Wired has a very fascinating interview with Edward Snowden. You should go read the whole thing, among other things, for the swell picture of Snowden posing with Michael Hayden at some black tie event in 2011.
But I wanted to point to this incident.
One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn’t know that the US government was responsible. (This is the first time the claim has been revealed.)
Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.
Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”
I assume — but am not certain — this was the outage in question. If so, the response is instructive. At least 3 US-based Internet security firms reported that Syria had brought down the Internet. Were they making stuff up, unable to determine what really happened, or just repeating something US officials told them?
I’m just as interested that — just 6 months after David Sanger’s reporting on how the Israelis let StuxNet escape…
An error in the code, they said, had led it to spread to an engineer’s computer when it was hooked up to the centrifuges. When the engineer left Natanz and connected the computer to the Internet, the American- and Israeli-made bug failed to recognize that its environment had changed. It began replicating itself all around the world. Suddenly, the code was exposed, though its intent would not be clear, at least to ordinary computer users.
“We think there was a modification done by the Israelis,” one of the briefers told the president, “and we don’t know if we were part of that activity.”
NSA’s hackers joked they might hide a major fuck-up by blaming Israel.
I’m sure that’s all just a coinkydink, though.
[Update at end of article.—Rayne 6:45 pm EST]
Between 1030 and 0400 UTC last night or early morning, most of Russia’s GLONASS satellites reported “illegal” or “failure” status. As of this post, they do not appear to be back online.
GLONASS is Russia’s counterpart to GPS: a global navigation satellite system (GNSS) launched and operated by the Russian Aerospace Defense Forces (RADF). Apart from GPS, it is the only GNSS with global coverage.
It’s possible that the outage is related either to a new M-class solar storm — the start of which was reported about 48 hours ago — or to the recent X-class solar flare on March 29 at approximately 1700 UTC. The latter event caused a short-term radio blackout about one hour after the flare erupted.
But there is conjecture that GLONASS’ outage is human in origin and possibly deliberate. The absence of any reported outage news regarding GPS and other active satellite systems suggests this is quite possible, given the unlikelihood that technology used in GLONASS differs dramatically from that used in other satellite systems.
At least one observer mentioned that a monitoring system tripped at 21:00 UTC — 00:00 GLONASS system time. The odds of a natural event like a solar storm tripping a system at exactly the top of the hour are ridiculously slim, especially since radiation ejected from the new M-class storm may not reach its peak effect on earth for another 24-48 hours.
It’s not clear whether the new GLONASS-M satellite launched March 24th may factor into this situation. There are no English language reports indicating the new satellite was anything but successful upon its release, making it unlikely its integration into the GLONASS network caused today’s outage.
If the outage is based in human activity, the problem may have been caused by:
— an accidental disabling here on earth, though RADF most likely has redundancies to prevent such a large outage;
— deliberate tampering here on earth, though with RADF as operator this seems quite unlikely; or
— deliberate tampering in space, either through scripts sent from earth, or technology installed with inherent flaws.
The last is most likely, and of its two variants — scripts sent from earth, or flawed technology installed on board — the former is more likely to cause a widespread outage.
However, if many or all the core operating systems on board the GLONASS satellites had been updated within the last four years – after the discovery of Stuxnet in the wild – it’s not impossible that both hardware and software were compromised with an infection. Nor is it impossible that the same infection was triggered into aggressive action from earth.
Which begs the question: are we in the middle of a cyberwar in space?
UPDATE — 6:45 PM EST
Sources report the GLONASS satellite network was back online noon-ish Russian time (UTC+4); the outage lasted approximately 11 hours. Unnamed source(s) said the outage was due to the upload of bad ephemeris data, the information used by the satellites to locate other satellites in space. An alleged system-wide update with bad data suggests RADF has serious problems with change management, though.
There is speculation that the M-class solar storm, summarized at 1452 UTC as an “X-ray Event exceeded M5,” may have impacted GLONASS. However, early feedback about radiation ejected by an M-class storm indicated the effects would not reach earth for 24-48 hours after the storm’s eruption.
