It has been almost two years since the infamous and mysterious computer worm known as Stuxnet was first detected by a team of researchers in Belarus.

Opinions on this vary, but the worm that is said to have caused explosions at certain nuclear installations in Iran is thought to have set that country’s alleged nuclear energy and weapons ambitions back by as much as two years.

The fascination persists. Although no one has ever taken official responsibility for it — the leading suspects in its creation are Israel and the U.S., acting together or independently — Stuxnet is widely considered to have been the most successful and innovative weapon of digital warfare ever seen.

And though numerous media accounts have, with the help of anonymous sources, filled in some of the narrative around its development, the subject of the covert cyber campaign against the Iranian nuclear program has generally remained outside the attention envelope of mainstream TV audiences.

That will change Sunday night when CBS’s popular television news documentary show “60 Minutes” turns its attention on Stuxnet, and the concept of offensive cyberwar generally.

If you’re not familiar with the particulars of Stuxnet, here’s a brief explanation: It’s a sophisticated worm that experts say required several months and millions of dollars to design. Via long-since-patched vulnerabilities in Microsoft Windows, it is designed to burrow its way into specialized industrial computers called programmable logic controllers, made by the German industrial company Siemens. These PLCs sit between conventional computers and industrial machinery like factory equipment, generators and centrifuges used to create nuclear fuel. PLCs and systems like them are widely used and, in many cases, not well secured, in part because they were never designed to be connected to the Internet.

(I first wrote about it at my last job in 2010 in stories found here and here.)

The story goes that the worm was first introduced to Iran via infected flash drives that were dropped around the outside of certain targeted facilities. The worm was carefully programmed to target a specific installation and to remain inert until it found its target. When it did, it seized control of some 1,000 Iranian nuclear centrifuges at Natanz, about 200 miles south of Tehran. While displaying seemingly normal operating conditions to workers there, the centrifuges were forced to spin out of control and effectively destroy themselves.

In a preview video released today (embedded below), “60 Minutes” correspondent Steve Kroft appears to get a tour of the U.S. Cyber Command, the military nerve center for U.S. cyberwar operations. And, in what’s likely to be considered a not-so-subtle message in certain circles, as you see Kroft getting his tour, it’s hard not to notice the screen behind him. Plus, his host shows a Google Maps image of Iran with lots of orange dots on it.

The report, for which CBS presumably got a lot of cooperation from the Pentagon, comes not long after the Obama Administration officially declared cyberspace as a theater of war. That means, the military can conduct both defensive and offensive operations, and that an attack on certain computer systems by other countries or terrorists is essentially equivalent to an attack against U.S. territory, property and people.

It’s not the first time that “60 Minutes” has tackled the subject of cyberwar. In 2009, it first introduced TV viewers to the concept of using digital weapons to seize control of industrial infrastructure in order to sabotage it, including some once-classified footage of a test at the Idaho National Lab where a generator was destroyed using nothing more than computer code (although the same report contains references to a 2007 power outage in Brazil which Wired has said wasn’t caused by digital saboteurs after all, though CBS has said it stands by its reporting.) Aside from that, CBS’s older report serves as something of a lead-up to tomorrow’s story on Stuxnet.

It will be interesting to see if “60 Minutes” has unearthed anything new on Stuxnet that fills in more of the picture surrounding its development and use. Neither the U.S. nor Israel has ever acknowledged any involvement in its creation or use. But Israeli officials have occasionally been described as “breaking into broad smiles” when asked about the subject. It will also be interesting to see if the program asks any important questions about the state of cyberwar post-Stuxnet. It’s pretty safe to assume that other parties have learned as much as they can about how it was created and how another worm like it might be created again.

What’s impossible to guess is where the next target is.

Update: I added a link above to a Wired story that disputed some of CBS’s reporting on the 2007 Brazilian blackout. In short, Wired says the real cause of that blackout was poor maintenance and not an attack by hackers, although CBS has said it stands by its reporting on that subject.

