Regin: When did protection start?

Regin, advanced malware that is most likely a government espionage tool, is making headlines.

This is because it's a very well-constructed set of tools and also because observers are surprised at how successful it was. It also targeted GSM networks, which is novel.

The big question is, how could the major anti-malware firms have missed this threat for so long?

Or, one might ask, did they really miss it or quietly detect it?

Some people appear to believe that, as Regin was probably created and used by Western governments, then Western anti-malware companies colluded to ignore the threat.

Symantec seems to have been slow to notice Regin because its write-up of Backdoor.Regin claims that it was discovered in December 2013, which is much later than March 2011, when Microsoft updated its definitions to include Regin.A.

In an effort to find a history of Symantec's detection of this malware I obtained an archive of Regin samples from security researcher Claudio Guarnieri and asked the kind folk at VirusTotal to discover when, if ever, Symantec's scanner first detected each sample.

Before we look at these results I want to be clear about what these results mean and what they do not because VirusTotal data is easily abused and dodgy conclusions readily-reached.

The table below indicates that Symantec's technology was capable of detecting most of the samples as being at least suspicious from February 2010. It then made a clearer classification of being a 'Trojan' from March 2011.

Only yesterday (24th November 2014) did it officially label the threat as 'Regin'. This corresponded to its announcement of the Regin threat.

Usually the problem with using VirusTotal is that someone will upload some files, show that product X failed to recognise them and then conclude that the product, or the entire anti-virus industry, is useless.

In this case we can see dates relating to when the product detected the files as threats. Possibly the product would have protected against these files even earlier, and possibly those that appear as having been missed (Classification = 'nothing') would have been stopped through some other layer of protection not related to file signatures.

So I see the following as a worst-case scenario. Symantec's scanner recognised most of these files as threats from around 2011 onwards. Maybe it was capable of stopping them and maybe not - we can't know that for sure. But it's fair to assume that if a signature-based scanner can recognise a file then it will probably generate an alert at the very least.

I've focussed one Symantec simply because it first announced the Regin malware, minutes before other vendors joined in.

Aircraft hacking myths busted

Two avionics experts have explained why it is impossible for an attacker to take remote control of a commercial airliner.

Speaking at the Defcon 22 conference in Las Vegas Dr. Phil Polstra and Polly Kadolph explained in detail why some types of attacks are impossible and others are exceptionally unlikely to succeed.

The Register covers some of the technical detail but see below for a non-technical summary:

• You can't hack the entertainment system and then connect to more important systems, such as the flight controller.
• There is no way to access critical systems using wireless networks.
• The way an aircraft's networks are set up means that they are not compatible with the sort of networks familiar to most computer experts.
• All major control systems can be operated manually by the pilot(s).
• Pilots won't just blindly follow what they are told by air traffic control (ATC), or someone pretending to be ATC.
• Pilots always have control of the plane, even if its electronics fail or fall under someone else's control.
• The auto-pilot can be turned off.

There has been some recent media coverage about plane hacking, but this sort of thing has been discussed for a few years. In 2011 a researcher claimed to have accessed a Boeing 747 engine control system via the entertainment system.

Malware shuts down border control

A computer virus is being blamed for causing havoc at two Turkish airports late last week.

A malware attack reportedly disabled the border control computers at Ataturk and Sabiha Gokcen airports.

According to a Google translation of a report on Star Gundem's website, huge delays in crossing the border were due to a failure in the "İstanbul Police Department Polnet'teki information system".

There is no mention of what security measures, such as anti-virus software, were in place to prevent a malware infection. Nor indeed do we know what operating systems are involved.

The Register provides a little more information and notes that, "PolNet is the Computer Network and Information System of the Turkish National Police". A link to the TNP's website provides more information:

PolNet is the Computer Network and Information System of Turkish National Police. Turkish Police network connects over 3000 locations each other, which constitute 81 provincial police departments, 100 border gates and other small units. Using a developed technology, it also enables police officers in the field to access national databases via a police network.

