Forgot your password?
typodupeerror
Security The Military

In an Age of Cyber War, Where Are the Cyber Weapons? 94

Posted by Soulskill
from the left-them-in-my-other-cyber-pants dept.
chicksdaddy writes "MIT Tech Review has an interesting piece that asks an obvious, but intriguing question: if we're living in an age of cyber warfare, where are all the cyber weapons? Like the dawn of the nuclear age that started with the bombs over Hiroshima and Nagasaki, the use of the Stuxnet worm reportedly launched a global cyber arms race involving everyone from Syria to Iran and North Korea. But almost four years after it was first publicly identified, Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed. Experts in securing critical infrastructure including industrial control systems are wondering why. If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'? Speaking at the recent S4 Conference, Ralph Langner, perhaps the world's top authority on the Stuxnet worm, argues that the mere hacking of critical systems is just a kind of 'hooliganism' that doesn't count as cyber warfare. True cyber weapons capable of inflicting cyber-physical damage require extraordinary expertise. Stuxnet, he notes, made headlines for using four exploits for "zero day" (or previously undiscovered) holes in the Windows operating system. Far more impressive was the metallurgic expertise needed to understand the construction of Iran's centrifuges. Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."
This discussion has been archived. No new comments can be posted.

In an Age of Cyber War, Where Are the Cyber Weapons?

Comments Filter:
  • Really? (Score:3, Interesting)

    by Anonymous Coward on Saturday February 01, 2014 @05:02PM (#46130063)

    Haven't you been watching the news for the last six months?

    • Re:Really? (Score:5, Interesting)

      by icebike (68054) on Saturday February 01, 2014 @05:39PM (#46130241)

      MIT Tech Review, (of all organizations) should know that cyber weapons aren't loaded onto airplanes and dropped like bombs, nor do they make a big noise.

      When you read the article they don't sound quite as clueless as the summary makes them out to be. Yet the comparison with nuclear weapons is one the article made right off the top.

      They speculate that Stuxnet was an anomaly not likely to be repeated. But that is only because Stuxnet was intended to be stealth and un-traceable. It is hardly the platform you would expect for a WAR time attack.

      Such weapons probably already exist, but since nobody with the cyber-weapon capability is actually at war with any other cyber target country, the weapons aren't being used. Its not like we used nuclear weapons on Iraq. Its not like the Syrian Electronic Army is much besides a bunch of script kiddies looking for weak spots.

      To use Cyber weapons, (as opposed to stealth cyber sabotage) you pretty much have to be at war. No one is willing to start one just to test a weapon. You can use clean room labs for that, and you are not likely to invite the MIT Tech Review to watch.

      • by gmuslera (3436)
        Knowing how much damage people do misusing current normal systems, you really need weapons when you can intrude everywhere and be attributed to someone's else stupidity ?
      • The government's newest major computer system is healthcare.gov. What kind of weapon you need to take down major, modern government computer systems ? Apparently, Thursdays are you sufficient to take down healthcare.gov.

        Super advanced cyber weapons simply aren't needed. How many programmers who ended up working government jobs even know what a "SQL injection" is, much less how to prevent it? One small sample suggests only 20% of government programmers know what it is, and 10% use parameterized queries, le

      • by rusty0101 (565565)

        As fast as the internet generations flash by, I hate to say it, but cyber weapons are still at the throw rocks, wave spears and scream cat calls level. Think of cyber weapons (for now anyway) more as PC based biological warfare.

        We currently have limited vectors available. Stuxnet was sneakernet delivered to the systems it was designed to attack. It was essentially at the VD level of disease propagation. Yes it reached a large number of systems, but look at how many people end up with Syphilis and Gonorrhea

        • by icebike (68054)

          True, and from the disease perspective, a very apt example.

          But instead of relying on the disease model, perhaps there is still a capability for attack more along the bullet model.