I freely admit to being the oddest of the quadruplets in the Emptywheel sensory deprivation pool, producing the quirky minority report from time to time.
Which may explain the following graphic with regard to current geopolitical tensions. As you can see, not every trending burp in the news about either Venezuela or Ukraine produced a corresponding bump in the fossil fuel market. Some trend-inducing news may have nothing at all to do with energy. It’s quite possible I may not have captured other key businesses, as some of them don’t trade publicly, or don’t trade in a manner readily captured by Google Finance.
But there are a few interesting relationships between news and price spikes, enough to make one wonder what other values may spike with increased volatility in places like Venezuela (which has the largest oil and natural gas reserves in the western hemisphere), and Ukraine (which lies between the EU and the largest natural gas deposits in the world, and the world’s eighth largest oil reserves).
Of course there’s an additional link between these two disparate countries. Both of them have already seen similar upheavals in which the U.S. played a role — Ukraine’s 2004 Orange Revolution, and the 2002 attempted coup in Venezuela.
When someone made noise about an Afghan Muslim being a key locus of the latest unrest in Ukraine, I couldn’t help but think of the Trans-Afghanistan Pipeline for natural gas which has yet to be realized, primarily for a lack of adequate political will among nation-states with a vested interest in its success.
It also made me think of news reports from this past summer when Turkmenistan, sitting on the fourth largest natural gas reserves in the world, expressed a readiness to export gas to Europe. This would cut into Russia’s sales, but not for a few years, requiring continuation of existing relationships for the next three to five years. Note the pipelines, existing and planned, on the following U.S. State Department map (date unclear, believed to be post-2006).*
Here are some excerpts from the Global Threats report pertaining to the cyber threat.
We assess that computer network exploitation and disruption activities such as denial-of-service attacks will continue.
… many countries are creating cyber defense institutions within their national security establishments. We estimate that several of these will likely be responsible for offensive cyber operations as well.
Critical infrastructure, particularly the Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems used in water management, oil and gas pipelines, electrical power distribution, and mass transit, provides an enticing target to malicious actors. Although newer architectures provide flexibility, functionality, and resilience, large segments of legacy architecture remain vulnerable to attack, which might cause significant economic or human impact.
It’s as if the intelligence community called up NSA and CyberCommand, asked what they had been working on, and then “assessed” that those targets presented threats going forward.
And while I expect that China commits what would be judged the largest number of hacks (in part because much of the information we take straight off the communications backbone, they would have to hack to obtain), the inclusion of SCADA in the list of vulnerabilities is particularly rich, considering we are believed to have pioneered that kind of attack with StuxNet.
Again, I’m not denying these other entities hack (the unclassified version of the report left off Israel and France, as unclassified versions tend to do). Just that we continue to exhibit no awareness that some part of this threat amounts to our genie blowing back in our face.
Playwright August Strindberg wrote, “…There are poisons that blind you, and poisons that open your eyes.”
We’ve been blinded for decades by complacency and stupidity, as well as our trust. Most Americans still naively believe that our government acts responsibly and effectively as a whole (though not necessarily its individual parts).
By effectively, I mean Americans believed their government would not deliberately launch a military attack that could affect civilians — including Americans — as collateral damage. Such a toll would be minimized substantively. Yesterday’s celebration related to the P5+1 interim agreement regarding Iran’s nuclear development program will lull most Americans into deeper complacency. The existing system worked, right?
But U.S. cyber warfare to date proves otherwise. The government has chosen to deliberately poison the digital waters so that all are contaminated, far beyond the intended initial target.
There’s very little chance of escaping the poison, either. The ubiquity of U.S. standards in hardware and software technology has ensured this. The entire framework — the stack of computing and communications from network to user applications — has been affected.
• Network: Communications pathways have been tapped, either to obtain specific content, or to obtain a mirror copy of all content traveling through them. It matters not whether the network is a telecom network or an internal enterprise network.
