Tag Archives: Stuxnet

The Value in Releasing Information

Then we assumed that the attack against the centrifuge drive system was the simple and basic predecessor after which the big one was launched, the attack against the cascade protection system. The cascade protection system attack is a display of absolute cyberpower. It appeared logical to assume a development from simple to complex. Several years later, it turned out that the opposite was the case. Why would the attackers go back to basics? […]

In other words, blowing the cover of this online sabotage campaign came with benefits. Uncovering Stuxnet was the end of the operation, but not necessarily the end of its utility. Unlike traditional Pentagon hardware, one cannot display USB drives at a military parade. The Stuxnet revelation showed the world what cyberweapons could do in the hands of a superpower. It also saved America from embarrassment. If another country — maybe even an adversary — had been first in demonstrating proficiency in the digital domain, it would have been nothing short of another Sputnik moment in U.S. history. So there were plenty of good reasons not to sacrifice mission success for fear of detection.

via Stuxnet’s Secret Twin – By Ralph Langner | Foreign Policy.

In previous posts, I have discussed how information has value. This is both in the eyes of attackers as well as the information’s original controllers. I have also written several tutorials, such as those on GPG or OPSEC, that by implication state that anonymity has worth. After all, what is the point of privacy if it has no value? What the article above demonstrates is a corollary to that theme. Specifically, when you utilize stealth, one of its powers is found in giving it up.

The mathematics that investigates competitive self-interest is known as game theory. Simplified, it states that rational actors will behave in a logical manner. Specifically, rational actors will attempt to maximize success, however that is quantified in the models involved. It is utilized in everything from economic modeling to poker. In this case, we will see how utilizing a more obvious weapon than its predecessor is rational.

It was no secret that the United States was working against Iran’s nuclear research programs. What was not clear was what efforts, if any, were being made outside of economic sanctions or other “non-violent” means (whether the adjective “non-violent” applies to sanctions is outside the scope of this discussion).

What the article quoted above indicates is that the Iranian nuclear research facilities had been compromised for some time. While it did not bring the research to a stop, it would both delay it and raise doubts as to the capabilities of the technical staff involved. This would hopefully allow time for other avenues to bring the research to a complete halt. However, despite the value in this, the technique was modified to instead utilize the payload found in Stuxnet.

This would increase the visibility of the attack, but it is possible that, at this point, visibility was the desired goal. It would continue causing delays in the research program, and with a smaller risk of escalation than a military strike (warning: PDF). Additionally, even if discovered, it would most likely not cause a war, given the ongoing debate over the role of cyber attacks in warfare. What it would do, however, is expose that the attackers had the capability to carry out such an operation.

The results of this were obvious. First, the U.S. and its allies faced retribution. While not desirable, such attacks were easier to absorb than the projected asymmetric physical responses, such as car bombings. Instead, the response came as software-based asymmetric attacks, such as those on Saudi Aramco and various Western banks. The correlation between the methods used in the initial attack on Natanz and those used in the response indicates that this may have been the desired response.

Given that an asymmetric response was going to happen, and that malware and other information-based attacks are already in use and asymmetric (warning: PDF), perhaps a software-based response was preferred precisely because that threat already existed. Assuming that those making the decision were in fact rational actors, they foresaw that the many revelations that would follow from Stuxnet would inform other actors of their capabilities. By doing so, it showed that in the event of such an attack on its own infrastructure, the U.S. could respond in kind.

The Economics of Malware: Governments

Note: This is the third of three articles I will do about the economics of malware. I will be giving a presentation on these issues at Madison, Wisconsin’s Nerd Nite on October 30, 2013.

In part one, I talked about the history of vulnerability research, and the development of the market that exists around them. Part two involved the criminal side of the purchasers of those vulnerabilities, and how they make their profit.

Today’s subjects are those who operate with a level of sanction. These are government agencies and contractors, all of which operate with different goals than the criminal elements discussed in part two. Broadly, those goals fall under three categories.

  1. Monitoring their own Citizens – This goal applies to any instance where the government or its agents (public or private) act in order to observe people under their banner. This can fall under censorship, such as China’s Great Firewall being used to control what is discussed. Alternately, it can come under the guise of law enforcement, such as the Saudi government looking for technologies to “monitor terrorists”.
  2. Gathering Information from outside their Borders – External espionage is perhaps the most common governmental use of malware. In this case, one of the best-known examples is Flame. The control servers used in Flame (also known as Flamer) left lots of evidence about its longevity (perhaps five years) and extensive data collection (upwards of 8 GB of encrypted data in a mere 10 days). This is far from the only example, however, as the Chinese government has used similar tactics in order to gain data on weapons programs.
  3. Disrupting Targets – For instances like this, the attacks can be more direct. The quintessential modern example is Stuxnet. With these, governments (assumed to be the United States or Israel, or both) created some of the most successful malware packages. Stuxnet was used to (supposedly) slow the Iranian nuclear weapon program by disabling centrifuges used to enrich uranium. There also exist examples of North Korea launching overt attacks against South Korea, or rumors of Iranian involvement in attacks on financial institutions within the United States.

As with all things, these goals unify under the overall desire to increase the power and influence of their constituent nations. With that in mind, they work in different ways from the criminal element. Conveniently, the multi-pronged approach used by the NSA serves as a case study.

These are examples of how modern governments are major purchasers of exploits, just like the criminal elements of part two. Once purchased, they are put to use. The NSA has used malware and is preparing to expand that use. One of the United States’ ongoing major programs is to develop better techniques and methods for handling large-scale assaults.

The attacks begin at the network layer. Most people depend on the appearance of a lock in their address bar to know that they have SSL protection when they browse the Internet. At some point, the NSA compromised the value of SSL, TLS, and VPNs, at least on some level. Attacks on other anonymization technologies help ensure they can collect data, especially from those who want to hide themselves.

In order to do so, they use multiple methods. First, they use the extensive collection of zero-day vulnerabilities they acquire either through their own research or through the gray market that exists today. Additional work is farmed out to contractors, expanding what is perhaps the greatest growth industry in defense. They also pay employees of major tech companies to insert backdoors that allow them access.

This work spills over into other arenas. Importantly, the NSA’s use of malware and exploits has led to fear of legitimizing their use, although that appears to be a moot point. While governments such as Germany show anger at the revelations of the last year, they are also not innocent of using their own similar tools.

The biggest issue here is that as more specific details come out about nation-state programs using malware, there has been more anger from the targets. While this anger would be valuable if it were directed towards auditing algorithms and software to look for manipulation, it instead appears to be fracturing the universality of the Internet.

While new systems may be good, working to improve universal standards may be better. For several years there have been questions about the National Institute of Standards and Technology’s (NIST) SP 800-90 for elliptic curve cryptography. The fundamentals of the math are not in question, only the implementation details. Unfortunately, governments will continue to attempt to influence these implementations, as anyone with their power would do as rational actors attempting to increase their own power.

And that is the main lesson of government use of malware. It is functionally not very different from anything in the last few decades. Phone companies have been required to allow interception under legitimate requests for over a century, and espionage has a history dating back millennia. Perhaps the scale is different, but policy solutions have been shown to fail inevitably. Technical solutions are possible, but require a great deal of work and are far from certain to succeed.