          Its not inconceivable that a small bug could be found (or built) in every network chipset that just waits for that magic sequence of packets, and fries itself. You don't need to take out every PC, all you need to do is disable routers.

          Is the US worry about having Chinese infrastructure components (routers and cellular equipment) l

          • by rusty0101 (565565)

            I would point to 3com as an exaple of an instance of your magic bullet to the brain bug, though that bug did not 'fry the chip,' it simply introduced an error into the packet that caused any packet carrying a specific bit pattern to be discarded by the next ethernet adapter the packet traversed and was checksummed before doing any further handling. That bug caused a large number of problems as the symptom looked like there was random noise on the network, but was very repeatable. As a result, there are a re

            • by mikael (484)

              It happened in the past with telephone exchanges. They had some self-maintenance code built in such that if one exchange detected a malfunction of some sort (accounts balance fail to match, line quality not good enough), it would send a fault message and a shutdown notice to it's neighboring exchanges. But there was a little bug. The message first hop was correct as it sent the ID of the originating exchange, the message relayed second and later hops was wrong because it sent the ID of the current exchange.

      • by gzuckier (1155781)

        Heck, I've been wondering for years where are all the corporate malware? I mean, back when MSWord was fighting of Word Perfect, for instance (kids, ask your parents) I would have bet that one side or the other would have issued some worn or virus or something that would have had some subtle effect like making the other product take an extra 20 seconds opening a file. I didn't think it would be management, mind you, but I can't believe that none of the programming nuts on either side went rogue. Not to menti

    • Indeed, it's a question that only somebody who has his head up his ass could ask.
      Cyberwar -- class war, and guess what, you're the victim. If you don't see this, enjoy
      your remotely controlled life.

  • Classified (Score:2, Interesting)

    by Anonymous Coward

    REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.

    • by NFN_NLN (633283)

      If Stuxnet was the world's cyber 'Little Boy,' where is the 'Fat Man'?

      Cisco gear is deployed in enterprise environments throughout the world.
      Windows dominates most desktops and has a large foot print for servers.

      The NSA has back-doors into all of them.

      • by mjwalshe (1680392)
        the U2, and Blackbird maybe
      • You have absolutely no proof of any NSA backdoors. The NSA doesn't really need any backdoors when they can waltz right in the front door using legal and not so legal warrants, social engineering attacks, and subtle and not so subtle coercion. Stuxnext was a specifically targeted attack that required expert knowledge of the SCADA configuration and centrifuge control systems. It required physically breaking into two companies to steal the signed certificates used in conjunction with the 0-day exploits used. A

        • by NFN_NLN (633283)

          You have absolutely no proof of any NSA backdoors.

          Eat shit, how fucking naive can you be:
          [NSA’s backdoor catalog exposed: Targets include Juniper, Cisco, Samsung, Huawei] http://gigaom.com/2013/12/29/n... [gigaom.com]

          • So there is a catalog containing high end network hacks that even includes pricing for the various hacks? Is the NSA actually marketing their super secret technology? That would sort of defeat the whole purpose of secret backdoors now wouldn't it. Have any of the listed hacks been proven to exist? I mean you have the exact details on the equipment so it seems it would be pretty strait forward for a knowledgeable computer or network security firm to prove the existence of these backdoors. You basically link

            • by NFN_NLN (633283)

              Cisco responded to the claim of a backdoor. They didn't acknowledge it but they didn't deny it either. What do you think that means?
              Let me guess, you don't think the NSA is spying on citizens either because there is no evidence that meets your criteria.

              • I think it means CISCO wants to avoid the entire discussion so they are going with "no comment" strategy.

                CISCO SVP John Stewart declared "As we have stated prior, and communicated to Der Spiegel, we do not work with any government to weaken our products for exploitation, nor to implement any so-called security âback doorsâ(TM) in our products," CISCO investigated the matter in detail and couldn't find the "backdoor" in their product but they did leave open the small possibility that a "backdoor"

    • by mrbluze (1034940)

      REALLY stupid question. It is not like they are going to wave them about for everyone to see. They most likely exist.