• Security Layer: Gatekeeping encryption has been undermined by backdoors and weakened standards, as have the security certificates that provide handshake validation.
• Operating Systems: Backdoors have been obtained, knowingly or unknowingly on the part of OS developers, using vulnerabilities and design flaws. Not even Linux can be trusted at this point (Linux progenitor Linus Torvalds has not been smart enough to offer a dead man’s switch notification.)
• User Applications: Malware has embedded itself in applications, knowingly or unknowingly on the part of app developers.
End-to-end, top-to-bottom and back again, everything digital has been touched in one layer of the framework or another, under the guise of defending us against terrorism and cyber warfare.
Further, the government watchdogs entrusted to prevent or repair damage have become part and parcel of the problem, in such a way that they cannot effectively be seen to defend the public’s interests, whether those of individual citizens or corporations. The National Institute of Standards and Technology has overseen the establishment and implementation of weak encryption standards for example; it has also taken testimony [PDF] from computing and communications framework hardware and software providers, in essence hearing where the continued weak spots will be for future compromise.
The fox is watching the hen house, in other words, asking for testimony pointing out the weakest patches installed on the hen house door.
The dispersion of cyber poison was restricted only in the most cursory fashion.
• Stuxnet’s key target appears to have been Iran’s Natanz nuclear facility, aiming at its SCADA equipment, but it spread far beyond and into the private sector as disclosed by Chevron. The only protection against it is the specificity of its end target, rendering the rest of the malware injected but inert. It’s still out there.
• Duqu, a “sibling” cyber weapon, was intended for widespread distribution, its aims two-fold. It delivered attack payload capability, but it also delivered espionage capability.
• Ditto for Flame, yet another “sibling” cyber weapon, likewise intended for widespread distribution, with attack payload and espionage capability.
There could be more than these, waiting yet to be discovered.
In the case of both Duqu and Flame, there is a command-and-control network of servers still in operation, still communicating with instances of these two malware cyber weapons. The servers’ locations are global — yet another indicator of the planners’/developers’ intention that these weapons be dispersed widely.
Poison everything, everywhere.
But our eyes are open now. We can see the poisoners’ fingerprints on the work they’ve done, and the work they intend to do.
Over the last handful of days breathless reports may have crossed your media streams about Stuxnet infecting the International Space Station.
The reports were conflations or misinterpretations of cybersecurity expert Eugene Kaspersky’s recent comments before the Australian Press Club in Canberra. Here’s an excerpt from his remarks, which you can enjoy in full in the video embedded above:
[26:03] “…[government] departments which are responsible for the national security for national defense, they’re scared to death. They don’t know what to do. They do understand the scenarios. They do understand it is possible to shut down power plants, power grids, space stations. They don’t know what to do. Uh, departments which are responsible for offense, they see it as an opportunity. They don’t understand that in cyberspace, everything you do is [a] boomerang. It will get back to you.
[26:39] Stuxnet, which was, I don’t know, if you believe American media, it was written, it was developed by American and Israel secret services, Stuxnet, against Iran to damage Iranian nuclear program. How many computers, how many enterprises were hit by Stuxnet in the United States, do you know? I don’t know, but many.
Last year for example, Chevron, they agreed that they were badly infected by Stuxnet. A friend of mine, work in Russian nuclear power plant, once during this Stuxnet time, sent a message that their nuclear plant network, which is disconnected from the internet, in Russia there’s all that this [cutting gestures, garbled], so the man sent the message that their internal network is badly infected with Stuxnet.
[27:50] Unfortunately these people who are responsible for offensive technologies, they recognize cyber weapons as an opportunity. And a third category of the politicians of the government, they don’t care. So there are three types of people: scared to death, opportunity, don’t care.”
He didn’t actually say the ISS was infected with Stuxnet; he only suggested it’s possible Stuxnet could infect devices on board. Malware infection has happened before when a Russian astronaut brought an infected device used on WinXP machines with her to the station.