Polnet  is...

…a common database enabling information automation and providing a rapid and an uninterrupted access from all around the country.

 …a secure data sharing environment for correspondence and exchange of information.

… the infra-structure of computer technology and information system of Turkish National Police (TNP).

This event, if caused by a hacker or malware attack, is reminiscent of a distopian William Gibson novel. Whether intentional or not, computer failures caused by criminals or other miscreants are no longer the fantasy of science fiction or cyber punk authors.

In the past few years we've seen malware attacks that have affected hospital equipment, traffic lights and an ambulance control system. We've also learned of possible attacks on electricity supplies, aeroplanes and jail cell control systems. Read more...

S Korean banks and media hacked

A computer virus has disrupted computer networks run by some South Korean banks and TV broadcasters.

According to a BBC report, two banks (Shinhan and Nonghyup) and three TV stations (KBS, MBS and YTN) have reported that their networks shut down without warning on Wednesday afternoon.

Computers crashed and could not be restarted.

The report makes a diversion into Independence Day-style science fiction with this insightful observation from KISA, which aims to make South Korea the "strongest country on internet":

There were also reports of skulls popping up on some computer screens, which could indicate that hackers had installed malicious code in the networks, the Korean Internet Security Agency said.

Skulls appearing on screens does indeed sound like a symptom of malware, but it's so flippant that it doesn't resemble something a state-sponsored attack would usually produce.

Rather sensibly, officials are neither ruling out North Korea's involvement nor are they claiming that it is responsible.

UPDATE: KBS employee Luke Cleary has uploaded a photo of his hacked PC's monitor (see below).

A KBS computer screen, today.

Computer virus danger to hospital patients

Would you trust a heart monitor
running Windows 98?

Hospital medical equipment running old versions of Windows is often infected with malware.

Some fear that patient safety could be affected if critical systems run too slowly or fail altogether.

Medical facilities always face the risk of exposing already vulnerable patients to infection, but the BBC reports that hospital computers in the US and UK host malware that is "rampant" on their systems.

The core problem seems to be that very important systems are left alone and not updated, presumably because any change could adversely affect how they work.

This is similar to the security approach taken with industrial control systems. The priority is constant operation and, as security expert Eugene Kaspersky notes in his blog, those who run such systems have this attitude:

"Rule #1 is 'Do not touch. Ever.'"

According to the BBC, Kevin Fu ("a leading expert in medical technology"), can imagine a situation in which a heart-monitoring system running Windows could slow down due to a malware infection and malfunction. In reality, though, he notes that,

"there is no evidence as yet that the malware is reaching medical machines as a result of being targeted by criminals."

The good computer virus

Is it possible or even advisable to create a good computer virus?

Let's take Wikipedia's current definition of a computer virus is of "a computer program that can replicate itself and spread from one computer to another."

There is no "malicious intent" in that definition, so it sounds like creating an automatic, self-distributing security program could work. Certainly Dr Cyrus Peikari thinks so.

I first heard Dr Peikari's argument in favour of creating good viruses, the presence of which would increase a host's immune system, at the Defcon conference in 2001. He wrote a paper on the subject three years later.

One significant problem with this approach is that once a viral program starts spreading there is no telling how it might affect systems. The creator may not be able to maintain control of the virus either, which means that they could initiate a potentially catastrophic sequence of events.

Let's say that someone wrote a worm that sought out and destroyed a (fictional) malware threat called Hercules. And let's say that this malware exists not only on home PCs but also on some smart TVs, mobile phones, ATMs and prison door control systems.

Our imaginary Hercules-killing worm might spread between all of these systems and attempt to deactivate the threats that it finds. It might work with 100 per cent effectiveness, or not. When it fails, or even when it succeeds, it might have unexpected side-effects.

As our benevolent worm interacts with Windows XP PCs running no anti-virus software, it does exactly as was intended. However, in other cases, where security software is in place, its unexpected presence is noted and blocked. As we all know, anti-virus software is not without its faults so maybe the worm makes some changes to the system before it is stopped.