      Yes, the weaponization is built into every Intel processor, and probably most other processors and controllers. The weapons in cyber warfare start with the smart phones we point at our own heads and will shortly be the cars which can crash us into the next tree or fail to stop at the next busy intersection.

      • I fail to see the difference, then, between future cyber warfare and the ongoing carnage I see on the sidewalks and streets right now.

    • Not only do they exist but they're almost assuredly being used right now. It's just that the virus writers are the best (CIA / NSA) money can buy so their work remains anonymous.
  • by Anonymous Coward

    http://leaksource.wordpress.com/2013/12/30/nsas-ant-division-catalog-of-exploits-for-nearly-every-major-software-hardware-firmware/

    Seems we heard little of them because secrecy was maintained for quite a while and (shocker) it was the US building/using most of them.

    • by Anonymous Coward

      Only the US has had a mole leak its list. Are you kidding yourself that Russia and China don't have their own?

      • by Kishin (2859885)

        China and Russia are certainly involved in cyber espionage, especially for state secrets or intellectual property. I was simply pointing out that the US is the main country talking about how we have to be worried about cyberwar and is also the main country using a vast arsenal of cyberweapons against most developed nations, including allies & neutrals.

        This is both a nice irony and a potential explanation for why we know neither specifics of cyber weapons nor how to stop good ones.

  • by ganjadude (952775) on Saturday February 01, 2014 @05:08PM (#46130099) Homepage
    We have E-cannons already, skript kiddies have been using them for years now.
  • Backhoes? (Score:3, Informative)

    by TheVillageIdiot (137836) <<ten.tenkcirderf> <ta> <ttam>> on Saturday February 01, 2014 @05:09PM (#46130101) Homepage

    Is there a doubt in anyone's mind?

  • The cyberweapons are between your fskin' ears. Malware, virii, etc, are just the tools.

    • Not between everybody's ears... Polymorphic shell code was spreading in the 90s and since then the researcher has moved far beyond. Most recently a single binary blob which hooks into wildly different embedded operating systems and even architectures was presented openly to the public. The most frightening thing about this current situation is that the NSA turned out to be an industrial-scale bottom-feeder instead of at the forefront in the field. Their lack of sophistication must be why they have resorted

    • by Tablizer (95088)

      I found the weapon! [slashdot.org]

  • Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them...

    No, they didn't.

    They just needed to have a rough idea, and make sure that they experienced forces well in excess of that figure.

  • by RocketRabbit (830691) on Saturday February 01, 2014 @05:19PM (#46130147)

    The weapons are on chips, firmware or in the OS! Did you not read that catalog that the Snowden fella kindly leaked for us?

    Ask Intel about iAMT and vPro. Ask China about Manchurian Microchips. Ask Microsoft about NSAKEY again, because if we didn't believe their lame excuses 10 years ago, we REALLY don't buy them today.

    Sure, the NSA probably has a large virus arsenal too, but when you can issue a National Security Letter to MS or Apple or Google or Mozilla, or simply activate one of our many programmer agents in place (such as in the IETF or at MS or Google) and just put the exploits wherever you like, viruses start seeming pretty silly. Heck, even our geopolitical adversaries are using US-made cyber-weapons - ahem, I mean operating systems and applications.

  • by Animats (122034) on Saturday February 01, 2014 @05:23PM (#46130161) Homepage

    Where are the cyber weapons? Already deployed and awaiting activation. Undocumented errata in major CPUs which allow bypassing memory protection. Preset keys in network cards allowing remote administration. Undocumented admin passwords in network firmware. Code signing certs in the hands of intelligence agencies. That's where.

  • "What is Critical? To what degree is critical defined as a matter of principle, and to what degree is it defined operationally? I am distinguishing what we say from what we do.