But the Chevron example is accurate, and we’ll have to take the anecdote about a Russian nuclear power plant as fact. We don’t know how many facilities here in the U.S. or abroad have been infected and negatively impacted as only Chevron to date has openly admitted exposure. It’s not a stretch to assume Stuxnet could exist in every manner of facility using SCADA equipment combined with Windows PCs; even the air-gapped Russian nuclear plant, cut off from the internet as Kaspersky indicates, was infected.
The only thing that may have kept Stuxnet from inflicting damage upon infection is the specificity of the encrypted payload contained in the versions released in order to take out Iran’s Natanz nuclear facility. Were the payload(s) injected with modified code to adapt to their host environs, there surely would have been more obvious enterprise disruptions.
In other words, Stuxnet remains a ticking time bomb threatening energy and manufacturing production at a minimum, and other systems like those of the ISS at worst case.
Admittedly, Keith Alexander made things very easy on himself in this article on “Defending America in Cyberspace” by not mentioning the way DOD (or our ally, Israel) let StuxNet go free, not only exposing the attack on Iran, but also providing a map and code that others can use on us.
That reckless mistake and its potential consequences remain unmentioned, however, in the piece in which Alexander claims that his team has found and is implementing the magic formula for defending the country in cyberspace.
We have learned through two decades of trial and error that operationalizing our cyberdefenses by linking them to intelligence and information-assurance capabilities is not only the best but also the only viable response to growing threats.
We know how to defend the country, Alexander says. It involves creating security holes, then using them to find out who will attack us, all while living on the network and watching what private citizens are also doing.
But then Alexander utterly contradicts the claim that his team has found the successful formula by describing the sheer scale of successful attacks against the US, suggesting it rivals the plunder of the Mongols and the colonies (though curiously, not slavery).
Three times over the previous millennium, military revolutions allowed forces to conquer huge territories and forcibly transfer riches from losers to winners (namely, in the Mongol conquests of China, Russia and Baghdad; the Spanish conquests of the Americas; and the European empires in the nineteenth century). Remote cyberexploitation now facilitates the systematic pillaging of a rival state without military conquest and the ruin of the losing power. We have seen a staggering list of intrusions into major corporations in our communications, financial, information-technology, defense and natural-resource sectors. The intellectual property exfiltrated to date can be counted in the tens to hundreds of thousands of terabytes. We are witnessing another great shift of wealth by means of cybertheft, and this blunts our technological and innovative edge. Yet we can neither prevent major attacks nor stop wholesale theft of intellectual capital because we rely on architecture built for availability, functionality and ease of use—with security bolted on as an afterthought.
This repeats a claim he and others have made before, though after having been proven wrong about past claims about the scale of financial wealth transfer, he seems to have shifted to measuring the plunder that has occurred on his watch in terabytes, not dollars. Our country — which he has served in a key defense role for 8 years — has been plundered like a colony (I don’t buy this, mind you — I find the analogy downright offensive. But it is the argument he’s making).
In much of the rest of his paper, Alexander explains his future plans, which we should follow, he tells us, because he has been so successful that our country has been plundered like a colony.
I wonder. Might the most sane response to this paper be to, at a minimum, question what success looks like? At a minimum, might we discuss publicly some alternatives? And if being plundered like a colony is not our goal, perhaps we should consider whether what Alexander presents as the “only viable response” really is?
Less than 10 days ago, Keith Alexander admitted to Patrick Leahy that the single solitary case in which the phone dragnet proved critical was that of Basaaly Moalin. But that was not an attack. Rather, it was an effort to send money to al-Shabaab (and others) because they were protecting Somalia against a US backed Ethiopian invasion.
And yet two crack “journalists” used this as the lead of their “interview” with Alexander with not a hint of pushback.
The director of the National Security Agency, Gen. Keith B. Alexander, said in an interview that to prevent terrorist attacks he saw no effective alternative to the N.S.A.’s bulk collection of telephone and other electronic metadata from Americans.
