The U.K.’s Telegraph has a story today on a report in a British academic journal, arguing that the Stuxnet malware used to attack and sabotage Iranian nuclear enrichment sites in 2010 may have had the net effect of helping Iran get better at enriching uranium.

Stuxnet, you’ll recall, is the most famous of a series of cyber weapons said to have been used by the U.S. and Israel in a series of joint operations meant to sabotage and delay the ability of Iranian nuclear scientists to enrich uranium and eventually build a nuclear bomb.

Never officially acknowledged by either the U.S. or Israel, the Stuxnet source code was taken apart by computer-security researchers who determined that only a motivated government could have the resources to build it. And the only motivated governments in the world with sufficient know-how are the U.S. and Israel, their argument went. The New York Times finally all but proved them right.

Using data gathered from the International Atomic Energy Agency, King’s College researcher Ivanka Barzashka concluded that the Stuxnet attacks exposed weaknesses in Iranian systems that would otherwise have gone undetected, and which have since been patched. Since then, she said, Iran has regrouped and actually boosted its capacity to enrich uranium.

The story goes that the Stuxnet worm was introduced in 2009 via a series of USB drives dropped by intelligence operatives near a targeted facility at Natanz. The worm penetrated computers running pretty much any variant of Microsoft’s Windows, looking for a specific set of machines hooked up to a series of Siemens programmable logic controllers — computers that sit between desktop PCs and industrial equipment like, say, nuclear centrifuges.

What it did was show operators a screen depicting centrifuges running normally, while at the same time issuing commands to those centrifuges to spin too fast. Ultimately, several of them exploded. The estimate at the time was that Iran’s nuclear efforts had been set back by two years. It has now been four years since that attack was alleged to have taken place. If Barzashka’s findings are confirmed — and that’s admittedly not going to be easy — it would raise some serious questions about whether or not the Stuxnet attacks were such a good idea in the first place.

I did just that this morning. (And you can, too, right here.) One section I found especially interesting is headlined “Role of Electronic Warfare in Future Conflict.” It details the Pentagon’s current assessment of how China’s People’s Liberation Army looks at action in the digital realm, and if nothing else, it’s certainly worth thinking about.

It’s pretty well understood that if the U.S. and China found themselves in a shooting war tomorrow, the U.S. would hold a significant military advantage. Its land forces, planes and ships and surveillance technologies are all more advanced. But much of that advantage comes from the ability to quickly share information on the battlefield, and to see everything that’s going on.

China, the Pentagon says, sees electronic warfare as a way to “reduce or eliminate” those technological advantages. How? China’s military doctrine calls for making its enemy blind, deaf and dumb by disrupting its ability to communicate and share information. “Effective EW is seen as a decisive aid during military operations and consequently the key to determining the outcome of war,” the Pentagon writes. “Potential Chinese adversaries, in particular the United States, are seen as ‘information dependent,’” the report says elsewhere.

If you’ve been paying attention to China’s numerous alleged intrusions against many, many computer systems and networks owned by U.S. government agencies and companies like Google and Intel that have disclosed attacks in the past, it’s not surprising. But when cast in the light of an overarching military philosophy, it’s more troubling.

Earlier this year, the world learned about the existence of a division of the People’s Liberation Army called Unit 61398. This unit is thought to be responsible for a series of cyber attacks against no fewer than 141 distinct companies or organizations since 2006.

The role of these attacks, the Pentagon says, is pretty straightforward: Spying and information in preparation for a day when a potential conflict might come. “China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs,” the report says. It could also give China’s leaders insight into the planning and capabilities of U.S. forces and into how leaders might respond, and that information could be “exploited during a crisis.”

China’s military thinkers, the report says, see electronic and information warfare as a “preemption weapon,” one that can be used to achieve “information dominance.” The ultimate aim: “Preclude the need for conventional military action.”

Come to think of it, that sounds a lot like the Chinese philosopher Sun Tzu, who I’ve quoted before. But the quotation I have in mind bears repeating: “The supreme art of war is to subdue the enemy without fighting.”

But even so, for all the talk about cyberwar, it didn’t come close to eclipsing the amount of financially motivated crime that took place in the digital realm, a new study by telecom giant Verizon has found.

In its ninth annual survey of data breach investigations, which will be formally released tomorrow, Verizon found that old-fashioned financial motivations accounted for 75 percent of computer security incidents. State-sponsored attacks accounted for 20 percent. And, as you might expect, the victims are the organizations that move or hold a lot of money: Financial organizations were targets 37 percent of the time, followed by retailers (24 percent) and manufacturing, transportation and utilities (20 percent).

The study’s sample size included 621 confirmed data breaches and more than 47,000 reported computer security incidents in 27 countries and territories. Verizon has been gathering the data for nine years, and now has records encompassing 2,500 data breaches and 1.2 billion compromised records.

Attacks by outside entities accounted for the majority of breaches, while only 14 percent were attributed to insiders and 1 percent to business partners; 71 percent of breaches targeted user devices and 54 percent were aimed at servers. Perhaps most troubling: Two thirds of the breaches reported required a month or more to discover.

The benefit of a study like this is that it happens at all. Since most large companies and organizations aren’t usually willing to disclose when they’ve been attacked — most have — and suffered a breach that actually cost them some money, it’s rare to see this sort of trend data gathered up in one place.

One interesting thing I noted as I scanned the report. For all the security-related anxiety that seems to have arisen during the two years or so around the “bring your own device” trend in the enterprise — where employers let workers use their personal smartphones or tablets or notebooks to access corporate networks — there seem to have been practically no BYOD-related security incidents. As one sidebar in the report put it:

“The Bring Your Own Device (BYOD) trend is a current topic of debate and planning in many organizations. Unfortunately, we don’t have much hard evidence to offer from our breach data. We saw only one breach involving personally-owned devices in 2011 and a couple more in 2012. We’ll keep watching.”

According to a pretty detailed report from Reuters, a provision of the government’s latest spending law requires three federal agencies — NASA and the departments of Justice and Commerce — to buy gear only after performing a cyber-security risk assessment carried out in consultation with law-enforcement agencies. Part of the assessment includes consideration of the fact that the equipment or its components may have been manufactured in China.

It’s the latest expression of official hand-wringing about China, and the fact that that country is proving not only to be a permanent and overpowering fixture in the world of tech manufacturing is complicated by the fact that it is also proving to be an adept and aggressive player in the ongoing digital cold war between the countries. It’s also a shot across the bow of China’s large tech equipment providers, like Lenovo and Huawei.

Last month, a U.S.-based research firm claimed to have traced numerous cyber attacks to a specific unit of China’s People’s Liberation Army, one operating within a particular building in Shanghai.

Before that, suspicions about China and its intentions, capabilities and actions in the cyber arena led to a White House-ordered review of claims of spying by the Chinese telecom firm Huawei. This followed a report by the House Intelligence Committee saying that Huawei and another Chinese telecom-equipment concern, ZTE, pose sufficient security risks that government agencies should avoid buying their equipment. This amendment, inserted into a continuing resolution intended to keep the government running through the end of September, essentially puts those worries into force with regard to those three agencies.