    Mainstream media love to turn a spotlight on anything they can label “hypocrisy,” the Merriam-Webster Unabridged Dictionary meaning of which is:

    '[T]he act or practice of pretending to be what one is not or to have principles or beliefs that one does not have, especially the false assumption of an appearance of virtue
  • Wouldn't the Morris Worm qualify as the first "cyber weapon"? Granted it was crude and uncontrollable, but I'd bet that the same could have been made for the Mark 1 Mod 0 Blunderbuss 500 years ago.

    And I think that the power of a cyber-weapon would lie primarily in secrecy, like land mines; you don't know you're under attack until you've already taken considerable damage.

  • In a cyber war, where are all the cybernetics? What even makes it "cyber"?
  • by seibai (1805884) on Saturday February 01, 2014 @06:18PM (#46130411)
    Stuxnet was in 2010. Since then we have at the very least:
    1. 1. Duqu in 2011 [wikipedia.org]
    2. 2. Finfisher in 2011 [wikipedia.org]
    3. 3. Flame in 2012 [wikipedia.org]

    All of those were used by governments. One was used for industrial sabotage; the other two to spy on people who were then assassinated. Are these not "cyber-weapons"? What makes them different from Stuxnet but the degree of press they received?

  • I'd tell you, but then I'd have to kill you.

  • by Chris Mattern (191822) on Saturday February 01, 2014 @06:33PM (#46130485)

    In the hands of the Cybermen, [wikipedia.org] of course.

  • Nor are there any such things as "cyber weapons". Whatever an ever-hype-producing press may want to sell to us. Whatever successive US governments, spending money they don't have, may want us to fear. The things simply don't exist.
    • Knowledge is the most powerful weapon in any contest. Read up on Alan Turing and the enigma machine and how it sank the U-boat fleet and was later used to set up the naval ambush at Midway island. But most of this spook stuff that's been going on since the end of WW2 is about the "five eyes" gathering and sharing industrial espionage from supposedly friendly democratic nations such as Germany and Indonesia.
  • by ka9dgx (72702) on Saturday February 01, 2014 @06:49PM (#46130563) Homepage Journal

    If we started building bunkers out of blocks of TNT, someone would rapidly figure out it was a bad idea.... but not so when it's abstracted several layers deep.

    In conventional munitions, it's necessary to deliver an explosive to a target. Thanks to the Unix security model, with its lack of any notion of multi-level security, we've created an entire infrastructure that's ready to self-destruct at a moment's notice. The military went on to actually procure and use multi-level security in a number of cases, while the idea is perceived as impossible, or unnecessary in the civilian space.

    All of our Linux, Mac OS, and Windows machines share the same brain dead security model. When you run code, you have to trust it not to be a virtual grenade, each and every time.

    The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs.

    The infrastructure IS the weapon, its your job to change that over the next 20 years.... get crackin'

    • thats why the government wrote SELinux, which is a completely diffrent approach to permissions than Drwxrwxrwt

      and yes, there are other permission schemes in various UNIX implementations to include linux, besides traditional POSIX two byte permissions.

      • by ka9dgx (72702)

        Access control lists are not adequate security, no matter how careful you are. You need the Bell-LaPadula or something like it that implements mandatory access controls to actually secure a system.

        SELinux is an attempt to push a little bit towards a secure system, but it's not the real deal.

    • by Tom (822)

      The infrastructure IS the weapon, its your job to change that over the next 20 years.... get crackin'

      We've already tried changing it for the past 20 years. The problem is that IT is largely commercial, and in the commercial world, "good enough" is enough. If it's not threatening the bottom line, then it's ok. And that's not limited to IT security. Physical security at most corporate headquarters is pathetic and only detracts non-determined break-ins. It's trivial to get hired into a position with access to even sensitive areas (say, in the cleaning crew) with no background checks. And I could say something

      • Security at my home tonight is lax, it's 11pm, both doors are wide open and there's a nice breeze coming through after a hot Aussie day, most of the day tourists have left the nearby beach. Security is just another word for distrust, and I generally trust my countrymen not to sneak in while I'm napping on the couch. Re sig below: more security may save your life, but more trust may make it worth something.
        • by Tom (822)

          As with most things, the proper balance and context matter.

