Iran denies cyberattack hurt nuclear program -- but expert isn't sure

Thursday, September 30, 2010

Iran denied Wednesday that its nuclear systems had been infected with a virus, after days of reports that a new kind of malware had struck the Bushehr nuclear plant.
But the head of its nuclear program admitted that a virus had been found on the personal laptops of some staff at the reactor, the Iranian Students News Agency reported.

"We succeeded in preventing the enemy from achieving its objectives," IRNA quoted Ali Akbar Salehi as saying on Wednesday.

But a top computer security expert who analyzed a new kind of virus called Stuxnet says Iran is the most probable target of the malware, which he says could only have been designed by "the best of the best."

"We have never seen anything like this before," said Ralph Langner. "It's the most complex piece of malware in the history of computing."

"What the thing does, is actually it's designed to blow something up, it's as simple as that," he said. "The virus is a cyberwar weapon."

Langner, who was among the first to study the virus, presented his findings at a cyber security conference in Maryland last week.

The virus is designed to attack only a specific machine at a specific time, Langner told CNN Wednesday.
Langner has detected "the highest number of infections" in Iran, suggesting that Tehran's controversial nuclear program is the target. "If you look at all the sophistication that went into Stuxnet, if you look at the fact that it's about sabotage, about destroying a specific piece of machinery, then the only target that makes sense given the target region... would be the Iranian nuclear power program," he said.
A government is almost certainly behind it, he said. "You can take for granted that a hacker group is not able to create anything like Stuxnet, because the development requires much more resources than any such hacker group could afford," he said. To use it as a weapon would require insider information, he said. "You need to have very detailed and specific knowledge about the targeted application and process," he said.

"You will need to build up a lab model to test all that and if you take all that together into account, the only background that makes any sense is to assume that a nation-state is behind it."

It was probably delivered via infected USB sticks, he said, speculating that a Russian engineering firm that worked on the Iranian nuclear program had been infiltrated.
That would explain the pattern of infections around the world, he said -- anywhere the company worked would end up with the virus. But only one specific target would be affected by it.

It's as if a virus were designed not only to target a computer running Microsoft Word, he said, but to search for a specific document created with Word.
And it's designed to hit industrial control systems, he said, activating itself only once its target reaches a certain state, like a designated temperature or pressure.
"When it finds a specific match, let's say in specific temperatures or pressures to reach certain thresholds, then the attack routine is executed," he said.
Stuxnet itself is no longer a cause for concern, he said.
"Don't worry about Stuxnet any longer," he said. "Obviously it hit its target. It is so specific it won't attack anything else."

But now that it's out there, other people will try to replicate it, he warned.
"Everybody will be able to study exactly what Stuxnet does and how it is done," he said. "So we must assume that Stuxnet will now act as a template for any kind of hackers, organized crime, terrorists in order to study how it can be done."

"Stuxnet is history," he said. "We need to work on what will come next."[1]

Reference:
[1] http://edition.cnn.com/2010/WORLD/meast/09/29/iran.cyberattack/index.html?iref=allsearch

The cyber raiders hitting Estonia

Tuesday, September 28, 2010

As Estonia appeals to its Nato and EU partners for help against cyber-attacks it links to Russia, the BBC News website's Patrick Jackson investigates who may be responsible.

Estonia, one of the most internet-savvy states in the European Union, has been under sustained attack from hackers since the ethnic Russian riots sparked in late April by its removal of a Soviet war memorial from Tallinn city centre.
Websites of the tiny Baltic state's government, political parties, media and business community have had to shut down temporarily after being hit by denial-of-service attacks, which swamp them with external requests.
Some sites were defaced to redirect users to images of Soviet soldiers and quotations from Martin Luther King about resisting "evil".
And hackers who hit the ruling Reform Party's website at the height of the tension on 29 April left a spurious message that the Estonian prime minister and his government were asking forgiveness of Russians and promising to return the statue to its original site.

Getting hit hard

The government's response has been to close down sites under attack to external internet servers while trying to keep them open to users inside Estonia, but the attacks are taking a toll and have been likened by the defence ministry to "terrorist activities".

"Of course [sites] can be put up again, but they can be attacked also again," Mihkel Tammet, head of IT security at the Estonian defence ministry, told BBC World Service's Newshour programme.
Estonia, he said, depended largely on the internet because of the country's "paperless government" and web-based banking. "If these services are made slower, we of course lose economically," he added.
While the government in Tallinn has not blamed the Russian authorities directly for the attacks, its foreign ministry has published a list of IP addresses "where the attacks were made from".

The alleged offenders include addresses in the Russian government and presidential administration.
Dmitry Peskov, the Kremlin's chief spokesman, told the BBC's Russian Service there was "no way the [Russian] state [could] be involved in cyber terrorism".