We now have a damaged Windows XP PC.

The case becomes even more complex when you consider the other platforms in use (Android, Chromium OS, iOS, OS X, Linux etc.). The smart TVs might crash, mobile phones might be unaffected and hopefully any life-support systems or prison doors remain operational. But there is no guarantee.

There is also a legal issue. This worm, no matter how beneficial its intentions, and how effective its execution, is running on systems without authority. This falls foul of many laws, including the UK's Computer Misuse Act.

Some facts worth remembering, when thinking about well-intentioned viruses:

1. One person's good intentions are not necessarily someone else's.
2. The Morris Worm was allegedly written to discover the size of the internet, rather than to cause denial of service (DoS) problems. However, DoS it did.
3. The Code Blue worm, when released in 2001, appeared to be designed to remove a prevalent threat at the time called the Code Red worm. It even patched infected systems to prevent re-infection. However, it reduced system stability (presumably unintentionally) and also launched DoS attacks (presumably intentionally).

In January 2012 Rig Ferguson wrote about a Japanese project to create a defensive virus. This supposed "cyberweapon" appears to have a benign, healing component. Let's hope that it works with the telly.

UK mass internet monitoring

There are plans for new laws that will allow the UK government to monitor its citizens' phone calls, web site visits and email (incoming and outgoing).

This will, I predict, cost a lot of money and will fail to deliver what you might expect.

Let's put aside the possibly massive abuse of civil liberties that such a scheme invites and focus on how useful it will be for its intended purpose.

Who will pay?

It looks like the Internet Service Providers (ISPs) will be doing the bulk of the work. The additional work will cost money, which will almost certainly be passed to the customers (us).

What will be tracked?

According to the BBC, the system will:

"enable intelligence officers to identify who an individual or group is in contact with, how often and for how long."

My understanding of this is that ISPs will track who receives emails from who, but not the content. So if Individual A (Alan) sends an email to individual B (Brian) then the government can discover this fact, although without necessarily knowing the content of that email.

No doubt IP addresses will be tracked too, adding to the likelihood that Alan really is Alan, and that Brian is Brian.

From the sketchy information available so far it seems that this will allow the government to track fairly low-level criminals who have the technical naivety of Luddites.

Organised criminals have been using 'burner' mobile phones for years, treating their devices as disposable. Buy a phone for cash, set up a free webmail account and it would be tough for anyone to work out if you were Alan, Brian or Ayman Al-Zawahiri.

Rik Ferguson from Trend Micro agrees that dangerous criminals have at least a semblance of security sense:

"If national governments and law enforcement organisations truly believe that online criminals and international terrorists don’t know how to hide their online traces, then we have a bigger problem than we thought (sending an encrypted email with spoofed sender address from an Internet café is only lesson one)."

Stuxnet explained: video

Stuxnet is one of the most interesting pieces of malicious code found in the last few years.

It provides significant evidence that nation states are using computers to undermine each other.

The well-made video below explains what Stuxnet is (a weapon in code form), what it did and poses some questions about the future.

It suggests, incorrectly as far as I know, that the source code is available. Thus far it is not "open source", as claimed in the video.

This is one of many pieces of recent media that explores the concept of cyber war. It is a controversial area, largely because there is little proof. Stuxnet is tangible evidence, which is why security companies are so excited about it.

Cold war, cyber war or simply war?

Eugene Kaspersky has just written an interesting article that poses the view that this type of cyber war, in which malicious code is used as a form of weapon, is a series of acts of international aggression. He believes that it is tantamount to cyber terrorism.

Malicious code such as Stuxnet can do a few things but one of the most interesting characteristics is its capacity for sabotage. In the Cold War of the 1980s there were claims of sabotage, but rarely anything as direct as the tasks that Stuxnet is capable of carrying out.

One similar incident involved the Trans-Siberian pipeline back in 1982. The US is said to have planted a logic bomb that resulted in a massive explosion. Rather than introducing a virus from a network or USB key, the theory goes that US programmers planted the malicious code into a program that they knew would be stolen by the Russians.