Here’s the short preview of tomorrow’s “60 Minutes” report.

“For the past 50 days we’ve been disrupting and exposing corporations, governments, often the general population itself, and quite possibly everything in between, just because we could,” the group wrote in its statement.

The collection of files it released — LulzSec’s “booty” — which I downloaded, contained a mishmash of text and images intended to demonstrate, one last time, the group’s hacking prowess. Among the collection was an image of a U.S. Navy web site civilian jobs board that had been defaced with 11 entries reading “PabloEscobar AntiSec.”

Another file, entitled “Office Networks of Corporations,” is a text file containing what appear to be the IP addresses of internal corporate networks belonging to several media and telecommunications companies. Among those on the list are the Walt Disney Company, Sony — a favorite LulzSec target — Qwest Communications and the EMI Group.

By far the biggest file — clocking in at more than 600 megabytes — was a folder containing what appeared to be internal documents taken from AT&T. They include what seem to be planning documents, timelines, internal memos related to testing and other documents concerning the construction of AT&T’s LTE wireless network.

Another file appears to be an internal memo concerning the structure of an AOL network.

Another text file, entitled “silly routers,” contains a long list of IP addresses of routers, the networking equipment that functions as the traffic cops of the Internet. Next to each IP address are the creditials used to log in and make changes to the settings of those routers; however, in each case the username and password are “root” and “admin” or “root” and “root.”

The significance here is that “root” is the highest level of administrative access that can be gained on any computer. A user with “root” access has complete control over the system, and “gaining root” is the gold standard of practically any hacker attack. In this case the joke — or Lulz — is that the root accounts are guarded by default passwords, either “root” or “admin,” meaning they’re essentially unguarded. I traced a few of the IP addresses and found they correspond with addresses in Brazil, where a LulzSec branch — really more of a copycat group — has emerged in recent days.

So why is LulzSec calling it quits now at the height of its infamy? For one thing, the heat is clearly on. At least one person said to have ties to the group, a 19-year-old named Ryan Cleary, has been arrested in the U.K., and assuming the person they’ve arrested is guilty as charged, chances are that when the pressure is on, he’ll give Scotland Yard as much evidence as he can in exchange for a lighter sentence.

Additionally, more information has started to emerge about the group via rival gangs and people who are former members. The Guardian Newspaper on Friday published a fascinating account, including a lengthy chatroom transcript that provides a great deal of insight into the group’s inner workings. That this much information has wound up in the hands of a newspaper means that the cone of silence the groups members have relied upon to cover their tracks is starting to break down. Law enforcement agents looking to make more arrests will be combing through the logs looking for connections.

They’ll be looking for someone else like Cleary, who has a history of hanging around on the periphery of groups like LulzSec, and who may have knowledge of how they operate, or other identities they use online. If it plays out as other cases have, eventually investigators will hit upon another clue that will lead to the arrest of key member who will, when the pressure of the law is brought to bear, start naming names of the other members.

With that kind of heat, it behooves LulzSec’s members to go silent and split up, and stop creating any kind of digital trail that might lead to them. Chances are that each member will destroy any evidence in their possession that might implicate them personally: Hard drives will be wiped and perhaps physically destroyed. At the same time they’ll probably retain somewhere enough evidence that will help them finger other members in the event they’re arrested.

Then again, there may never be any more arrests. There are untold scores of infamous computer crimes committed for which no one ever got arrested.

One such group that comes to mind is Hacking for Girliez, which in 1998 defaced the Web site of the New York Times. (See a mirror of what they put up here.) The people who carried out the attack later granted an interview to Forbes Magazine, but were never heard from again. No one ever faced charges in that incident, and the statute of limitations has long since expired.

LulzSec’s members could find a way to quietly fade into digital obscurity in the same way that Hacking for Girliez did more than a decade ago. But then much depends on how well its members can keep their mouths shut. Part of their appeal was their ability to brag about their conquests so publicly and with apparent impunity. If each of the group’s six members can resist the urge to brag that they were once part of the Internet’s most infamous gang of troublemakers, they might just get away with it.