"When you look at the IP addresses showing where the attacks are coming from, then there's a wide selection of states from around the world," he added. "But it does not mean that foreign governments are behind these attacks. Moreover, as you probably know, IP addresses can be fake." Russia's own presidential website, he said, came under attack itself "hundreds" of times daily.

'Private attacks'

David Emm, senior technical consultant at Moscow-based antivirus software company Kaspersky Lab, believes the hackers are likely to be "younger types who, in other days, would have been writing and spreading viruses".
"I would not be surprised if switched-on people were using technical means of expressing themselves," he told the BBC News website's technology correspondent, Mark Ward.

Anton Nossik, one of the pioneers of the Russian internet, sees no reason to believe in Russian state involvement in the hacking, beyond the fanning of anti-Estonian sentiment.
"Unlike a nuclear or conventional military attack, you do not need a government for such attacks," he told the BBC News website. "There were anti-Estonian sentiments, fuelled by Russian state propaganda, and the sentiments were voiced in articles, blogs, forums and the press, so it's natural that hackers were part of the sentiment and acted accordingly."

Hackers, he points out, need very little money and can hire servers with high bandwidth in countries as diverse as the US and South Korea.

The expertise is "basic", he says, with virus scripts and source codes available online and there are "hundreds of thousands of groups who have the resources to launch a massive virus attack".
"The principle is very simple - you just send a shed load of requests simultaneously," he says.
Estonia's blocking of external servers is in his opinion a smart response but can only work for a country of "1.4 million with a non-international language". In Russia, for instance, foreign servers account for 60% of the net, he says.

For Mr Nossik, of more concern is how the global net can protect itself against the big virus attacks like the Backbone Denial-of-Service attack in February which hit three key servers making up part of the internet's backbone.

"Compared to the scale of the problem in general, Estonia is small," he says.[1]

Reference:
[1] http://news.bbc.co.uk/2/hi/europe/6665195.stm

Hackers warn high street chains

Thursday, September 23, 2010

High street chains will be the next victims of cyber terrorism, some of the world's elite hackers have warned.

They claim it is only a "matter of time" before the likes of Tesco and Marks & Spencer are targeted.
Criminals could use the kind of tactics which crippled Estonia's government and some firms last year, they warned.
The experts were members of the infamous "Hackers Panel" which convened in London this week at the InfoSecurity Europe conference.
The panel includes penetration testers and so-called "white hat" hackers, who help companies tighten up their digital security by searching for flaws in their defences.
Previous panellists include Gary McKinnon, known as Solo, alleged by the US government to have hacked into dozens of US Army, Navy, Air Force, and Department of Defense computers.
The "hackers" usually remain anonymous, "for security reasons", but this year's panellists agreed to break cover.

Common cause

First up was Roberto Preatoni, the founder of the cyber crime monitoring site, Zone-H, and WabSabiLabi, a trading site for security researchers.
His appearance came just a few months after he was arrested by Italian authorities on charges of hacking and wiretapping, as part of the ongoing investigation into the Telecom Italia scandal.
Mr Preatoni told the audience that the attacks in Estonia were a harbinger for a new era of cyber warfare.

"I'm afraid we will have to get used to this," said Mr Preatoni, also known as SyS64738. "We had all been waiting for this kind of attack to happen.
"Estonia was just unfortunate to be the first country to experience it. But very soon, our own [western] companies and countries will be getting attacked for political and religious reasons.
"This kind of attack can happen at any time. And it will happen."
During the two week "cyber war" against Estonia, hackers shut down the websites of banks, governments and political parties using "denial-of-service" (DoS) attacks, which knock websites offline by swamping servers with page requests.
As many of the attacks originated from Russia, the Estonian government pointed the finger at the Kremlin. But Mr Preatoni said that, having spoken to contacts in the hacking community, he was clear that "Putin was not involved".
"In my opinion, this was a collection of private individuals who spontaneously gathered under the same flag.
"Even though Estonia is one of the world's most advanced countries in IT technology, the whole economy was brought to its knees.
"That's the beauty of asymmetric warfare. You don't need a lot of money, or an army of people. You can do it from the comfort of your living room, with a beer in your hand."

Gate control

His warning was echoed by Steve Armstrong, who teaches seminars in hacking techniques, at the SANS Institute for information security training.
"If someone wants to have a pop at the UK, they are unlikely to go for the government web servers. They will go for the lower hanging fruit - companies which are seen as good representatives of the country.