Stuxnet: Anatomy of a Computer Virus from Patrick Clair on Vimeo.

Computer virus theory on missile explosion

Did a computer virus cause the explosion of an Iranian ballistic missile, capable of carrying a nuclear warhead?

The story that is doing the rounds claims that on the 12th November 2011 a missile exploded in an Iranian army base. A number of Iranian officers and rocket experts were killed.

The Stuxnet worm is considered to be the culprit.

So far the facts seem rather vague, as the coverage of this event stems almost entirely from a report on one website, that being Debkafile. This site appears to be "unabashedly in the hawkish camp of Israeli politics" and uses unattributed sources extensively.

Taking this main report on its merits, let's see what the 'facts' are, versus the 'theory'. I'll assume that the following four details are accurate:

1. Maj. Gen. Moghaddam presents a new type of warhead to experts.
2. He runs a computer simulation on a system attached to the missile.
3. The missile explodes, killing over one dozen people.
4. The extent of the explosion means that there are no witnesses and little physical evidence.

The Debkafile report also notes the following:

1. The missile exploded because the computer sent it an order to do so.
2. Iranian intelligence have two theories:
• Western or Israeli intelligence services planted a technician, who sent the signal ordering the missile to explode.
  [Note: I think the reporter meant that the technician programmed, rather than signalled, the computer.]
• The computer was responsible, having been infected with the Stuxnet worm.
3. Iranian intelligence considers the second theory (above) to be more plausible than the first.

To summarise, a missile has exploded in an apparent accident and there are no living witnesses. The computer involved is completely destroyed, as is the missile.

Somehow Debkafile is able to deduce that the computer sent the order to explode, despite no apparent evidence to support this. This is a significant problem with Debkafile's report. It contains no attributed facts, just statements of fact without any evidence.

Which of the following do you think is more likely?:

1. The missile exploded, accidentally.
2. A spy programmed a computer to explode the missile.
3. A computer virus programmed a computer to explode the missile.

It's coming to something when the idea of computer viruses exploding nuclear-capable missiles is more plausible that accidents or more mundane methods of sabotage.

How malware can explode an engine

An engine exploding due
to unauthorised programming

The following is an excellent video that demonstrates the potential impact of a cyber attack against 'real' systems, as opposed to hacking into computers and stealing data.

What makes this four year-old video particularly interesting is that is clearly shows how accessing computer systems with malice can compromise safety, productivity and preconceptions about what 'computer hacking' can achieve in the modern world.

When you read stories about hacking prison doors, aeroplanes and other Hollywood-style exploits, bear in mind what you are about to see. It is essentially the same thing.

Catch phrases that are relevant to this and other stories include SCADA and PLC. All you really need to know about these is that they refer to computer-controlled, automated physical systems.

This means systems that are controlled by computers and are able to do physical jobs like un/lock prison doors, control aircraft engines and moderate the speed of nuclear refinement equipment.

The first time I encountered this footage was in an F-Secure video that covered the Stuxnet worm. This is definitely worth watching in its own right. But if you just want to see how changing some computer code can blow stuff up, click on the video below...

Jail breakers open cells via internet

Researchers have found a way to open prison doors remotely from the internet.

The discovery came hot on the heals of a strange event one Christmas eve, when all of the doors to a US prison's death row cells opened, apparently on their own.

An investigation into this potentially disastrous event found that the problem was due to an electrical fault. However, further checks revealed that the door locks could be tripped on purpose. Furthermore, while prison locking systems are not supposed to have any internet connectivity, in practice this seems not to be the case.

Sean McGurk, formerly of the US Department of Homeland Security, claims that when he inspected over 400 prison facilities, "in no case did we ever not find connections. They were always there."

The discovery that prison door locks can be hacked over the internet was made by ex-CIA officer John Strauchs. He claims that maximum security prisons use programmable logic controllers (PLCs) to handle automating door locking and unlocking. PLCs were hacked in the infamous Stuxnet attack on Iranian nuclear facilities.