LulzSec’s farewell Tweet and statement are below.

50 Days of Lulz statement: http://t.co/GbAD070 | Torrent: http://t.co/lGsJ4PU Thank you, gentlemen. #LulzSec

June 25, 2011 4:03 pm via webReplyRetweetFavorite

@LulzSec

The Lulz Boat

PREVIOUSLY:

• Despite All the Attention, LulzSec Hackers Failed
• At The Height Of Their Infamy, LulzSec Hackers Call It Quits
• Arizona Confirms LulzSec Docs Are Authentic, Worries About Officer Safety
• LulzSec Goes All Wikileaks On Arizona State Cops
• LulzSec Shrugs After Scotland Yard Nabs Hacking Suspect (Updated)
• LulzSec And Anonymous Team Up to Hack Governments and Banks
• Viral Video: LulzSec Gets Taiwanesed
• CIA Web Site Goes Down; LulzSec Takes Credit
• LulzSec Blasts Space Game Eve Online, Other Gaming Sites
• LulzSec Strikes Again, Hits Bethesda Softworks And U.S. Senate
• Turkey Arrests 32 Alleged Members of Anonymous, Days After Arrests in Spain
• Web Security Start-Up Cloudflare Gets Buzz, Courtesy of LulzSec Hackers
• No Hacks to Report at Xbox, But Microsoft Isn’t Letting Its Guard Down
• No LulzSec Hackers Have Been Arrested–At Least Not Yet
• LulzSec Posts More Sony Data, Amid Claim One of Them Is Arrested
  LulzSec Strikes Again, Claims Attack On Nintendo Server
  Sony Hacked for What Seems To Be the Umpteenth Time

• Sony’s Playstation Network Is Back. Sony’s Reputation Will Take a Little Longer.
• Exclusive: Sony Considers Offering Reward to Help Catch Hackers
• Anonymous Claims It Took No Credit Card Numbers From Sony
• Sony Implicates Anonymous in Attack; Group Denies Involvement
• Sony Apologizes For the Playstation Network Breach
• Sony Blames PlayStation Outage on “External Intrusion”

The arrest of a 19-year-old came in the wake of word that the U.K.’s Office for National Statistics is looking into the possibility that some data from the 2011 Census may have been stolen. There was a claim on Pastebin by someone claiming to be part of LulzSec that they had conducted just such an attack. On its Twitter feed, LulzSec denied any role in attacking the U.K. Census, but it expressed support.

Seems the glorious leader of LulzSec got arrested, it’s all over now… wait… we’re all still here! Which poor bastard did they take down?

June 21, 2011 6:27 am via webReplyRetweetFavorite

@LulzSec

The Lulz Boat

LulzSec, of course, is the group that claims to have hacked several Sony Web sites, as well as a Nintendo site, then the gaming servers of a couple of companies. It has also attacked the Web site of the CIA and of private affiliates of the FBI. As recently as yesterday it claimed to have carried out a denial-of-service attack against a British police agency.

Scotland Yard isn’t yet saying much about the arrest, but did say in a statement that it was in connection with computer attacks carried out against several companies, including denial of service attacks that LulzSec has been openly bragging about for days. It also said it is cooperating with the FBI.

The Wall Street Journal quoted a source familiar with the matter saying that the person arrested “may be a member of LulzSec,” but that can be difficult to pin down in these situations. The person could be merely a sympathizer emulating LulzSec’s methods but without taking the same care to avoid detection. Or it may be a person operating on the fringes of the group in some way.