The phone dragnet has never — never! — been more than one tool in preventing any attack, and yet Alexander gets to imply, unchallenged, it is critical going forward.
Instead of actual reporting, we get platitudes like this.
General Alexander was by turns folksy and firm in the interview. But he was unapologetic about the agency’s strict culture of secrecy and unabashed in describing its importance to defending the nation.
That culture is embodied by two installations that greet visitors to Fort Meade. One is a wall to honor N.S.A. personnel killed on overseas missions. The other is a tribute to the Enigma program, the code-breaking success that helped speed the end of World War II and led to the creation of the N.S.A. The intelligence community kept Enigma secret for three decades.
The only thing remotely resembling a challenge came when these “reporters” note that Alexander’s claim to have willingly shut down the Internet metadata program (which the NSA has largely kept secret, in spite of its having been disclosed) ignores NSA’s earlier claims that it (like the phone dragnet now, purportedly) was critical.
But he said the agency had not told its story well. As an example, he said, the agency itself killed a program in 2011 that collected the metadata of about 1 percent of all of the e-mails sent in the United States. “We terminated it,” he said. “It was not operationally relevant to what we needed.”
However, until it was killed, the N.S.A. had repeatedly defended that program as vital in reports to Congress.
The rest consists of more of the same kind of rebuttal by redefinition. The claim that NSA shares data with Israel is wrong, this “journalism” says, because “the probability of American content in the shared data was extremely small” (which of course says nothing about the way it would violate minimization procedures in any case). The claim that NSA launched 200 offensive cyberattacks in 2011 is wrong because many of those were actually other “electronic missions.” Besides, Alexander claims,
“I see no reason to use offensive tools unless you’re defending the country or in a state of war, or you want to achieve some really important thing for the good of the nation and others,” he said. [my link, for shits and giggles]
We are not now nor were we in 2006 when StuxNet started “in a state of war” with Iran, so how credible are any of these claims?
Mostly though, this appears to be an attempt, four months after highlighting the importance of PRISM against cyberattacks but then going utterly silent about that function, to reassert the importance of NSA’s hacking to prevent hacking.
Even there, though, Alexander presented dubious claims that got no challenge.
General Alexander said that confronting what he called the two biggest threats facing the United States — terrorism and cyberattacks — would require the application of expanded computer monitoring. In both cases, he said, he was open to much of that work being done by private industry, which he said could be more efficient than government.
In fact, he said, a direct government role in filtering Internet traffic into the United States, in an effort to stop destructive attacks on Wall Street, American banks and the theft of intellectual property, would be inefficient and ineffective.
“I think it leads people to the wrong conclusion, that we’re reading their e-mails and trying to listen to their phone calls,” he said.
The NSA already is filtering Internet traffic into the United States (and also searching on and reading incidentally collected Internet traffic without a warrant) under Section 702 certificates supporting counterterrorism, counterproliferation and … cyberattacks.
But nosiree, Alexander can’t envision doing what he’s already doing — and had been doing in a way that violated statute and the Fourth Amendment for three years already by 2011 — in the name of protecting the banksters who’ve gutted our economy. Only all of that — including the retention of US person data in the name of protecting property (presumably including intellectual property) — is baked right into the NSA’s minimization procedures.
And that bit about violating Section 702 and the Fourth Amendment for over three years with a practice that was also baked into NSA’s minimization procedures? Here’s the claim the NYT’s crack journalists allow Alexander to end this charade with.
“We followed the law, we follow our policies, we self-report, we identify problems, we fix them,” he said. “And I think we do a great job, and we do, I think, more to protect people’s civil liberties and privacy than they’ll ever know.”
In the United States, it is usually a safe bet to attribute massive government fuck-ups to the bloated contractors we’ve outsourced our projects to.
And the electrical problems plaguing NSA’s new UT data center — described as lightning in a box that has caused $100,000 of damage each of the 10 times it has happened — do seem to stem from poorly supervised contractors.
