In an Age of Cyber War, Where Are the Cyber Weapons?
chicksdaddy writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons? Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea. But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'? Speaking at the recent S4 Conference, Ralph Langner, perhaps the world's top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn't count as cyber warfare. True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise. Stuxnet, he notes, made headlines for using four exploits for "zero day" (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran's centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."
Really? (Score:3, Interesting)
Haven't you been watching the news for the last six months?
Re:Really? (Score:5, Interesting)
MIT Tech Review, (of all organizations) should know that cyber weapons aren't loaded onto airplanes and dropped like bombs, nor do they make a big noise.
When you read the article they don't sound quite as clueless as the summary makes them out to be. Yet the comparison with nuclear weapons is one the article made right off the top.
They speculate that Stuxnet was an anomaly not likely to be repeated. But that is only because Stuxnet was intended to be stealth and un-traceable. It is hardly the platform you would expect for a WAR time attack.
Such weapons probably already exist, but since nobody with the cyber-weapon capability is actually at war with any other cyber target country, the weapons aren't being used. It's not like we used nuclear weapons on Iraq. It's not like the Syrian Electronic Army is much besides a bunch of script kiddies looking for weak spots.
To use Cyber weapons, (as opposed to stealth cyber sabotage) you pretty much have to be at war. No one is willing to start one just to test a weapon. You can use clean room labs for that, and you are not likely to invite the MIT Tech Review to watch.
Re: (Score:2)
Thursday - a weapon to take down gvt computers (Score:2)
The government's newest major computer system is healthcare.gov. What kind of weapon do you need to take down major, modern government computer systems? Apparently, Thursdays are sufficient to take down healthcare.gov.
Super advanced cyber weapons simply aren't needed. How many programmers who ended up working government jobs even know what a "SQL injection" is, much less how to prevent it? One small sample suggests only 20% of government programmers know what it is, and 10% use parameterized queries, le
Re: (Score:3)
As fast as the internet generations flash by, I hate to say it, but cyber weapons are still at the throw rocks, wave spears and scream cat calls level. Think of cyber weapons (for now anyway) more as PC based biological warfare.
We currently have limited vectors available. Stuxnet was sneakernet delivered to the systems it was designed to attack. It was essentially at the VD level of disease propagation. Yes it reached a large number of systems, but look at how many people end up with Syphilis and Gonorrhea
Re: (Score:2)
True, and from the disease perspective, a very apt example.
But instead of relying on the disease model, perhaps there is still a capability for attack more along the bullet model.
It's not inconceivable that a small bug could be found (or built) in every network chipset that just waits for that magic sequence of packets, and fries itself. You don't need to take out every PC, all you need to do is disable routers.
Is the US worried about having Chinese infrastructure components (routers and cellular equipment) l
Re: (Score:2)
I would point to 3com as an example of an instance of your magic bullet to the brain bug, though that bug did not 'fry the chip,' it simply introduced an error into the packet that caused any packet carrying a specific bit pattern to be discarded by the next ethernet adapter the packet traversed and was checksummed before doing any further handling. That bug caused a large number of problems as the symptom looked like there was random noise on the network, but was very repeatable. As a result, there are a re
Re: (Score:2)
It happened in the past with telephone exchanges. They had some self-maintenance code built in such that if one exchange detected a malfunction of some sort (account balances failing to match, line quality not good enough), it would send a fault message and a shutdown notice to its neighboring exchanges. But there was a little bug. The message's first hop was correct as it sent the ID of the originating exchange; the message relayed at the second and later hops was wrong because it sent the ID of the current exchange.
Re: (Score:1)
Heck, I've been wondering for years where all the corporate malware is? I mean, back when MSWord was fighting off Word Perfect, for instance (kids, ask your parents) I would have bet that one side or the other would have issued some worm or virus or something that would have had some subtle effect like making the other product take an extra 20 seconds opening a file. I didn't think it would be management, mind you, but I can't believe that none of the programming nuts on either side went rogue. Not to menti
Re: (Score:1)
Indeed, it's a question that only somebody who has his head up his ass could ask.
Cyberwar -- class war, and guess what, you're the victim. If you don't see this, enjoy your remotely controlled life.
Classified (Score:2, Interesting)
REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.
Re: (Score:3)
If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'?
Cisco gear is deployed in enterprise environments throughout the world.
Windows dominates most desktops and has a large foot print for servers.
The NSA has back-doors into all of them.
Re: (Score:2)
Re: (Score:2)
You have absolutely no proof of any NSA backdoors. The NSA doesn't really need any backdoors when they can waltz right in the front door using legal and not so legal warrants, social engineering attacks, and subtle and not so subtle coercion. Stuxnet was a specifically targeted attack that required expert knowledge of the SCADA configuration and centrifuge control systems. It required physically breaking into two companies to steal the signed certificates used in conjunction with the 0-day exploits used. A
Re: (Score:2)
You have absolutely no proof of any NSA backdoors.
Eat shit, how fucking naive can you be:
[NSA’s backdoor catalog exposed: Targets include Juniper, Cisco, Samsung, Huawei] http://gigaom.com/2013/12/29/n... [gigaom.com]
Re: (Score:2)
So there is a catalog containing high end network hacks that even includes pricing for the various hacks? Is the NSA actually marketing their super secret technology? That would sort of defeat the whole purpose of secret backdoors now wouldn't it. Have any of the listed hacks been proven to exist? I mean you have the exact details on the equipment so it seems it would be pretty straightforward for a knowledgeable computer or network security firm to prove the existence of these backdoors. You basically link
Re: (Score:2)
Cisco responded to the claim of a backdoor. They didn't acknowledge it but they didn't deny it either. What do you think that means?
Let me guess, you don't think the NSA is spying on citizens either because there is no evidence that meets your criteria.
Re: (Score:2)
I think it means CISCO wants to avoid the entire discussion so they are going with "no comment" strategy.
CISCO SVP John Stewart declared "As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security 'back doors' in our products." CISCO investigated the matter in detail and couldn't find the "backdoor" in their product but they did leave open the small possibility that a "backdoor"
Re: (Score:2)
REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.
Yes, the weaponization is built into every Intel processor, and probably most other processors and controllers. The weapons in cyber warfare start with the smart phones we point at our own heads and will shortly be the cars which can crash us into the next tree or fail to stop at the next busy intersection.
Re: (Score:2)
I fail to see the difference, then, between future cyber warfare and the ongoing carnage I see on the sidewalks and streets right now.
Re: (Score:2)
catalog of them (Score:1)
http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/
Seems we heard little of them because secrecy was maintained for quite a while and (shocker) it was the US building/using most of them.
Re: (Score:1)
Only the US has had a mole leak its list. Are you kidding yourself that Russia and China don't have their own?
Re: (Score:1)
China and Russia are certainly involved in cyber espionage, especially for state secrets or intellectual property. I was simply pointing out that the US is the main country talking about how we have to be worried about cyberwar and is also the main country using a vast arsenal of cyberweapons against most developed nations, including allies & neutrals.
This is both a nice irony and a potential explanation for why we know neither specifics of cyber weapons nor how to stop good ones.
LOIC? HOIC? (Score:3)
Backhoes? (Score:3, Informative)
Is there a doubt in anyone's mind?
Well that's obvious... (Score:2)
The cyberweapons are between your fskin' ears. Malware, virii, etc, are just the tools.
Re: (Score:2)
Not between everybody's ears... Polymorphic shell code was spreading in the 90s and since then the researcher has moved far beyond. Most recently a single binary blob which hooks into wildly different embedded operating systems and even architectures was presented openly to the public. The most frightening thing about this current situation is that the NSA turned out to be an industrial-scale bottom-feeder instead of at the forefront in the field. Their lack of sophistication must be why they have resorted
Re: (Score:2)
I found the weapon! [slashdot.org]
Metallurgical expertise? (Score:1)
Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them...
No, they didn't.
They just needed to have a rough idea, and make sure that they experienced forces well in excess of that figure.
Re: (Score:2)
Actually... the real cyberweapons are most likely in government storage; right by the WMDs.
I bet the NSA or FBI has all the decryption keys, required to activate most of them.
The president's nuclear football, probably now includes cyberweapon deployment, and internet shutdown codes.
Re: (Score:2)
I wonder how the world would react to a global internet shutdown.
It would cause immense economic and probably industrial damage. I wouldn't be surprised if it were treated as an act of war by many countries.
The weapons are on chips, firmware or in the OS! (Score:5, Informative)
The weapons are on chips, firmware or in the OS! Did you not read that catalog that the Snowden fella kindly leaked for us?
Ask Intel about iAMT and vPro. Ask China about Manchurian Microchips. Ask Microsoft about NSAKEY again, because if we didn't believe their lame excuses 10 years ago, we REALLY don't buy them today.
Sure, the NSA probably has a large virus arsenal too, but when you can issue a National Security Letter to MS or Apple or Google or Mozilla, or simply activate one of our many programmer agents in place (such as in the IETF or at MS or Google) and just put the exploits wherever you like, viruses start seeming pretty silly. Heck, even our geopolitical adversaries are using US-made cyber-weapons - ahem, I mean operating systems and applications.
Re: (Score:3)
Wow, parent god modded to -1 ...
http://cryptome.org/2014/01/nsa-codenames.htm [cryptome.org]
http://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html [spiegel.de]
http://www.wired.com/threatlevel/2013/12/nsa-hacking-catalogue/ [wired.com]
Re: (Score:1)
I received the Slashdot Death Penalty for making fun of Roblimo's video Slashvertisements a while back, and even if my comments get tons of positive karma they will eventually be god-modded down. Read at -1, people, that's where we Slashdot political prisoners are.
Re: (Score:2)
I received the Slashdot Death Penalty for ...
Well, I'm guessing it was more for things like-
Stallman is an ethnic Jew and I think we all know that sometimes Jewish folks are given to exaggeration and hyperbole. [slashdot.org]
But still, that's weird because I've made (arguably non credible) death threats against Hillary Clinton and jcr, and somehow I now have 2 accounts with excellent karma. I'd suggest watching, and abandoning your racial stereotyping and focus on the legitimate issue of the ultimate opposite of separation of church and state going on with Israel.
S
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
And how many times has malware started to take advantage of bugs that Microsoft just patched?
There are people who examine every change to find the backdoors that have been closed so they can attack them on unpatched machines. Do you think they'd ignore a backdoor that was just opened?
Here's where they are. (Score:5, Informative)
Where are the cyber weapons? Already deployed and awaiting activation. Undocumented errata in major CPUs which allow bypassing memory protection. Preset keys in network cards allowing remote administration. Undocumented admin passwords in network firmware. Code signing certs in the hands of intelligence agencies. That's where.
The internet: no place for critical infrastructure (Score:1)
Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster Unabridged Dictionary meaning of which is:
'[T]he act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue
First Cyber-Weapon? (Score:2)
Wouldn't the Morris Worm qualify as the first "cyber weapon"? Granted it was crude and uncontrollable, but I'd bet that the same could have been made for the Mark 1 Mod 0 Blunderbuss 500 years ago.
And I think that the power of a cyber-weapon would lie primarily in secrecy, like land mines; you don't know you're under attack until you've already taken considerable damage.
Re:First Cyber-Weapon? (Score:4, Informative)
Cybernetics? (Score:2)
There have been other since Stuxnet (Score:5, Informative)
All of those were used by governments. One was used for industrial sabotage; the other two to spy on people who were then assassinated. Are these not "cyber-weapons"? What makes them different from Stuxnet but the degree of press they received?
Same as usual (Score:1)
I'd tell you, but then I'd have to kill you.
Where else? (Score:3)
In the hands of the Cybermen, [wikipedia.org] of course.
There is no such thing as "cyber war" (Score:2)
Re: (Score:2)
Self weaponizing infrastructure. (Score:4, Interesting)
If we started building bunkers out of blocks of TNT, someone would rapidly figure out it was a bad idea.... but not so when it's abstracted several layers deep.
In conventional munitions, it's necessary to deliver an explosive to a target. Thanks to the Unix security model, with its lack of any notion of multi-level security, we've created an entire infrastructure that's ready to self-destruct at a moment's notice. The military went on to actually procure and use multi-level security in a number of cases, while the idea is perceived as impossible, or unnecessary in the civilian space.
All of our Linux, Mac OS, and Windows machines share the same brain dead security model. When you run code, you have to trust it not to be a virtual grenade, each and every time.
The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs.
The infrastructure IS the weapon, it's your job to change that over the next 20 years.... get crackin'
Re: (Score:2)
That's why the government wrote SELinux, which is a completely different approach to permissions than Drwxrwxrwt
and yes, there are other permission schemes in various UNIX implementations to include linux, besides traditional POSIX two byte permissions.
Re: (Score:2)
Access control lists are not adequate security, no matter how careful you are. You need the Bell-LaPadula or something like it that implements mandatory access controls to actually secure a system.
SELinux is an attempt to push a little bit towards a secure system, but it's not the real deal.
Re: (Score:2)
The infrastructure IS the weapon, it's your job to change that over the next 20 years.... get crackin'
We've already tried changing it for the past 20 years. The problem is that IT is largely commercial, and in the commercial world, "good enough" is enough. If it's not threatening the bottom line, then it's ok. And that's not limited to IT security. Physical security at most corporate headquarters is pathetic and only deters non-determined break-ins. It's trivial to get hired into a position with access to even sensitive areas (say, in the cleaning crew) with no background checks. And I could say something
Re: (Score:2)
Re: (Score:2)
As with most things, the proper balance and context matter.
When you're in the countryside or suburbs, leaving your door unlocked is probably cool. When you live in the center of a large city, less so.
In times of NSA... (Score:1)
To kill a centrifuge (Score:1)
cold cyber war - 100,000 attacks from China daily (Score:4, Interesting)
I'd guesstimate on average, we log about 50-100 attack attempts from Chinese IPs per server per day. Our sample size is only several thousand customer servers, but that's enough to get a rough idea of what's happening on the internet generally.
There IS cyber war going on, much like the Cold War. It's not on the news every day, but it's happening just as much as Reagan was trying to defeat the USSR. The weapons aren't that advanced most of the time simply because they don't need to be - the targets very cooperatively run PHP scripts written by kids with NO security training whatsoever. When your admin interface is open to brute force and SQL injection attacks, advanced weapons aren't needed. The secretary of state and chairman of the senate defense committee have the same unpatched Linksys router at home as any random person. How many high level bureaucrats have VoIP at home? VoIP "protected" by Netgear's firewall?
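The point made in this post and in the earlier one about government programmers and parameterized queries is easiest to see side by side. The following is an added example, not code from any poster or from the article; the table, the user names and the lookup functions are constructed for illustration. It runs against an in-memory SQLite database so no server is needed.

```python
import sqlite3

# Constructed sample data, not taken from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_unsafe(conn, name):
    """The 'kids with no security training' version: the caller-supplied
    value is spliced into the SQL text, so quote characters inside it
    become part of the query's structure instead of staying data."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """The parameterized version: the value is bound by the driver, so
    the database treats it purely as a string to compare against, no
    matter what characters it contains. The query text never changes."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# The textbook tautology input used in every SQL injection tutorial;
# constructed here only to show the difference between the two functions.
TAUTOLOGY = "' OR '1'='1"


def demo():
    """Run the same input through both lookups and report what each returns."""
    conn = make_db()
    return {
        # Query structure changed: the WHERE clause is now always true.
        "unsafe": find_user_unsafe(conn, TAUTOLOGY),
        # Same input bound as data: no user has that literal name.
        "safe": find_user_safe(conn, TAUTOLOGY),
        # Ordinary lookups keep working with the hardened version.
        "normal": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:>6}: {rows}")
```

The unsafe lookup returns every user for the tautology input because the input rewrote the query; the parameterized one returns nothing for it and still finds "alice" normally.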
why go through double firewalls unnecessarily (Score:3)
All available evidence suggests that the vast majority originate in China. That makes sense - it would be silly to go through the great firewall, twice, and slow yourself down by going around the world and back, when you could just as easily use a US zombie.
Great Firewall of china (Score:1)
Where are they? (Score:4, Interesting)
Sitting in some cyber arsenal, awaiting use. The problem with cyber attacks is that once discovered, they can be defended against. So from a tactical point of view, they are best kept in reserve until the case for their use is overwhelming.
As a part of Operation Orchard [wikipedia.org], it is theorized that Israel may have disabled Syrian air defense via back doors in their IT systems. If so, the existence of such back doors was revealed by a post mortem analysis and the holes in the systems plugged. So that would be a case of a one time use. It had better be worthwhile (and arguably, it was).
The cyber weapons in the hands of criminal organizations are best used in a very low key manner, so as not to attract attention and patches. Criminals are probably continuing to bleed some credit cards for $9.85 here and there, hoping to stay under the radar for as long as possible.
Overloading unprepared equipment isn't difficult. (Score:2)
" Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."
Mechanic with machinist training here. That's no big deal. Overloading a system by running it as hard as the drive motors allow will often break it as many machines aren't built with protective mechanical safeties such as simple wasp-waist shear points on driveshafts, shear pins, or mechanical governors.
It's easi
Re: (Score:2)
Overloading a system by running it as hard as ...
Not that I'm accusing Lennart Poettering of cyberwarfare, but a highly relevant anecdote is that when pulseaudio was first thrust upon me in fedora, I and many(?) others discovered that it was only software that was preventing our PC's audio out from being overdriven to the point of health and property risk. I discovered this as my volume, due to a bug, instantaneously jumped to 400% as I had my sony earbuds in listening to music. The result was excruciating ear pain for the duration of time (about half a s
Re: (Score:2)
Re: (Score:1)
cyber-physical damage (Score:1)
Where are the cyberweapons? (Score:1)
Iraq?