For what it’s worth, there was yet another claim by the group Web Ninjas, a rival faction that says it wants to expose LulzSec members, that the person arrested goes by the name Ryan and that his is just the first arrest of several that are coming. “Well bad news for LulzSec, count your days as we count your heads, How about this for LULZ?” they wrote. The Web Ninjas go on to describe “Ryan” as the administrator of the IRC chat server supposedly used by LulzSec. But as I said yesterday, it’s difficult to sort out all these claims and counterclaims. We have, of course, seen similar claims before.

Meanwhile, if LulzSec is worried, it isn’t showing any evidence of it. It’s promising to publish more data it has been given.

Thank you to the supporters who have assisted in leaks. Like @WikiLeaks, our sources remain anonymous. Leak payloads are being decided now.

June 20, 2011 8:41 pm via webReplyRetweetFavorite

@LulzSec

The Lulz Boat

Update: LulzSec is now confirming at least some of the Web Ninja account. In a series of Twitter updates starting about an hour ago, the group said that the person initially identified as Ryan “is not a member of LulzSec,” though the group does acknowledge a connection. See the tweets below, one of which links to a Sky News report that I’ve embedded further down.

Ryan Cleary is not part of LulzSec; we house one of our many legitimate chatrooms on his IRC server, but that’s it. http://t.co/98VflEi

June 21, 2011 11:48 am via webReplyRetweetFavorite

@LulzSec

The Lulz Boat

Clearly the UK police are so desperate to catch us that they’ve gone and arrested someone who is, at best, mildly associated with us. Lame.

June 21, 2011 11:54 am via webReplyRetweetFavorite

@LulzSec

The Lulz Boat

PREVIOUSLY:

• LulzSec And Anonymous Team Up to Hack Governments and Banks
• Viral Video: LulzSec Gets Taiwanesed
• CIA Web Site Goes Down; LulzSec Takes Credit
• LulzSec Blasts Space Game Eve Online, Other Gaming Sites
• LulzSec Strikes Again, Hits Bethesda Softworks And U.S. Senate
• Turkey Arrests 32 Alleged Members of Anonymous, Days After Arrests in Spain
• Web Security Start-Up Cloudflare Gets Buzz, Courtesy of LulzSec Hackers
• No Hacks to Report at Xbox, But Microsoft Isn’t Letting Its Guard Down
• No LulzSec Hackers Have Been Arrested–At Least Not Yet
• LulzSec Posts More Sony Data, Amid Claim One of Them Is Arrested
  LulzSec Strikes Again, Claims Attack On Nintendo Server
  Sony Hacked for What Seems To Be the Umpteenth Time

• Sony’s Playstation Network Is Back. Sony’s Reputation Will Take a Little Longer.
• Exclusive: Sony Considers Offering Reward to Help Catch Hackers
• Anonymous Claims It Took No Credit Card Numbers From Sony
• Sony Implicates Anonymous in Attack; Group Denies Involvement
• Sony Apologizes For the Playstation Network Breach
• Sony Blames PlayStation Outage on “External Intrusion”

In a tweet published moments ago, the group said that service at the CIA’s Web site at www.cia.gov was disrupted. “Tango down,” the group wrote. “For the Lulz.” The site was unavailable as of a few minutes ago, the apparent victim of a denial of service attack.

Tango down – http://t.co/2QGXy6f – for the lulz.

June 15, 2011 2:48 pm via webReplyRetweetFavorite

@LulzSec

The Lulz Boat

Chances are no one is laughing at CIA HQ in Langley, Virginia. The site is for all intents and purposes the public face of the agency, so it’s not likely that any classified information is being taken or any sensitive communications disrupted, but attacking government Web sites is a federal crime under the Computer Fraud and Abuse Act, and probably some other laws I’m not thinking of. Having already demonstrated that it had penetrated the servers of the U.S. Senate’s Web site, I’m assuming that LulzSec is already deep within that territory, knows it, and is wantonly demonstrating that it doesn’t care.

It’s funnier when they say it:

CIA’s ‘Facebook’ Program Dramatically Cut Agency’s Costs

Please see the disclosure about Facebook in my ethics statement.