          When you're in the countryside or suburbs, leaving your door unlocked is probably cool. When you live in the center of a large city, less so.

  • ... they don't need a cyber weapon, as they can use the law to enforce any american company responsible for the major OS players to give them everythink they need.
  • You just need to understand critical speeds, resonances, and that you shouldn't suddenly change the speed of the rotors. But in _To kill a centrifuge_ Langner describes some games with pressures as well. Adding random valve openings and closings in a refinery, gas plant, sewage plant, etc. will look like intermittent failures and just as hard to 'debug'. Eventually you'll hit a particularly nasty set. Errant monkeys playing with your PLCs. But it must be a slow day at Tech Review..
  • by raymorris (2726007) on Saturday February 01, 2014 @07:44PM (#46130871)

    I'd guesstimate on average, we log about 50-100 attack attempts from Chinese IPs per server per day. Our sample size is only several thousand customer servers, but that's enough to get a rough idea of what's happening on the internet generally.

    There IS cyber war going on, much like the Cold War. It's not on the news every day, but it's happening just as much as Reagan was trying to defeat the USSR. The weapons aren't that advanced most of the time simply because they don't need to be - the targets very cooperatively run PHP scripts written by kids with NO security training whatsoever. When your admin interface is open to brute force and SQL injection attacks, advanced weapons aren't needed. The secretary of state and chairman of the senate defense committee have the same unpatched Linksys router at home as any random person. How many high level bureaucrats have VoIP at home? VoIP "protected" by Netgear's firewall?

  • China could probably ddos attack all of the uSA that counts.
  • Where are they? (Score:4, Interesting)

    by PPH (736903) on Saturday February 01, 2014 @08:22PM (#46131063)

    Sitting in some cyber arsenal, awaiting use. The problem with cyber attacks is that once discovered, they can be defended against. So from a tactical point of view, they are best kept in reserve until the case for their use is overwhelming.

    As a part of Operation Orchard [wikipedia.org], it is theorized that Israel may have disabled Syrian air defense via back doors in their IT systems. If so, the existance of such back doors was revealed by a post mortem analysis and the holes in the systems plugged. So that would be a case of a one time use. It had better be worthwhile (and arguably, it was).

    The cyber weapons in the hands of criminal organizations are best used in a very low key manner, so as not to attract attention and patches. Criminals are probably continuing to bleed some credit cards for $9.85 here and there, hoping to stay under the radar for as long as possible.

  • " Those who created and programmed Stuxnet needed to know the exact amount of pressure or torque needed to damage aluminum rotors within them, sabotaging the country's uranium enrichment operation."

    Mechanic with machinist training here. That's no big deal. Overloading a system by running it as hard as the drive motors allow will often break it as many machines aren't built with protective mechanical safeties such as simple wasp-waist shear points on driveshafts, shear pins, or mechanical governors.

    It's easi

    • Overloading a system by running it as hard as ...

      Not that I'm accusing Lennart Poettering of cyberwarfare, but a highly relevant anecdote is that when pulseaudio was first thrust upon me in fedora, I and many(?) others discovered that it was only software that was preventing our PC's audio out from being overdriven to the point of health and property risk. I discovered this as my volume, due to bug, instantaneously jumped to 400% as I had my sony earbuds in listening to music. The result was excruciating ear pain for the duration of time (about half a s

  • Stuxnet is an anomaly: the first and only cyber weapon known to have been deployed.

    What about this? [wikipedia.org]

    -jcr

  • hm. let's translate that to a form that may make more sense: computer-physical damage. nope, still makes no sense.

Fools ignore complexity. Pragmatists suffer it. Some can avoid it. Geniuses remove it. -- Perlis's Programming Proverb #58, SIGPLAN Notices, Sept. 1982

Working...