But, as I argued at the time, at least some of the federal worry has as much to do with what China might do as it does with what the U.S. is known to have already done. The joint U.S.-Israeli cyber campaigns against Iran using malware weapons like Stuxnet, Gauss and Flame say a great deal about the potential real-world damage that a cyber weapon might do. Stuxnet, you’ll recall, is said to have caused some of Iran’s nuclear centrifuges to spin out of control and explode in an attempt to set back that country’s nuclear research efforts.

Huawei in particular has had a difficult time proving that its links to China’s military establishment are sufficiently severed, and that in the event of open conflict its gear wouldn’t be turned into a surveillance and espionage tool against the U.S. Though, as Reuters notes in its story, Huawei doesn’t believe the bill applies to it. We’ll see.

That’s making companies with new approaches to security pretty popular among venture capital and private equity investors. Today, one new firm, Endgame Systems, announced that it has landed a $23 million Series B investment led by Paladin Capital. Previous investors include Bessemer Venture Partners, Columbia Capital, Kleiner Perkins Caulfield & Byers and TechOperators. Retired Lt. Gen. Kenneth A. Minihan, a managing director at Paladin and a former director of the super-secret National Security Agency, will join Endgame’s board.

Started in 2008, Endgame specializes in what it describes as providing real-time command-and-control capabilities, including analytics, visualization and knowledge discovery, all intended to enhance computer security efforts.

CEO Nathaniel Fick put it this way: “As Internet-connected devices become more pervasive in our lives, the barriers to entry are falling for malicious actors to have impact thanks to commoditized and easy-to-access tools,” he said. “The only way to be successful at cyber operations in a changing environment like that is to ingest massive amounts of data, analyze it in real-time and act.”

Endgame has been expanding in recent months. Fick joined as CEO late last year. Niloofar Howe joined as chief strategy officer. Matt Georgy, a former computer security officer with the Department of Defense and the Air Force before that, joined as CTO. Its chairman is Christopher Darby, the CEO of In-Q-Tel, the venture capital arm of the U.S. Central Intelligence Agency.

The round brings Endgame’s total capital raised to $52 million, following a $29 million investment by Bessemer in 2010.

Sergey Nivens / Shutterstock.com

But that’s not to say that Apple hasn’t been preparing — quietly as always — for the kind of eventualities that tend to crop up when hackers and other digital miscreants are taken to probing your systems for vulnerabilities.

One visible sign of that preparation can be detected in the personnel that Apple has been hiring in the area of software and system security in recent years. Apple rarely if ever comments on any but its most senior hires. Nevertheless, several names have come to light. And while Apple generally doesn’t comment to confirm or deny the role that any of these people may or may not be playing in response to the latest incident, here are some people whose job at Apple involves security.

Craig Federighi: Senior vice president for software engineering, Federighi is in charge of all aspects of Apple’s operating system software, both on the Mac and the iOS platforms, and reports directly to CEO Tim Cook. He inherited responsibility for iOS after last year’s departure of Scott Forstal. He worked at Next Computer, the company Apple acquired in 1996 that brought Steve Jobs back to Apple after more than a decade. Later, Federighi spent a decade at Ariba, including a stint as its CTO. Everyone involved in OS security, whether for the iPhone, iPad or the Mac, reports to him.

David Rice: Hired in 2011 as Apple’s global director of security, Rice is a graduate of the U.S. Naval War College and spent time at the National Security Agency. However, he’s best known for his 2007 book “Geekonomics,” in which he argued that software is a new kind of public infrastructure that when built badly amounts to a public hazard, and those who buy it become virtual crash test dummies who have to suffer with a software industry that is unaccountable for the results.

Window Snyder: Hired in 2010, Snyder lists her title as Senior Product Manager, Security and Privacy. She had previously headed up security operations at Mozilla, the open source software organization responsible for the Firefox Web browser. She has also held software security positions at Microsoft and @stake, a security firm that’s now part of Symantec. She’s listed as co-author, with Frank Swiderski, of a Microsoft-produced book called “Threat Modeling,” which focuses on looking at computer security from the point of view of an attacker.

Ivan Krstić: Hired in 2009, the Croatian-born Krstić is in charge of core OS security on the Mac. He previously ran security for the One Laptop Per Child program, where he came up with a method to secure programs in Linux called BitFrost that wrapped individual programs in their own virtual operating environments so that one couldn’t harm the other. The approach was considered so novel that some suggested incorporating it as a core feature of Linux.

Kristin Paget: Currently a Core OS Security Researcher, Paget is a Microsoft veteran who’s generally credited with “saving Windows Vista” by forcing a delay in that operating system’s release after demonstrating that it wasn’t as secure as previously thought, Paget joined Apple late last year as a Core OS security researcher. Her hiring was first reported by Wired.

Image: Sergey Nivens / Shutterstock.com

Jeffrey Carr, CEO of Taia Global, writes today in a blog post that he thinks Mandiant’s report is full of holes.

“In summary, my problem with this report is not that I don’t believe that China engages in massive amounts of cyber espionage,” he writes. “My problem is that Mandiant refuses to consider what everyone that I know in the Intelligence Community acknowledges — that there are multiple states engaging in this activity; not just China.”

Carr explains that Mandiant’s report doesn’t include a thorough analysis of alternative explanations, the purpose of which would be to exhaust the alternatives and thus narrow down the range of possible conclusions. He says that intelligence agencies like the Central Intelligence Agency routinely engage in a vetting process known as Analysis of Competing Hypotheses (ACH). This is something, Carr argues, that Mandiant didn’t do. Thus its rather explosive allegation isn’t ironclad.

“This [ACH] is rarely if ever done by information security companies, and it’s the single biggest objection that I have when it comes to individuals making claims of attribution to nation states,” he writes.

There are, Carr notes, more than 30 countries that have military hacking capabilities who may or may not have the capabilities noted by Mandiant. Also, one of Mandiant’s primary claims has to do with the attacks being traced to a certain area of outer Shanghai, an area where there are a lot of people and a lot of computers. And if the attackers are indeed in China, why wouldn’t they take greater care to cover their tracks?

In the academic world, research papers go through a process called peer review before they’re published. Carr suggests that Mandiant’s report should be subjected to the same thing. He suggests that students at the Mercyhurst College Institute of Intelligence Studies (Mercyhurst, in case you didn’t know, is sort of a feeder school for the intelligence community) take Mandiant’s findings and run them through a thorough review.

“If you’re going to make a claim for attribution, then you must be both fair and thorough in your analysis and, through the application of a scientific method like ACH, rule out competing hypotheses and then use estimative language in your finding,” he writes. “Mandiant simply did not succeed in proving that Unit 61398 is their designated APT1 aka Comment Crew.”

“The supreme art of war is to subdue the enemy without fighting.” The Chinese philosopher Sun Tzu wrote that.

Both come to mind as the world is waking up a newly disclosed body of evidence from the Internet security firm Mandiant, publicly illustrating, in the starkest terms yet, how wide, deep and pervasive computer hacking attacks from China have become. As reported on the front page of today’s New York Times, numerous attacks on American, Canadian and British companies, dating as far back as 2006, have been carried out by a single unit of the China’s People’s Liberation Army. Mandiant, a firm based in Alexandria, Va., has identified it as Unit 61398, operating out of a single building just walking distance from the point in outer Shanghai where the Huangpu and Yangtze Rivers meet.