The Stuxnet worm was able to reprogram the systems controlling centrifuges used to enrich Uranium. It did so in a way that would damage the equipment and, therefore, slow down the Iranian nuclear programme. Strauchs took a similar approach to his research and has demonstrated an internet attack on prison doors. It seems from his description as if he used a rootkit-type approach.

"You could open every cell door, and the system would be telling the control room they are all closed," he told The Washington Times.

In an interview with VentureBeat he also proposed another, possibly more sinister scenario than a mass jailbreak. He imagined the possibilities of an assassination in which, "if you are a [gang member], you prevent a door from opening, and you start a prison fire."

Strauchs presented his findings at the Halted Hacker conference in Miami on 26th October 2011.

Virus knocks out ambulance response system

Ambulance workers had to allocated vehicles to incidents manually after a computer virus took down the automatic paging systems.

The St John communication centres in New Zealand had to resort to using station phones and manually relaying information after the automatic alert system failed.

According to a report by the Waikato Times, anti-virus software detected the threat and "protected the systems" but still the virus was able to impact "on some of the systems (sic) services."

How to hack a plane

This plane is powered by UNIX

You would hope that the passenger entertainment systems on aircraft were not connected to the systems controlling the engines.

You might imagine that passengers would have no way to re-tune the engines in-flight, from the comfort of their seat.

You might not want to read on.

Security risk assessor Craig S. Wright claims to have audited the security of a Boeing 747 aeroplane and found it possible to access the engine control systems via the video over IP entertainment system.

"They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 - VLANs. We managed to break the VLANs and access other systems and with source routing could access the Engine management systems."

Wright further claims that Boeing dismissed his findings with the statement, "the engine management system is out of scope [for the test]."

That's all right then. If the test doesn't allow breaching of the engine management system then the problem presumably doesn't (officially) exist...

Postscript: I was so tempted to tag this post with the 'Protection in the cloud' label.

Air traffic control details leaked via eBay

A network switch sold on eBay has been found to contain sensitive information about a network belonging to the National Air Traffic Services (NATS) centre in Prestwick.

The Cisco Catalyst switch was sold on eBay for £20. The buyer found that it held:

• Details of the VLANs in use and associated services
• Full VTP trunking data
• Device management accounts
• Read and Write SNMP community strings
• Full details of upstream switching

According to the lucky bidder, IT consultant Michael Kemp, the switch was using the manufacturer's default passwords and that the data it held was fairly recent:

"The password policies associated with the device are simple (I’m not providing pasword (sic) details in an open forum, but it’s a Cisco device so have a guess eh?) and it really was an absolute treasure trove of data no older than 18 months old (yes, we did get the last power cycle data)."

As the screenshot below indicates, the switch had previously been used by Serco PLC. Serco provides management services to NATS.

Michael points out on his Lo-Fi Security site that someone could plug a rogue switch configured this way into Prestwick ATC's network and "monkey" with it.

He also notes that the eBay seller was also offering a further 13 switches. One can only speculate as to whether or not these were sanitised before being sent to successful bidders. One can also only speculate as to why such hardware was sold in this condition rather than being wiped or even destroyed, because it should have been. According to Channel 4 news, NATS responded with a statement that includes the following:

""We have a contract with a specialist firm to handle the secure destruction and disposal of our equipment. We are investigating with them why equipment that we have a destruction certificate for was subsequently sold online."

Mass US power hack possible

Cyber warfare is most certainly no longer the subject of blockbuster Hollywood movies. An ex-chief of US national intelligence has told CBS' 60 Minutes programme that not only is the country vulnerable to cyber warfare but that it is unprepared for an attack. Speculating on what an attacker might do, Retired Admiral Mike McConnell said:

"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Cost, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker." A couple of years ago this would have been a Jame Bond/Die Hard baddy-plan. Now the guy whose day job involved running the CIA and NSA is talking about hackers turning the lights out on the US.

