Stuxnet almost certainly meant to hobble Iranian uranium

Paul Raven @ 17-11-2010

Remember all the hypothesising about what the Stuxnet worm was supposed to do, and who had designed it for such? Well, the expert verdicts are in, and it appears Stuxnet was designed to very subtly sabotage uranium centrifuges by varying their rotation speeds in a way that, while hard to notice for humans, would effectively negate the enrichment process they are designed to perform.

So Iran’s Bushehr plant was almost certainly the target (or one target among many); and while we don’t have (and may never have) any substantive proof as to exactly who decided that they wanted to spoke Ahmedinejad’s nuclear wheels on the sly, I think we all know how the odds would fall if you were to pop down to your local bookmakers*.

Regardless of who did it, Stuxnet represents the opening of a particularly well-stocked Pandora’s box: highly-specific sabotage targetting of embedded (and potentially critical)  industrial systems. As Bruce Sterling points out, anyone who hadn’t thought of it before has certainly thought of it now. All the recent hyperbole describing the antics of patriotic  DDoS skript-kiddiez as “cyberwar” is gonna look pretty facile when stuff like Stuxnet becomes commonplace… which, with the benefit of hindsight, may have been the entire point all along.

[ * I’ll take a £5 spread on the US and Israel, please. ]


Virus purge on your laptop? That’ll be US$20m, please

Paul Raven @ 11-11-2010

OK, just to pre-empt any angry emails, I’m not posting this to gloat or mock the victim, nor to suggest that this sort of outright bilking of the ignorant is in any way acceptable behaviour. I’m posting it because it’s an astonishing story that says something simple yet profound about the gap of knowledge between technology end-users and technology adepts.

So, the headline says it all, really: a guy from one of those shady “de-virus your computer for ya, mister?” companies managed to screw something approaching US$20million out of composer Roger Davidson, who – pity him as I might – can only be described as a bit on the naive side, and not just with respect to computers [via TechDirt]:

The saga began in August 2004 when Roger Davidson, 58 years old, a pianist and jazz composer who once won a Latin Grammy, took his computer to Datalink Computer Services in Mount Kisco, saying the machine had been infested with a virus. The owners of the company, Vickram Bedi, 36, and his girlfriend, Helga Invarsdottir, 39, became aware of Mr. Davidson’s high profile and allegedly proceeded to convince him that he was the target of an assassination plot ordered by Polish priests affiliated with Opus Dei, a conservative Roman Catholic organization, authorities said.

[…]

When asked to remove the virus from the laptop, Mr. Bedi allegedly told Mr. Davidson that his computer had in fact been attacked with a virus so virulent that it also damaged Datalink’s computers, according to prosecutors.

Mr. Bedi told Mr. Davidson that he had tracked the source of the virus to a remote village in Honduras and that Mr. Bedi’s uncle, purportedly an officer in the Indian military, had traveled there in a military aircraft and retrieved the suspicious hard drive, prosecutors said.

In addition, Mr. Bedi told the victim that his uncle had uncovered an assassination plot against Mr. Davidson by Polish priests tied to Opus Dei, according to prosecutors.

Opus Dei was depicted in the popular Dan Brown novel “The Da Vinci Code” as a murderous cult. Mr. Bedi allegedly told Mr. Davidson that his company had been contracted by the Central Intelligence Agency to perform security work that would prevent any attempts by Opus Dei to infiltrate the U.S. government, authorities said.

In addition to the thousands of dollars charged to secure Mr. Davidson’s computer, Mr. Bedi and Ms. Invarsdottir allegedly charged thousands more to provide 24-hour covert protection for Mr. Davidson and his family.

Davidosn’s naiveté is only matched here by the incredible chutzpah of Bedi and Invarsdottir, who – from the sound of it – could have called it quits after the first million and retired into blissful offshore obscurity with no one any the wiser.

But as I mentioned above, this really highlights the knowledge gap between people who simply use computers and those who understand how they work – a gap regularly exploited by botnet operators and other scammy types. The unanswered (and possibly unanswerable) question is: can we ever effectively legislate or educate against this sort of exploitation of ignorance? Or is the sphere of human knowledge simply too large for these sorts of gaps not to occur?


Cities and security: a Mexican story

Brenda Cooper @ 20-10-2010

For the last few months I dove deeper into topics I’d already covered.  But this month I decided to do something else.  At my job, I get the Homeland Security Newswire (I manage technology for a medium-sized local government).  I keep seeing various articles that reference Mexico – the big country next door to the US that is in some danger of becoming a failed state; the one in the bloody middle of an honest-to-goodness drug war rather than an anemic War on Drugs. Continue reading “Cities and security: a Mexican story”


Biometric scanners “inherently fallible”

Paul Raven @ 04-10-2010

Regular readers (and other brands of cynic) will find this to be no shock whatsoever: natural changes in the human body due to aging and health issues can render biometric identification systems “inherently fallible”. Sometimes stuff gets hacked without anyone even trying.


From carjack to carhack

Paul Raven @ 16-08-2010

As if you didn’t have enough things to worry about when you’re driving… researchers have demonstrated some rather worrying security holes that could allow an attacker to PWN your car’s onboard computer systems by spoofing the signals from the wireless tyre pressure sensors [via George Dvorsky]:

… previous experiments showed what could be done with a physical connection to a vehicle’s computer. The new work by teams from the University of South Carolina and Rutgers tried a different tack: spoofing the wireless sensors in wheels used by tire pressure monitoring systems, required in all new U.S. vehicles since 2008.

The researchers didn’t find a wide-open door so much as the security employed by a 1920s speakeasy: once they learned the secret knock, the unidentified test car’s controls let them in no questions asked. The team sent fake warning messages from 40 meters away, and in another experiment, got the test car to flash a warning that a tire had lost all pressure while beaming the signal from another car as both drove 68 mph.

Because each sensor uses a unique ID tag, it was also possible to track specific vehicles, in a way that would be far less noticeable than roadside cameras.

The hacked car usually reset its warnings after the spoofed messages stopped. But after two days of tests, the electronic control unit for the tire monitors fell off its twig and had to be replaced by a dealer. The researchers note that it took several hours of graduate-level engineering to devise their tools and crack into the monitors, but that the actual technology for doing so cost about $1,500.

Buying off-the-shelf kits to accomplish this sort of hack will be as easy as buying an ATM credit card skimmer or a few hours of run-time on a botnet; it’s just chips and code, after all. And now, would the congregation please join with me in chanting the votive mantra of Futurismic: Everything Can And Will Be Hacked.


« Previous PageNext Page »