The company maintains that the unit has compromised the networks of at least 141 companies or organizations, and probably more than that, spending an average of 356 days perusing their networks. In one case, the attackers had unfettered access to a target’s computers and networks for a grand total of four years and 10 months.

Who do they attack? None of the companies are named. But, if you think back, you can remember some names that have disclosed attacks blamed on China, that might fit the bill: Google and Intel have over the years complained in public of attacks carried out by China. The Times says the army unit was the one responsible for the attacks carried out in 2011 against RSA, the security unit of the technology company EMC, which were described at the time as “extremely sophisticated.”

More recently, a series of attacks against media organizations have been attributed to China: The New York Times, The Wall Street Journal (which, like this website, is owned by News Corp.), Bloomberg News, the Washington Post and the Associated Press are among them.

Other targeted industries include information technology, defense and aerospace, energy, transportation, satellites and communications, navigation, chemicals, health care and mining, to name a few.

What do the attackers take? Here’s a list taken directly from Mandiant’s report:

• product development and use, including information on test results, system designs, product manuals, parts lists, and simulation technologies;
• manufacturing procedures, such as descriptions of proprietary processes, standards, and waste management processes;
• business plans, such as information on contract negotiation positions and product pricing, legal events, mergers, joint ventures, and acquisitions;
• policy positions and analysis, such as white papers, and agendas and minutes from meetings involving high-ranking personnel;
• emails of high-ranking employees; and user credentials and network architecture information.

Most of the time, the victim company doesn’t even know that its information has been stolen until it is far too late to do anything about it.

Who gets the information in the end? It’s unclear, exactly, and so Mandiant engages in educated conjecture and looks at the available evidence. In one case in 2008, a targeted company suffered an intrusion lasting two and a half years, during which emails and attachments of the CEO and general counsel were stolen. During the same time period, news reports showed that a Chinese company had managed to negotiate a significant increase in the price of a certain commodity component with an unnamed victim company. It may be a coincidence, Mandiant concedes, but then again, it may not.

How do they attack? Usually by sending innocent-looking attachments in email messages. An employee at the target company opens it, triggering software embedded within it that gives attackers remote access to that employee’s machine, which then serves as a beachhead for more attacks. You can see a short video showing some of the attacks actually taking place in the video below.

Certainly, suspicions about China and its intentions, capabilities and actions in this area have pervaded for months. Knowledge about all this has probably circulated within the classified community for years, and no doubt plays a part in the concern among lawmakers and U.S. federal government agencies about the growth of the Chinese networking company Huawei.

Mandiant points to another: Unit 61398, it says, carried out a series of attacks against a unit of a Canadian company called Schneider Electric. The incident was first reported by security blogger Brian Krebs, and was carried out when the unit was an independent company called Telvent. What does the company make? Remote access tools, basically software that lets you control one computer from another computer far away.

The part that should scare you is what kinds of computers this software is intended to control: They’re known generally as SCADA systems, or supervisory control and data acquisition systems. They’re the stripped-down machines that sit between large industrial machinery like generators or pumps, or any other kind of big, automated equipment, and regular computers.

In a series of letters to customers in September of last year, Telvent disclosed that attackers traced to China had installed malicious software on its network, and had stolen files related to a key product called OASyS SCADA, which is designed to connect older IT assets to certain “smart grid” systems running on electrical power networks.

Attacks on SCADA systems can be very effective, in part because the machines involved are older and have tended to be less well-secured. How effective? Remember Stuxnet? The malware attack carried out by American and Israeli intelligence agencies against the Iranian nuclear research program? In that attack, nuclear centrifuges were caused to spin out of control, and ultimately explode. That was an attack against SCADA systems. We already know how easily attacks like it might be carried out here.

Stealing intellectual property and trying to gain an edge in business negotiations is one thing. Penetrating the systems that run critical infrastructure is rather more serious, bordering on sabotage. Now that the government officially considers cyberspace a theater of warfare, similar to land, sea, and sky, this is starting to look serious.

If you haven’t read it yet, I’ll spare you the effort. Last fall, the Times was getting ready to publish a lengthy report about how relatives of Chinese premier Wen Jiabao had amassed a sizable fortune. Knowing China’s reputation for carrying out hacking attacks against companies and other entities that annoy it, Times executives had the foresight to have the company’s Internet service provider watch for any unusual activity.

Predictably, it showed up. It was a classic spear-phishing attack that contained a remote access tool, packaged in an email attachment innocently opened by an employee. The incident provided the Times and the security firm it hired, Mandiant, the opportunity to watch the intruders’ activity for an extended period of time as they roamed the network. Once Mandiant had a pretty good idea of all the different paths for getting in and out, they shut down and isolated all the affected machines, plugged all the holes and that was that.

Interesting. But it’s not the first time the Times has been hacked in a high-profile manner. The story reports that the first attack occurred on Sept. 13. That’s a notable date because it is, coincidentally, the 15-year anniversary of the day in 1998 that the New York Times Web site was attacked by a hacking group calling itself Hacking for Girliez.

I wrote about that attack for Wired. The attack was a basic Web defacement. The Times front page was replaced with another page (you can see the results, not completely safe for work, here) that contained within its HTML code a rambling message about the then-jailed hacker Kevin Mitnick, and a weird poem.

No one was ever arrested for the attack and it’s a pretty sure bet no one ever will be, mainly because the statute of limitations would have long expired. But someone did get the perpetrators to sit for an interview. Adam Penenberg, then a writer for Forbes and now an editor for PandoDaily, got “Slut Puppy” and “Master Pimp” to answer some questions. Their motivation at the time? They were bored and couldn’t agree on a video to watch.

The 1998 attack was the first incident for the Times, and for a little while its entire Web site was taken down in order to prevent the display of the hacked page. The timing of this attack probably has nothing to do with this latest attack. But then again, hackers of all stripes are known for long memories and a unique sense of humor.

It appears to have been a retaliatory action by Iran that hit a batch of U.S.-based banks last fall with a series of ongoing distributed denial-of-service attacks. The New York Times says that U.S. government officials are internally blaming Iran for the attacks, which since September have disrupted the online banking operations of numerous American banks, including Bank of America, Citigroup, Wells Fargo, U.S. Bancorp and PNC.

The retaliation is for the numerous cyber attacks that have been carried out by the U.S. and Israel against Iran’s nuclear research program. The most famous of these was a sophisticated computer worm called Stuxnet that burrowed deep into industrial control systems at an Iranian uranium enrichment plant and caused centrifuges to spin out of control and explode, while computer screens monitoring their condition displayed readings that appeared normal. Others included Flame, which turned computers into sophisticated spying tools, using built-in video cameras and microphones, and Gauss, which sought to intercept bank-account information.

The educated guesses of computer security experts have all pointed to state actors in these attacks on Iran and, logically, the most motivated parties happen to be the U.S. and Israel. The governments of either country have never officially acknowledged responsibility for the attacks — they never do — but the Times reported the collaboration a year ago.