I can’t remember a year during which computer security stories jumped so readily from the tech and business pages to the front page.

The year 2010 was bookended by two such cases. It opened with Google’s disclosure that it had come under attack in China, an apparent attempt to penetrate the Gmail accounts of certain activists and journalists.

It ended with the WikiLeaks affair, which stemmed from the alleged theft by an Army private of classified documents stored on a government network.

And let’s not forget in mid-year came the story, as fascinating as it was sobering, of Stuxnet, a computer worm developed by parties unknown–although the smart money is on Israel–that penetrated and ultimately damaged equipment used in the Iranian nuclear program.

Computer hacking–which has for too long evoked images in the public mind-set of teenagers in basements taking digital joyrides–has finally revealed itself to everyone for what it has long been for those in the know: The domain of espionage, sabotage and possibly warfare.

In Google’s case, the attacks upon its systems raised questions about where it draws the line with authorities in Beijing about such matters as freedom of speech. When the attack was first disclosed, Google publicly mulled shutting down its operations in China.

Then in protest, it stopped censoring its search results, giving mainland Chinese access to the same search results available to residents of Hong Kong. Beijing responded by blocking access to Google’s site.

Finally, Google and China came to a new agreement, and Google appeared the loser in the battle of wills.

Computer security is one of those things that companies and governments say they take seriously, but never really seem to get a grip on, judging by the results.

In any case, there is no firewall or software in existence that could have prevented Bradley Manning from stealing the documents that he is alleged to have given to WikiLeaks. As a low-level Army intelligence analyst, he was a trusted insider who had access to this material in the course of his day-to-day job.

So, it was not technology that failed. The failure was one of internal policies that allowed him access to data not relevant to his position.

Any employee of a midsize company can see how wrong that is. Human-resources documents are limited only to those who work in that department. The same is true of people who work in the legal office, business development department and so on.

But it apparently didn’t occur to anyone in government to limit the access to what became the WikiLeaks cache to people who worked only for or closely with the State Department.

If it turns out that thousands of companies are better at protecting their business secrets than the U.S. government is, then it’s not for nothing that the Central Intelligence Agency task force investigating the WikiLeaks affair bears the initials “WTF.”

Something similar was true of Stuxnet. One of the reasons the attackers, whoever they are, succeeded was that they used several so-called “zero day” vulnerabilities in Windows.

These are undocumented weaknesses that hackers save up for special occasions as a way to open a back door into a computer and then insert a troublemaking payload, like a worm. Zero day exploits are a fact of life, and once spotted in the world, they’re usually patched.

The Stuxnet attackers used as many as four zero day exploits as a way to get their worm into targeted computers. Microsoft, to its credit, made short work of fixing them once they came to light.

Even so, the Stuxnet worm burrowed its way from Windows machines into industrial control computers known as SCADA systems, which are widely used to run factories, power plants, pipelines and all sorts of other infrastructure essential to modern life.

The worm was designed to find a specific target: The systems controlling a set of as many as 1,000 centrifuges at the uranium enrichment facility in Natanz, and make them spin faster than they were supposed to.

The ability to attack industrial computers and cause them to do things they’re not supposed to do has been a lingering fear among security experts for years. Researchers at the U.S. Department of Energy in 2007 looked at the potential for attacks on SCADA systems and proved that it was possible to seize control of an electrical generator and then make it destroy itself.

They also found that many of these systems are connected to the Internet for what seem like good reasons: Convenience and cost savings. But these connections have also opened them up to the same kind of attacks that rattled the Iranian facility in Natanz.

Another Stuxnet-like worm, the thinking goes, could be used to bring down a power grid, or poison drinking water, or shut down an oil or gas pipeline. The good news is that such an attack is expensive–Stuxnet, by one estimate, cost $10 million to create–and requires a lot of specialized insider knowledge.

The bad news is that the Stuxnet source code is circulating in the wild for anyone to study. And as the WikiLeaks case shows, there are often insiders willing to take part in criminal schemes.

