposal was received (HR0011-07-C-0099).

10 scariest hacks from Black Hat and Defcon
Researchers showed all manner of serious attacks on everything from browsers to automobiles.

http://www.networkworld.com/slideshows/2011/081011-blackhat-defcon-hacks.html#slide1

le 7eme est le cauchemare des defenseurs de données personnelles
on se rend compte combien on devient vulnerable avec toute l´electronique qui est sensée servire..