What’s disturbing in the attacks on the U.S. banks is that data centers used by cloud computing providers — none of them were named — were hijacked in some way to carry out the attacks. It stands to reason that civilian entities like data centers could be used to carry out such attacks. Cloud providers like Amazon Web Services, Google Rackspace and others are simply concentrated havens of computing muscle and capacity available for hire.

As such, like any other piece of civilian infrastructure, it appears that they can be used to carry out denial-of-service attacks, which are meant to bombard a target site with so many false requests for attention that it can’t process legitimate traffic. Not many details about how this was done have yet emerged, or whose data centers were involved. Expect those questions to linger for awhile.

The aim was not to steal money, but to disrupt the flow of it by making it hard for banking customers to access their accounts. Imagine trying to get to a bank teller window to make a deposit or withdrawal with 10 million people in the lobby: Very little real banking business would get done.

Additionally, every cyber weapon deployed by the U.S. and its allies gets studied not only by friendly security experts but by people on the other side. In time, all that collected knowledge is going to be put to use for attacks in the U.S. and other Western countries.

Anyway, expect entities acting on behalf of Iran to look for more opportunities to disrupt the flow of daily life this year. You have to remember, the U.S. is involved in an undeclared cyberwar, and you can’t exactly expect the other side to sit still. That’s war, after all.

In one case documented by the Post, residents at the University of Chicago Medical Center used a shared folder on Dropbox that allowed them to access patient records on their iPads. In another, OpenEMR, an open-source medical records system that had been adopted agency-wide by the Peace Corps, was found to have numerous flaws that opened it to attacks by hackers. Many of the weaknesses found were described as being pretty basic — or as one source quoted in the story put it, “security 101.”

Part of the problem is that the last government guidelines on this issue were published in 2005, and thus aren’t up to speed with what are now considered everyday practices.

More troubling than the vulnerabilities — which expose only the potential for an attack — are the anecdotal bits of evidence that attacks are actually taking place. At the Department of Veterans Affairs, there were nearly 200 instances of medical devices infected with malware between 2009 and 2011. In another case, a server in Utah storing Medicaid data on nearly 800,000 people was attacked earlier this year. The attack was traced to a server in Eastern Europe, though as is always the case with these things, it’s impossible to know exactly where the person carrying out the attack was situated.

The thing is, Iranian media, all state-controlled, can’t seem to get their story quite straight on how the government has responded. First there were reports — citing local civil defense officials — that “skilled hackers” helped the country repel and ultimately foil the attack. Later, local reports tracked by Agence France-Press walked back from that version of events.

Whatever the response, the description of the attack describes a new “Stuxnet-like” Trojan, without going into further detail about its capabilities or behavior. If indeed it is a new incidence, the security research firms like Kasperksy and Sophos will be all over it, though they haven’t yet done so.

Stuxnet, you’ll recall, was the super-worm that infected pretty much any and all versions of Microsoft Windows and searched for a specific set of industrial control computers known as Programmable Logic Controllers made by the German industrial giant Siemens. The target was an installation in Iran. Once found, the worm seized control of nuclear centrifuges and made them spin out of control and explode while indicating on screens monitored by plant workers that conditions were otherwise normal. While the U.S. and Israel never officially took credit for the effort, all the clues about its existence pointed to them.

The local reports say the attack occurred within the “last few months,” but it is the second attack in that country brought to public attention in December. Earlier this month, Iran’s Computer Emergency Response Team announced that it had detected a relatively simple Trojan that deletes hard drive partitions on certain dates of the year.

Throughout the year, other bits of malware have been discovered harassing Iranian systems, including Gauss, Flame and Duqu before them. All of them are difficult to trace back to an original attacker, but like the drone strikes against suspected terrorists often said to be carried out by the CIA, the number of interested parties with the required capabilities are few.

Experts at Russia’s Kaspersky Labs say it’s pretty simple, and thus perhaps not directly connected to the more spectacular malware attacks launched in recent years on Iran by parties widely assumed to be the U.S. and Israel. This new one, dubbed GrooveMonitor, is a variant of a previously-seen Trojan called Win32.Maya.a.

Its primary function is deleting Windows hard drive partitions, but it does so only within nine specific date ranges, each about two days long — starting with the period of December 10-12 of this year and ending with the period of February 2-4, 2015. On those dates, it waits for a little while and then deletes a range of hard drive partitions labeled with the letters D through I.

It may be a case of simplicity being the ultimate sophistication, as Leonardo da Vinci put it. If it does turn out to be the latest shot in the ongoing cyberwar campaign against Iran, it’s an interesting feint after a string of highly sophisticated digital weapons including Gauss — which aimed at stealing the bank and financial account information of people using targeted machines — and Flame, a sort of Swiss Army Knife of spying tools. Then, of course, there was Stuxnet itself, which caused Iranian nuclear centrifuges to spin out of control and explode. After years of finely-tuned, expensive and carefully-targeted cyber weapons, this one is more of a blunt instrument.

In being less than cutting-edge, the malware carries with it the cloak of plausible deniability. As is always the case with these incidents, attribution — figuring out the responsible party — is ridiculously tough. Since it’s a variant of a previously-seen Trojan, the more skeptical view of the Iranian reports might attribute the outbreak to bad luck and poor maintenance. There’s also less of a chance that the world’s computer criminals will learn anything new and nasty from the uber-hackers at the CIA and Mossad. That means less chance — at least in this case — of unintended blowback down the road.

Chevron found Stuxnet in its systems after the malware was first reported in July 2010, said Mark Koelmel, general manager of the earth sciences department at Chevron. “I don’t think the U.S. government even realized how far it had spread,” he told CIO Journal. “I think the downside of what they did is going to be far worse than what they actually accomplished.”

Read the rest of this post on the original site »

There aren’t a lot of specifics to get excited about in the 52-page report, though there are presumably some items of interest in classified portions of the report not released to the public. Huawei has had a difficult time showing to the satisfaction of Western sensibilities that its ties to China’s People’s Liberation Army are severed. If ordered, the thinking goes, Huawei gear could be turned into a valuable espionage tool in the event of war with the U.S. or another country.

The concerns on the part of U.S. lawmakers and the national security establishment are certainly valid, but not for the reasons you think. While Chinese actors have certainly been among the most active when it comes to attacking the networks of large U.S. corporations and stealing their secrets, the U.S. and its allies fret about letting Huawei in because they know from their own experience how imported electronics can be turned into a weapon of espionage and outright sabotage.

Remember that it was intelligence agencies of the U.S., in partnership with Israel, that turned deep knowledge of the numerous variants of Microsoft’s Windows operating system combined with specialized knowledge of industrial control systems to create the Stuxnet worm that damaged the Iranian nuclear research program. Later discoveries included other U.S.-Israeli cyber weapons called Flame and Gauss. Taken together, they amount to evidence that the countries had mounted a less-than-covert military campaign against Iran that could in time have significant unintended consequences.

Prior efforts include a largely forgotten 1982 campaign of electronic sabotage against the natural gas pipeline being built by the Soviet Union that caused so large an explosion that U.S. military forces briefly thought it was an early sign of a nuclear attack. The episode was documented in the book “At the Abyss: An Insider’s History of the Cold War” by Thomas Reed, the late former secretary of the Air Force under President Reagan.