The other bad news? Securing these systems won’t come cheap.

If history is any judge, there will likely be a barrage of computer security companies that try to spin these incidents into opportunities to make a sales pitch. That’s what security companies do, after all.

But they usually miss the point. How can you plan for a vulnerability you’ve never seen? How can you stop an otherwise trusted insider from abusing their access to sensitive information? Both are fundamentally difficult problems for which there are no easy answers.

Spending money on last year’s security vulnerabilities is like preparing to fight the last war: Circumstances inevitably change, and they certainly will in 2011. New kinds of attacks will arise, and they will catch their targets by surprise.

And the public, like the CIA, will reasonably ask, “WTF?”

The unvarnished fact is that the networked society to which we’ve become accustomed in the last several years has a soft, vulnerable underbelly.

And the more we rely upon it, the more people with a combination of advanced technical skills and repugnant motivations are going to look for ways to turn it against us.

Some will do so as a means of making a personal profit. Others may see it as a way of advancing a political or ideological agenda.

But others will want to use theirs skills to do serious harm to innocent people on a large scale.

And the events of 2010 point the way to a world where that’s a more realistic scenario than it ever was before.

The plan announced Monday also provides for quickly “surging” large numbers of CIA officers to hot spots around the globe such as the tribal areas of Pakistan or East Africa. Past agency plans haven’t provided for such war-time demands.

The moves reflect an effort to bolster agency operations and analysis without causing too much disruption, CIA veterans said. Although historically there has been tension between the CIA and the Pentagon, this plan aligns the two agencies’ priorities, the veterans said.

Read the rest of this post on the original site

“I don’t think John McCain could run a major corporation. I don’t think Barack Obama could run a major corporation. I don’t think Joe Biden could, either. But it is not the same as being the president or vice president of the United States. It is a fallacy to suggest that the country is like a company. To run a business, you have to have a lifetime of experience in business, but that’s not what Sarah Palin, John McCain, Barack Obama or Joe Biden are doing.”

– Former Hewlett-Packard CEO Carly Fiorina

Her dreams of heading up the World Bank dashed, former Hewlett-Packard (HPQ) CEO Carly Fiorina, the architect of one of the worst tech mergers in history, has turned her attention to the U.S. Senate.

After months of speculation, Fiorina officially announced her candidacy today. She’ll run as a Republican against Sen. Barbara Boxer (D., Calif.). Of course, to do that, she must first win the Republican primary. Fiorina broke the news in an op-ed in the Orange County Register.

“Admittedly, I have not always been engaged in the electoral process, and I should have been,” she wrote. “For many years I felt disconnected from the decisions made in Washington and, to be honest, really didn’t think my vote mattered because I didn’t have a direct line of sight from my vote to a result. I realize that thinking was wrong.”

Reflecting on her personal history, Fiorina continues: “As I grew throughout my career, beginning as a secretary and eventually becoming a CEO, I saw how government impacted business. I learned more as a member of advisory boards at the State Department, the Pentagon and the CIA. I now understand, in a very real way, that the decisions made by the Senate impact every family and every business, of any size, in America. This is what motivates me to run for the U.S. Senate. And so today I am announcing my candidacy to serve the people of California as your next U.S. senator….Together we can turn things around.”

Together we can turn things around? Not if Fiorina’s performance at HP is any indication. Before she was forced out of the company by its board of directors, she was so at odds with the uniquely Californian “HP Way” that her corner office could have been powered solely by Bill Hewlett spinning in his grave.

UPDATE: Here’s another Fiorina op-ed from earlier this year in which she discusses executive pay. Unsurprisingly, she is against President Obama’s efforts to restore “common sense” to CEO compensation. And why wouldn’t she be? After all, she walked away from HP with a $21 million severance package.

UPDATE: For those of you just joining us over at CNet, the headline is a joke referring to HP’s ill-starred merger with Compaq.