"The likes of Tesco, Marks & Spencer and B&Q can be seen as legitimate targets.
"We have to get the message across to companies [to invest in information security].
"At the moment Chief Executives are only interested in the bottom line. But remember - if tesco.com goes down, that's a lot of shopping."
Mr Preatoni said that the Estonian government's repeated failure to thwart the attacks was proof that we still have "no good solutions" for denial of service attacks.
The panellists then argued over whether Internet Service Providers should do more to tighten security, by helping customers protect their computers from being "zombified" by hackers for use in distributed DoS attacks.
"Actually, I don't think the ISPs should have any role in security," said Preatoni.
"In my opinion, that's like asking the Royal Mail to be responsible for the quality of your post."
But his view was immediately challenged by the third panellist, Jason Creasey, head of research at the independent Information Security Forum.
"I believe ISPs can play a phenomenal role in security, with a little bit of legal pressure," he claimed.

Net weakness

He was backed by an audience member, Angus Pinkerton, of Lynks Security Consulting. "The only way to defend against a distributed attack is with a distributed defence," he argued.
"I think it's unacceptable that ISPs are content to let their customers be part of bot-nets."
He challenged Steve Armstrong's view that asking ISPs to perform security duties was "fundamentally, censorship."
"This is not about free speech," said Mr Pinkerton. "Free speech does not entitle you to shout fire in a crowded theatre."
In the meantime, Mr Preatoni warned the audience it is "only going to get easier" to carry out a DoS attack, because he claimed the latest net address system, known as Internet Protocol Version 6 (IPv6), is actually more amenable to DoS.
Later, he told the BBC that the rise in cyber attacks originating in China was a convenient cloak for western countries to disguise their own cyber espionage activities.
"It's too easy to blame China," he said. "In fact, legitimate countries are bouncing their attacks through China. It's very easy to do, so why not?
"My evil opinion is that some western governments are already doing this."[1]

Reference:
[1] http://news.bbc.co.uk/2/hi/technology/7366995.stm

Singapore tackles 'cyber terror'

Friday, September 17, 2010

Singapore has passed strict new legislation to protect the country's computer systems from attack.

The government has said the legislation was necessary because of the damage that computer hacking can cause. The laws allow the monitoring of all computer activity and "pre-emptive" action, though an official said they would be used "sparingly". Some members of parliament said the measures could be open to abuse, with threats to individual liberty.

Singapore's Senior Minister of State for Law and Home Affairs, Ho Peng Ke, said the law aimed to fight "cyber terrorism." He said it would be used mainly against threats to national security and essential services like banking and finance. "Instead of a backpack of explosives, a terrorist can create just as much devastation by sending a carefully engineered packet of data into the computer systems which control the network for essential services, for example the power stations," Mr Ho said.

Hacking

The new law allows police to take "pre-emptive action" to protect computer networks from unauthorised entry by hackers. Those found guilty of hacking or defacing a web site could get up to three years in jail, or be fined up to $5,800. The government has said the measures are necessary because of rising cases of successful hacking - there were just 10 in 2000, but that had risen to 41 last year.
Singapore has been tightening security since last year's Bali bomb attacks in neighbouring Indonesia.
But some MPs said the new law was another aspect of the city state's authoritarian side.
Chin Tet Yung, chairman of the Government Parliamentary Committee for Home Affairs and Law, said that it could become, "an instrument of oppression itself." [1]

Reference:
[1] http://news.bbc.co.uk/2/hi/asia-pacific/3259601.stm

EU Amendment of the Framework Decision on Combating Internet Terrorism, 18 April 2008

Saturday, September 11, 2010

The EU formally agreed on April 18th in Brussels to an Amendment establishing for all 27 EU member states a standardized criminal definition for the crime of incitement of terrorism on the Internet.
Legislation fighting terrorism is already in place, but did not specifically focus on the Internet. The amendment, in keeping with the existing legislation covering acts of terrorism, further sets out which acts are sanctioned.