Another incident, this one not as well documented but the subject of a great deal of informed speculation, concerns a 2007 Israeli air strike against what was at the time a suspected nuclear weapons research facility in Syria. A report by the IEEE Spectrum the following year traced reports that a French chip company that supplied the manufacturer of Syrian radar defense gear included a “kill switch” that allowed Israeli bombers to carry out their attack undetected.

So it’s not from out of nowhere that such national security concerns arise about a Chinese telecom concern.

One fundamental failure of all this official hand-wringing is that it neglects the fact that many if not most of the components, with the exception of certain higher-value chips like those from Intel, are manufactured in China. Cisco Systems and Juniper Networks in the U.S., Alcatel-Lucent in France and Ericsson in Sweden, all use Chinese-made parts and carry out at least some portion of the final assembly of their equipment in China.

Huawei certainly hasn’t done itself any favors. While its most senior U.S. employee described the company as “an open book” in a surprisingly short segment on CBS’s “60 Minutes” last night (see the video below), its founder and chief executive, Ren Zhengfei, has never sat for an interview with a Western media outlet. And the precise ownership of the company’s shares are murky. U.S. regulators have prevented it from making certain acquisitions, and in Australia it was blocked from bidding on portions of a project to build a national broadband Internet network.

It hasn’t gotten to be the world’s largest telecom equipment concern for nothing. Wireless phone networks in Africa rely heavily on inexpensive gear sold by Huawei. There are suspicions about its dealings in this area too, though they are mostly economic. Huawei has a history of undercutting Western rivals in competitive bids by as much as 5 percent to 15 percent, raising suspicion that it is the benefactor of state-sponsored subsidies. However, it’s also to the benefit of these rivals to stoke the national security concerns as much as possible.

All told, it’s not as though there is no reason to be suspicious of Huawei, if only because the U.S. and its allies know too well from their own actions in recent years about the potential for electronic espionage, surveillance and warfare.

For its part, Huawei defended itself and attacked the report in a response today (read it in full here). The company said the committee’s report, an 11-month effort, “failed to provide clear information or evidence to substantiate the legitimacy of the Committee’s concerns” and “appears to have been committed to a predetermined outcome” and “employs many rumors and speculations to prove non-existent accusations.”

Without having read the classified portions of the report, which are said to contain more specifics — it mentions only vague instances of “beaconing,” which is intended to mean sending data back to China — it’s hard to argue with Huawei’s position.

Nor is it easy to dismiss the committee’s fears out of hand. Which brings us to the possible unintended result of all this: Might China respond with its own restrictions against U.S. telecom firms like Cisco and Juniper? Is this the first shot of a telecom trade war? We’ll see.

If that happens, expect Cisco to be hurt more than Huawei. U.S. sales account for only 4 percent of its overall revenue, whereas Cisco’s operations in Asia, the Pacific Rim and China account for more than 16 percent, and China was its second fastest-growing market in that region after Japan.

Huawei-ZTE Investigative Report (FINAL)

It’s complicated, but not difficult, to surmise the nature, if not the names, of the targets of this latest state-sponsored malware campaign: Of the 2,500-odd infections that Kasperky’s researchers have counted so far, 1,660 — more than two thirds of them — have occurred in Lebanon. The software is designed to intercept data intended for use with accounts at the Bank of Beirut, Byblos Bank, Fransabank, all of which are either based, or which have significant operations in Lebanon.

Gauss, they say, bears a lot of the same markers as Stuxnet, Duqu, and Flame, which all predated it. It is the latest evidence that the U.S. is participating in a covert, undeclared campaign of computer warfare against parties unknown and of uncertain intent.

Anyone who reads the news of the world can guess at Gauss’s purpose. The prospect of a shooting war with Iran involving the U.S. and Israel in some combination is never far from the minds of anyone in that region these days, as that country continues to develop its capacity to produce materials that might be used in nuclear weapons.

Lebanon is the home base of Hezbollah, a militant and terrorist group that is backed financially by both Iran and Syria, and which even has a political arm that has seats in the current Lebanese government. If there is to be a war with Iran, it follows that Hezbollah would act as an Iranian proxy, and would probably serve as Iran’s offensive arm, launching missile and other attacks against Israel. Naturally, intelligence about the movements of money in that country might be useful information. It might also be useful to drain certain accounts of funds as a way of slowing down operations. You can’t shoot guns and missiles if you can’t buy them first.

Another purpose might also have to do with the efforts to undermine the regime of president Bashar al-Assad in neighboring Syria. For years, Syria essentially occupied Lebanon, and it continues to have a significant interest in the country.

Naturally, there’s a potential for unintended consequences. Attacking the banking services and infrastructure of one country invites a response. And few things give people more pause than the thought that their banking information might be compromised, altered or even wiped out. Imagine going to an ATM tomorrow and seeing a negative balance where you expected plentiful cash.

There is one bit of encouraging news in this: It seems the cyber-warriors are learning from their mistakes. Having watched as Stuxnet was first detected and then de-constructed by the global community of computer security researchers, Gauss’ meatier functions have been carefully and shielded by a cloak of strong encryption. When it encounters a computer of a specific type and configuration, then and only then do those parts decrypt themselves. Stuxnet did something similar, and it was later discovered to be aimed at a specific combination of systems thought to be used in Iran.

Stuxnet was difficult and expensive to create, and as such never intended to be seen in the wild. When it did leak into public view, researchers working for both the good guys and bad guys tore it apart in order to learn as much as they could from it. This time, the most sensitive parts of the weapon — for that is what it is — have been locked up relatively tightly in hope that the bad guys learn less this time around. For people like me who wring their hands over the implications of all this, that has to count as progress.

The renewed emphasis on building up cyberwarfare capabilities comes even as other defense programs have been trimmed. Along with unmanned aircraft and special operations, cyberwarfare is among the newer, more high-tech and often more secretive capabilities favored by the Pentagon’s current leadership.

Read the rest of this post on the original site »

If you needed any further evidence about the possibility of an unexpected blowback from the creation of the Stuxnet worm and other cyber-weapons like it, the U.S. Department of Homeland Security has something for your night table, bound to keep you awake.

Earlier this week, it released a 17-page report, embedded below, detailing the activities of the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT for short.

It’s the DHS group that responds to cyber-incidents on those specialized computers that control industrial machinery, which are sometimes called SCADA systems. They’re the kind that were targeted in what’s turned out to be a joint U.S.-Israeli cyber-campaign against the Iranian nuclear research program.

Stuxnet was the first worm detected, but it came later, after the creation of Flame, a piece of software that can on command record everything that goes on inside and in the general vicinity of a computer.

The Washington Post, citing intelligence sources, reported that both were created as a result of the combined efforts and resources of the U.S. and Israeli intelligence agencies, filling in some gaps of reporting initially done by the New York Times.

The report details the number of incidents at numerous critical infrastructure sites: Energy plants, water facilities, factories, that sort of thing. The first bit that everyone pays attention to is how the number of incidents reported skyrocketed from nine in 2009 to 198 in 2011. A lot of that increase can probably be attributed to the fact that the ICS-CERT was a relatively new creation.