The Army Corps of Engineers is overseeing the data center’s construction. Chief of Construction Operations, Norbert Suter said, “the cause of the electrical issues was identified by the team, and is currently being corrected by the contractor.” He said the Corps would ensure the center is “completely reliable” before handing it over to the NSA.
But another government assessment concluded the contractor’s proposed solutions fall short and the causes of eight of the failures haven’t been conclusively determined. “We did not find any indication that the proposed equipment modification measures will be effective in preventing future incidents,” said a report last week by special investigators from the Army Corps of Engineers known as a Tiger Team.
It took six months for investigators to determine the causes of two of the failures. In the months that followed, the contractors employed more than 30 independent experts that conducted 160 tests over 50,000 man-hours, according to project documents.
Contractors have started installing devices that insulate the power system from a failure and would reduce damage to the electrical machinery. But the fix wouldn’t prevent the failures, according to project documents and current and former officials.
Now, don’t pee your pants laughing.
But I did have two thoughts as I read this.
First, this extended confusion sounds similar to that which Iranian nuclear scientists experienced as they tried to figure out why their centrifuges kept blowing up, thanks to StuxNet. While I think the chances some kind of hack caused this are small (but not zero), I do find it ironic that we cause ourselves the same kind of havoc we cause our worst enemies.
And consider the mission!
Back in February, Keith Alexander warned of the possibility of cyberattacks on our grid (which, anonymous sources made clear, could probably only be launched by China or Russia, but that didn’t stop Alexander from suggesting Anonymous might launch such attacks). The NSA needs more authority to protect against attacks that might bring down our power sources, the head of the NSA suggested.
But the entity that proposes to wield that authority, it seems, can’t even build a brand spanking new electrical system immune from some kind of failure.
A friendly handshake is offered;
Names are swapped after entry;
The entrant delivers a present;
The present is unboxed with a secret key…
And * BOOM *
This is cyber weapon Stuxnet’s operations sequence. At two points in the sequence its identity is masked — at the initial step, when identity is faked by a certificate, and at the third step, when the contents are revealed as something other than expected.
The toxic payload is encrypted and cannot be read until after the handshake and the name swap; it is decrypted only once it is already deep inside the computer.
In the wake of the co-reported story on the National Security Agency’s efforts to crack computer and network encryption systems, the NSA claims they are only doing what they must to protect the country from terrorists, criminals, and cyber attacks generated by individuals, groups, and nation-state actors.
Defense, though, is but one side of the NSA’s sword; it has two lethal edges.
While use of encryption tools may prevent unauthorized access to communications, or allow malicious code to be blocked, the same tools can be used to obstruct legitimate users or shut down entire communications systems.
Encryption APIs (e.g., Microsoft CryptoAPI, embedded in Windows operating systems) are often used by higher-level applications — for example, the random number generator within the API that creates unique keys for access can also be used to create random names or select random event outcomes like a roll of the dice.
In Stuxnet alone we have evidence of encryption-decryption used as cyber warfare, the application planned/written/supported in some way by our own government. This use was Pandora’s Box opened without real forethought to the long-term repercussions, including unintended consequences.
We know with certainty that the repercussions weren’t fully considered, given the idiocy with which members of Congress have bewailed leaks about Stuxnet, in spite of the fact the weapon uncloaked itself and pointed fingers in doing so.
One of the unconsidered/ignored/unintended consequences of using weaponry requiring encryption-decryption is that the blade can cut in the other direction.
Imagine someone within the intelligence community “detonating” a cyber weapon built in the very same fashion as Stuxnet.
A knock at the door with a handshake;
Door open, package shoved in, treated as expected goods;
Encrypted content decrypted.
And then every single desktop computer, laptop, netbook, tablet, and smartphone relying on the same standardized, industry-wide encryption tools “detonates,” obstructing all useful information activities from personal and business work to telecommunications.