Some committee members were concerned about civil liberties aspects, while others demanded a strong and robust defense of democracy and the rights of freedom of speech. The Commission was looking to revise existing EU counter-terrorist policies and to provide a common legal framework and a common definition of terrorist offenses. The Commission claims the changes were needed due to the "multiple and changing faces of terrorism".
The EU's official statement describes the intent of the framers of the Amendment as "to harmonize national provisions on public provocation to commit a terrorist offence, recruitment for terrorism and training for terrorism, so that these forms of behavior are punishable, also when committed through the Internet, throughout the EU, and ensure that existing provisions on penalties, liability of legal persons, jurisdiction and prosecution applicable to terrorist offences, apply also to such forms of behavior."
The law describes what the punishment will be for, "Individuals disseminating terrorist propaganda and bomb-making expertise through the Internet- can therefore be prosecuted and sentenced to prison insofar as such dissemination amounts to public provocation to commit terrorist offences, recruiting for terrorism or training for terrorism and is committed intentionally."
The Amendment also empowers courts or administrative authorities to request internet service providers to collect and remove this information according to rules from the Directive on electronic commerce. The framers worked to make the wording as close as possible to the wording of the Council of Europe Convention on the Prevention of terrorism as possible. They suggest they have dealt with the problem of balancing fighting Internet usage for terrorist purposes with respect for the freedom of speech.
In putting together the Amendment, one of the key issues was how to frame the definition of "public provocation to commit terrorist offences". For "public provocation", the Commission proposed adding "three new crimes aimed at covering "traditional" and modern terrorist methods - recruiting terrorists, training for acts of terrorism and "public provocation" to commit terrorist offences."
MEP French Socialist Roselyne Lefrançois told the framers the term public provocation "needs definition" and stressed civil liberties implications, asking "where does freedom of expression stop?" Lefrançois added, "we need a clear formulation, a safeguard clause and provisions guaranteeing respect for fundamental rights."
Spanish MEP Luis de Grandes Pascual said, "I am worried that the debate is oriented towards an artificial dichotomy between fighting terrorism and freedom of expression". He added, "democracy is a "public opinion regime", but the defence of democracy calls for a particular strength - in order not for us to fall into weakness."
According to the EU, in 2007 there were 583 failed, foiled or executed terrorist attacks. Most were attempted by separatist terrorist groups in Spain and France. Also, there were 4 failed "Islamist" attacks. In association with the investigation of these crimes, 1,044 people in Europe were arrested.
Anti-terrorist coordinator Gilles de Kerchove claims there is "a real threat on our borders" and that "EU nationals are at risk" both inside the Union and when traveling outside it. Last year, Europeans traveling in Yemen were attacked. He added that "Al-Qaeda will remain an international threat for years to come". The Commission stated that "virtual training camps" have been set up on the Internet, as Mr de Kerchove claims "around 5000 websites are helping to radicalise our young people in Europe". Ms Lefrançois states "the internet offers (terrorism) a global stage"[1].


Reference:

Brazilian man charged in cyber-terrorism case

Saturday, September 4, 2010

A Brazilian man was charged by a federal grand jury in New Orleans for his role in a conspiracy to sell a network of computers infected with malicious software, Acting Assistant Attorney General Matthew Friedrich of the Criminal Division and Jim Letten, US Attorney for the Eastern District of Louisiana, announced on Friday.

Leni de Abreu Neto, 35, of Taubate, Brazil, is charged with one count of conspiracy to cause damage to computers worldwide. The indictment alleges that more than 100,000 computers worldwide were damaged. If convicted, Neto faces a maximum penalty of five years in prison and up to three years of supervised release. Neto also faces the greater of a $250,000 fine or the gross amount of any pecuniary gain or the gross amount of any pecuniary loss suffered by the victims.

According to the indictment, Neto participated in a conspiracy along with others, including an unindicted coconspirator, Nordin Nasiri, 19, of Sneek, Netherlands, to use, maintain, lease and sell an illegal botnet. As defined in the indictment, a botnet is a network of computers that have been infected by malicious software, commonly referred to as "bot code."

Bot code is typically designed to permit an operator or controller to instruct infected computers to perform various functions, without the authorization and knowledge of their owners, such as launching denial of service attacks to disable targeted computer systems or sending spam e-mail. Installation of bot code is typically accomplished by "hacking" computers with particular security vulnerabilities. Bot code typically contains commands for infected computers to search local networks or the Internet for other computers to infect, thereby increasing the botnet's size and power.

The indictment alleges that prior to May 2008, Nasiri was responsible for creating a botnet consisting of more than 100,000 computers worldwide, and that Neto used the botnet and paid for the servers on which the botnet was hosted. According to the indictment, between May and July 2008, Neto agreed initially with Nasiri to broker a deal to lease the botnet to a third party. The indictment alleges Neto expected the botnet to be used to send spam through the infected computers. Subsequently, Neto agreed with Nasiri to broker the sale of the botnet and underlying bot code to the third party for 25,000 euros.

Neto was apprehended by Dutch authorities on July 29, 2008, in the Netherlands and is currently in confinement in the Netherlands pending resolution of extradition proceedings. Nasiri was also apprehended by Dutch authorities and is being prosecuted by Dutch authorities in the Netherlands.

The case is being prosecuted by Trial Attorney Jaikumar Ramaswamy of the Criminal Division's Computer Crime and Intellectual Property Section, with extensive assistance from Senior Counsel Judith Friedman of the Criminal Division's Office of International Affairs. The case is being investigated by the Cyber Squad of the FBI's New Orleans field office, with assistance from the Dutch Hi-Tech Crimes Unit and the Cyber Section of the Brazilian Federal Police[1].

Reference:
[1] http://www.renewamerica.com/columns/kouri/080825