But the part that caught my eye was what the government wordsmiths at DHS creatively called “sector distribution.” In 2009, there were all of four sectors targeted for some kind of malicious attack: Dams, energy, water and two attacks that crossed sectors. Last year, there were 10 sectors targeted, and 49 cross-sector incidents.

See the graphic below for the breakdown:

On the bottom of Page 9, the report covers a case where a “critical manufacturing facility” — it doesn’t go into any more detail than that — discovered that its engineering workstations were all infected with Stuxnet. ICS-CERT arrived on the scene, confirmed that the malware infecting the machines was indeed Stuxnet and cleaned up the mess.

Consider for a moment that Stuxnet was never intended to be seen in the wild in the first place, but had, in the words of one intelligence official, “escaped,” and you get the idea of the kind of unintended consequences that the cyberwar age brings with it. That is to say: Silent, invisible weapons, adapted and turned back on their creators.

The fact that it was found infecting systems thousands of miles away from its intended target — outside of the control of the people who initially deployed it — raises questions about whether such a weapon can be realistically deployed without causing what in conventional warfare is known as “collateral damage.”

And make no mistake: This is a new age of warfare, comparable with the nuclear age that dawned in 1945 with the atomic bomb attacks. Who says so? No less than the reasoned minds of the Bulletin of the Atomic Scientists, the people who regularly adjust the so-called “Doomsday Clock.”

Kennette Benedict, the Bulletin’s executive director and publisher, summarized, about as eloquently as anyone has so far, the philosophically important moment at which society has arrived:

The parallels with the invention and first use of atomic bombs on Hiroshima and Nagasaki are eerie. Consider the similarities: First, government and scientific leaders invent a new kind of weapon out of fear that others will develop it first and threaten the United States. Second, the consequences of using the new weapon — both the material damage it might cause as well as its effects on international security and arms-race dynamics — are poorly understood. Third, scientists and engineers warn political and military leaders about the dangers of the new weapon and call for international cooperation to create rules of the road. Fourth, despite warnings by experts, the U.S. government continues to develop this new class of weaponry, ultimately unleashing it without warning and without public discussion of its implications for peace and security.

I wish I had said it that well myself. America’s first cyberwar is already under way, and has been for some time, without so much as minute’s serious discussion in the public sphere.

This we already know.

We also know that once the weapons are developed, attacks are easy to carry out. Stuxnet was initially introduced by way of USB thumb drives surreptitiously dropped around a target site. Attacks documented in the DHS report describe employees of a targeted facility being tricked into clicking on PDF files attached to email messages. Brian Ahern, CEO of Industrial Defender, a company that specializes in helping companies prepare for attacks on control systems and the like, says these types of attacks are growing more common all the time.

What we don’t know — and can’t know, before it’s too late — is what might be the result of an advanced cyber-attack on a tender spot here at home. America, and the developed world in general, is more dependent on computer networks that are arguably more vulnerable to similar attacks, because of the knowledge gained by analyzing weapons like Stuxnet and Flame.

Pick your favorite metaphor: Genies let loose from bottles, or perhaps toothpaste squeezed from a one-way tube.

Here’s the report:

ICS-CERT Incident Response Summary Report 2009-2011

It is a big package of software that apparently offers an attacker something like a Swiss Army knife, because it can do a lot of things that might be called for. It can monitor a computer’s network traffic, including tracking which Web sites are visited, and log and copy email coming in and going out. It can turn on a computer’s internal microphone and record conversations in the room and presumably send audio files of those recorded conversations to someone who will listen to them. Ditto with a machine’s internal Web cam. It can record what characters are typed on the keyboard, thereby capturing sensitive information like passwords and other user credentials that can be used later. It can capture shots of what is being displayed on a computer’s screen.

Seen in the wild some weeks back, the Washington Post, citing Western intelligence officials, reported today that Flame was created by the combined efforts and resources of the U.S. and Israeli intelligence agencies. The story matches and fills in some details on reporting by the New York Times on the same subject.

Work on Flame, the Post says, predated and later led to the creation of the Stuxnet worm, which is newer but was seen first in 2010. In that case, an Israeli-created worm that targeted industrial control computers in Iran is thought to have caused some centrifuges used to enrich uranium to spin too fast and explode.

Allow me to stitch this thread together with another: It was about a year ago that the Obama Administration made some broad pronouncements on treating cyberspace — the Internet and other scattered parts of the digital stage — as a new theater of warfare, equal, for military purposes, to land, sea, sky and space. An attack in one place warrants a military response or retaliation in another.

At the time, I wondered what a cyberwar might look like. Now we have an idea. The governments of the United States and Israel have been conducting a not-so-covert war against Iran without having to disclose it to their people.

Knowing this leaves me with two questions, one perhaps a legal technicality, the other more practical.

First, if the U.S. views attacks in cyberspace the same as other attacks, then how is a country being attacked supposed to see that? If the U.S. reserves the right to respond to a cyber attack with an air strike, does that not mean that Iran can do the same thing? And if the U.S. is launching attacks, shouldn’t there be some overt public acknowledgement of that fact? Yes, I’ll grant, fighting with bits is preferable to fighting with bullets and bombs, but if it’s the Obama Administration’s position that fighting with one is legally equal to fighting with another, shouldn’t one be done as readily in the open as the other? Warfare requires a degree of public approval. Espionage doesn’t.

Second, I have longer-term concerns about blowback and unintended consequences. Stuxnet and Flame were hard to make, and they were never intended to be discovered, let alone pulled apart and studied as closely as they have been. The fact that they’ve been studied in detail by both the good guys and the bad guys makes me wonder who might be learning from Stuxnet and Flame in order to adapt them for such things as, say, corporate espionage.

If Flame amounts to an early example of a new type of malware that can both easily evade detection and record everything happening both on and around a computer, then companies will have to respond accordingly. Imagine a world where anytime anyone holds a meeting where sensitive information is discussed, it takes place in a secure room with no electronics present. And that’s just for openers.

There’s an interesting new fundamental thought emerging among computer security companies. The logic goes like this: First, your digital assets are going to be attacked. Second, no matter what preparations you make to defend those assets, a determined attacker is going to find a hole or a method of penetrating your defenses that you didn’t think of.

Most attacks are relatively cheap to carry out, because they’re not that sophisticated. More often than not, attackers copy the methods they use from each other. Attacks are inexpensive, and most attackers have the luxury of limitless time.

The exception is attacks using so-called “zero day” vulnerabilities, where a previously unknown vulnerability, usually in the operating system, is used to gain access to a system. Most — but not all — of the time, once a zero-day vulnerability is seen and documented, the weaknesses it reveals are patched, making it the type of weapon that can be used only once.

As such, zero-day vulnerabilities are often traded on the black market and sold at a high price. For example, when the Stuxnet worm — the malware that was used to attack and sabotage the Iranian nuclear program — was first discovered, security researchers were impressed that it used no fewer than four distinct zero-day vulnerabilities in Microsoft Windows. So many used at once indicated that the cost to carry out the attack was high, leading to the conclusion that only a state-sponsored attacker would have the funds to carry it out. This led to the logical conclusion that either the U.S. or Israel had been behind Stuxnet.

I bring it up because Stuxnet is an example of the conclusion of this new fundamental thought I mentioned at the start. Why not make attacks expensive for the attackers? The early estimates on Stuxnet put its cost at $3 million, and it is believed that it required a team of 10 skilled programmers and as long as six months to develop. It was not a cheap attack. It was expensive.

That’s the idea behind Shape Security, which today announced that it has landed a $6 million Series A round of venture capital funding led by Kleiner Perkins Caufield & Byers and TomorrowVentures, the fund led by Google Chairman Eric Schmidt.

Peter Wagner, a former partner at Accel Partners, as well as executives from LinkedIn, Twitter, and Facebook, will also join the round. Ted Schlein, managing partner at Kleiner Perkins, has joined the board of directors, along with Gaurav Garg, a limited partner at Sequoia Capital and personal investor in the round.

We don’t as yet know a great deal about Shape Security or its intentions. But we do know who’s running it: According to this filing with the U.S. Securities and Exchange Commission, its CEO is Derek W. Smith. Another key exec and director is Sumit Agarwal, the former head of Google’s mobile product management, who in 2010 took a post in the Department of Defense as senior adviser for Cyber Innovation.

Another key exec is Troy Tribe, who appears to be the same person who used to be VP for business development at Solera Networks, which specializes in network-security analytics and forensics.

This is the second time in as many weeks that I’ve noticed a security company talking about changing the economics for attackers. The first was Crowdstrike, which announced that it had hired Shawn Henry from the FBI and landed a $26 million investment from Warburg Pincus. Neither has said yet exactly what you do to make launching a computer attack more expensive. I’m certainly eager to know more.

Those fears were theoretical for a while. If you could attack the industrial computers controlling nuclear centrifuges and make them explode, as happened in the case of Stuxnet, you could, in theory, use the same approach to attack industrial computers controlling critical infrastructure in the U.S. The only thing needed is knowledge about vulnerabilities lurking in those systems.

The bad news is that, as of yesterday, those vulnerabilities are no longer a theory. The good news is that the good guys found them first.

Yesterday, researchers for a volunteer program called Project Basecamp have discovered three vulnerabilities inside a common model of industrial computer known as a programmable logic controller (PLC). These PLCs basically sit between a regular computer running Windows and a big piece of industrial equipment — say, a pump or a generator or a nuclear centrifuge.

PLCs are part of a larger set of industrial computers known as Supervisory Control And Data Acquisition (SCADA) systems. Security research into SCADA systems has increased dramatically since the revelation of the Stuxnet worm in 2010.

The work was done by researchers at Digital Bond, a security research firm specializing in work on SCADA systems. What they built was a software module called “modiconstux,” which carries out a Stuxnet-like attack on a PLC device called a Modicon Quantum, made by Schneider Electric.

Borrowing techniques learned from the Stuxnet worm, modiconstux does two things: It downloads the current set of instructions the PLC is using — a set of programming commands known as “ladder logic” — giving the attacker the ability to understand what the PLC is doing day in and day out. This is key: If you’re going to hijack a PLC to make the machine it’s controlling explode, you have to first understand the process you’re going to sabotage.

The second thing that modiconstux does is upload new ladder logic. The classic example I think of in explaining this comes from the first public demonstrations of Stuxnet carried out by researchers at Symantec. In that case, a Siemens PLC had been programmed to blow up a balloon by instructing a pump to send a certain amount of air to the balloon and then stop. After being hijacked by Stuxnet, the logic was changed in such a way that the pump didn’t stop, and the balloon popped. Not very menacing, but if you use your imagination, you can see that popping balloon as a metaphor for a lot of very dangerous outcomes.

What’s even scarier than the outcome is the fact that the exploit works without any actual computer hacking having to take place beforehand. Dale Peterson, Digital Bond’s CEO, said the attack works because the PLC is insecure in the first place. There isn’t so much as a password required to download the existing ladder logic, nor to upload the altered ladder logic. And if that PLC is connected to the Internet in any way, it is wide open to attack.

The team also released two other vulnerabilities. One tells the same Scheider Electric PLC to stop, essentially freezing it in place until it can be reset. The third is a vulnerability for a type of PLC device made by General Electric.

The vulnerabilities have been released to the wider world through Metasploit, an open source vulnerability monitoring service that’s owned by Rapid7, a Cambridge, Mass-based company that specializes in helping companies stay ahead of new computer security vulnerabilities. Metasploit subscribers can download the exploit code and test it on their own systems, and demonstrate simulated attacks that in all likelihood will scare the heck out of their bosses.

It should also scare the heck out of legislators and policymakers who have talked incessantly about the need to prepare for a “cyberattack.” Chances are, the next time there’s a serious conflict, attacks carried out by way of a computer will be used to sabotage infrastructure, sow confusion, interfere with logistics and so on. Stuxnet proved what could be done, and what to that point had generally been considered only a theory.

Created by parties unknown — though the smart money says it was Israel, with some help from the U.S. — the Stuxnet worm burrowed its way into PLCs at an Iranian nuclear installation, made the centrifuges spin too fast, and caused some of them to explode. The Iranian nuclear enrichment program was thought to be set back by anywhere from one to two years.

Since then, researchers have been on the lookout for the next Stuxnet, assuming that a second worm would be easier to construct. They’ve also been studying the inherent weaknesses in SCADA systems like PLCs. What they’re finding should give us all pause.

At a meeting in Washington, the Senate Armed Services Subcommittee on Emerging Threats and Capabilities heard testimony from experts that, essentially summarized, goes like this: The attackers already have access to the systems, so rather than try to lock them out, it’s now a matter of managing them, now that they’re in. Just as in the real world, spies are going to get into the country whether you want them to or not. So, knowing that they’re there, it makes more sense to make their day-to-day spying activities as difficult and costly as you can. DOD security practices currently focus on trying to keep intruders out.

“I think we have to go to a model where we assume that the adversary is in our networks,” James Peery, director of the Information Systems Analysis Center at the Sandia National Lab, told legislators, as reported by Threatpost, a blog produced by security firm Kaspersky Labs. “They’re on our machines, and we’ve got to operate anyway. We have to protect the data anyway.”

The hearing echoed some things we’ve been hearing on the security front from the likes of Art Coviello, the EMC vice president and former CEO of RSA Security, who spoke to AllThingsD recently.

Current practice calls for perimeter-based defenses that aim to put a defensive ring around a network to keep intruders out. That thinking is out of date and in need of a significant rethink, the panelists said. It should be noted that most of the agencies represented at the hearing were doing what government executives usually do when they go before the U.S. Senate: Jockeying for more funding.

That is, except for one agency: Michael Wertheimer, director of research and development at the super-secret National Security Agency (NSA), an agency whose budget is classified to begin with, said that current levels are sufficient, but that money needs to be spent more wisely. Then again, the NSA just built a massive data center in the Utah desert, which didn’t exactly come cheap.

You can watch a video of the 81-minute hearing here.

It has been almost two years since the infamous and mysterious computer worm known as Stuxnet was first detected by a team of researchers in Belarus.

Opinions on this vary, but the worm that is said to have caused explosions at certain nuclear installations in Iran is thought to have set that country’s alleged nuclear energy and weapons ambitions back by as much as two years.

The fascination persists. Although no one has ever taken official responsibility for it — the leading suspects in its creation are Israel and the U.S., acting together or independently — Stuxnet is widely considered to have been the most successful and innovative weapon of digital warfare ever seen.

And though numerous media accounts have, with the help of anonymous sources, filled in some of the narrative around its development, the subject of the covert cyber campaign against the Iranian nuclear program has generally remained outside the attention envelope of mainstream TV audiences.

That will change Sunday night when CBS’s popular television news documentary show “60 Minutes” turns its attention on Stuxnet, and the concept of offensive cyberwar generally.

If you’re not familiar with the particulars of Stuxnet, here’s a brief explanation: It’s a sophisticated worm that experts say required several months and millions of dollars to design. Via long-since-patched vulnerabilities in Microsoft Windows, it is designed to burrow its way into specialized industrial computers called programmable logic controllers, made by the German industrial company Siemens. These PLCs sit between conventional computers and industrial machinery like factory equipment, generators and centrifuges used to create nuclear fuel. PLCs and systems like them are widely used and, in many cases, not well secured, in part because they were never designed to be connected to the Internet.

(I first wrote about it at my last job in 2010 in stories found here and here.)

The story goes that the worm was first introduced to Iran via infected flash drives that were dropped around the outside of certain targeted facilities. The worm was carefully programmed to target a specific installation and to remain inert until it found its target. When it did, it seized control of some 1,000 Iranian nuclear centrifuges at Natanz, about 200 miles south of Tehran. While displaying seemingly normal operating conditions to workers there, the centrifuges were forced to spin out of control and effectively destroy themselves.

In a preview video released today (embedded below), “60 Minutes” correspondent Steve Kroft appears to get a tour of the U.S. Cyber Command, the military nerve center for U.S. cyberwar operations. And, in what’s likely to be considered a not-so-subtle message in certain circles, as you see Kroft getting his tour, it’s hard not to notice the screen behind him. Plus, his host shows a Google Maps image of Iran with lots of orange dots on it.

The report, for which CBS presumably got a lot of cooperation from the Pentagon, comes not long after the Obama Administration officially declared cyberspace as a theater of war. That means, the military can conduct both defensive and offensive operations, and that an attack on certain computer systems by other countries or terrorists is essentially equivalent to an attack against U.S. territory, property and people.

It’s not the first time that “60 Minutes” has tackled the subject of cyberwar. In 2009, it first introduced TV viewers to the concept of using digital weapons to seize control of industrial infrastructure in order to sabotage it, including some once-classified footage of a test at the Idaho National Lab where a generator was destroyed using nothing more than computer code (although the same report contains references to a 2007 power outage in Brazil which Wired has said wasn’t caused by digital saboteurs after all, though CBS has said it stands by its reporting.) Aside from that, CBS’s older report serves as something of a lead-up to tomorrow’s story on Stuxnet.

It will be interesting to see if “60 Minutes” has unearthed anything new on Stuxnet that fills in more of the picture surrounding its development and use. Neither the U.S. nor Israel has ever acknowledged any involvement in its creation or use. But Israeli officials have occasionally been described as “breaking into broad smiles” when asked about the subject. It will also be interesting to see if the program asks any important questions about the state of cyberwar post-Stuxnet. It’s pretty safe to assume that other parties have learned as much as they can about how it was created and how another worm like it might be created again.

What’s impossible to guess is where the next target is.

Update: I added a link above to a Wired story that disputed some of CBS’s reporting on the 2007 Brazilian blackout. In short, Wired says the real cause of that blackout was poor maintenance and not an attack by hackers, although CBS has said it stands by its reporting on that subject.

Here’s the short preview of tomorrow’s “60 Minutes” report.

The North Atlantic Treaty Organization on Monday will collect bids from some of the world’s top defense companies, including Lockheed Martin Co. and Northrop Grumman Corp., to update and expand the alliance’s cybersecurity abilities.

The €32 million ($42 million) contract, although valued at less than the price of one fighter jet, holds great significance because it cements the alliance’s role in protecting cutting-edge infrastructure, say NATO officials.

“It’s a small amount of money but it’s technically ambitious,” said Suleyman Anil, head of NATO’s Cyber Defense Section, in an interview.

Read the rest of this post on the original site »

And these aren’t the kind of cyber attacks carried out by bumbling troublemakers like the LulzSec gang, which make headlines but really only cause a nuisance for companies like Sony. In these cases, networks were compromised by remote access tools — or RATs, as they’re known in the industry. These tools — and they are tools, because they have legitimate uses for system administrators — give someone the ability to access a computer from across the country or around the world. In this case, however, they were secretly placed on the target systems, hidden from the eyes of day-to-day users and administrators, and were used to rifle through confidential files for useful information. It’s not for nothing that McAfee is calling this Operation Shady RAT.

McAfee says the attacker was a “state actor,” though it declined to name it. I’ll give you three guesses who the leading candidate is, though you’ll probably need only one: China.

Dmitri Alperovitch, McAfee’s Vice President, Threat Research, makes a statement in his blog entry on the discovery that should give everyone minding a corporate or government network pause: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact.” He further divides the worldwide corporate landscape into two camps: Those who have been compromised and know it, and those who simply don’t know it yet.

This has been a particularly nasty year on the cyber security front. (I hate to say it, but I told you so.) Prior to this, the big attack whose full impact has not yet been fully sized up was the one against the RSA SecureID system, which uses popular keychain devices that create a constantly changing series of numbers that in turn create a second password for access to system resources. They’re widely used in government and military circles and among defense contractors. Google has been a regular target in recent years.

The RSA attack and Operation Shady RAT are examples, Alperovitch says, of an “Advanced Persistent Threat.” The phrase has come to be a buzzword that, loosely translated into English, means the worst kind of cyber attack you can imagine. Unlike the denial-of-service attacks and network intrusions carried out by LulzSec and its ilk, which require only minimal skill and marginal understanding of how networks and servers work, an APT is carried out by someone of very high skill who picks his targets carefully and sneaks inside them in a way that is difficult to detect, which allows access to the target system on an ongoing basis that may persist for years.

How did these attacks happen? Its very simple: Someone at the target organization received an email that looked legitimate, but which contained an attachment that wasn’t. This is called “spear phishing,” and it has become the weapon of choice for sophisticated cyber attackers. The attachments are not what they appear to be — Word documents or spreadsheets or other routine things — and contain programs that piggyback on the targeted user’s level of access to the network. These programs then download malware which gives the attackers further access. This all happens in an automated way, but soon after, live attackers log in to the system to dig through what they can find, copy what they can, and make a getaway — though they often leave the doors unlocked so they can come back for repeat visits.

Alperovitch notes — correctly, to my mind — that the phrase has been picked up and overused by the marketing departments of numerous security companies. His larger point is that too often those attacked in this way refuse to come forward and disclose what they’ve learned, thereby allowing the danger to continue for everyone else.

Alperovitch says that the data taken in Operation Shady RAT adds up to several petabytes worth of information. It’s not clear how it has been used. But, as he says, “If even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth.” It’s also bad for a target’s national security, because defense contractors dealing in sensitive military matters are often the targets. The best thing that can happen is that victims start talking about their attacks and sharing information with each other so that everyone can be ready for the next one, which is surely coming.