The report also quoted President Obama as saying, "We know that cyber intruders have probed our electrical grid, and that in other countries cyber attacks have plunged entire cities into darkness." He is most likely referring to hacker attacks against Brazilian power supplies in 2005 and 2007. The report states, "Several prominent intelligence sources confirmed that there were a series of cyber attacks in Brazil: one north of Rio de Janeiro in January 2005 that affected three cities and tens of thousands of people, and another, much larger event beginning on Sept. 26, 2007."*

So when you're watching the inevitable action movies this Christmas, don't scoff at the evil hacker elements of the baddys' plans. They're probably realistic.

Watch the report or read about it.

* UPDATE: Brazilian government officials have recently denied that the 2007 blackout was the result of hacker action. The cause was apparently "pollution in the chain of insulators due to deposits of soot", as claimed in a report by Brazil’s independent systems operator group (Spanish).

Ebay disk contained rocket launch codes

A hard disk bought from eBay contained launch procedures for a ground to air missile launch system.

According to the BBC, researchers from BT and the University of Glamorgan bought disks from the UK, America, Germany, France and Australia. They then examined these disks to see if they contained sensitive data.

How hard is it to analyse second hand disks? According to Professor Blyth from the University of Glamorgan, "It's not rocket science."

CCTV+

A new control and command centre has been set up by the Port of Long Beach. It has been designed to monitor the comings and goings at the port - and it's very high-tech. Some of the technology is new, while some is still experimental.

Look out for the face recognition system in the background of this video from the BBC.

Traffic Light Hackers

It's just like in the movies (again): Traffic Light Hackers.

Die Hard 4.0 - total bollocks?

A magazine called Total Film asked me to decide whether or not the hacker plotline for Die Hard 4.0 was "bollocks". As I understand it, the story involves a group of hackers that strike at the vulnerable United States computer infrastructure. The baddies systematically shut this system down, beginning with the traffic lights and moving on to crash banking networks and the stock market, thus crippling the economy.

That does sound like a rather ambitious hack and I've not seen the film, so I'm not in a position to comment on any techniques they might use. But essentially there are precedents for the types of attack mentioned above. And let's not forget that self-professed "bumbling amateur" Gary McKinnon managed to access military systems without much effort, allegedly causing $700,000 worth of damage.

So, with that in mind, here was my initial response:

"No, it's not bollocks. All computer systems have weak points, even military and government networks. There have already been real-life cases of hackers disabling US traffic lights by hacking into the central control computer, breaking into banks and even attacking the California power grid. The Russian stock market was hammered by a virus last year, so Bruce had better dig out his copy of Norton AntiVirus quick."

Stars Of Illegal CCTV

It's hardly news that we're under fairly constant scrutiny by video cameras. Closed Circuit TV (CCTV) has been around for a long time in the UK, and webcams mean that everyone can operate their own home video security systems without spending a packet. It seems that the UK has more CCTV cameras than in any other European country. The interesting news is that most of these CCTV cameras are illegal.

According to a report in The Times, "A new national advisory body for the industry, CameraWatch, which has the backing of the police and the Information Commissioner’s Office, claimed yesterday that the vast majority of CCTV is used incorrectly and could potentially be inadmissable in court."

Note that CameraWatch's concern is about how useful the footage will be in a court, rather than anything to do with our rights not to be watched 24/7.

According to The Times, "The proliferation of CCTV by councils, housing associations, businesses, private individuals and police mobile units means that there is estimated to be one camera for every fourteen people. The Home Office has committed £63 million to installing systems." And as many as 90 per cent of these are illegal.

Although the public seems to be relatively unbothered by CCTV, not everyone is happy about its prevalence. Deputy chief constable Ian Readhead has spoken out about his concerns that Britain could become an Orwellian society. It would be easy to become paranoid about Big Brother, especially when the police start getting nervous, but this gives more credit than is due to 'them'. 'They', by the way, are the shadowy people/organisations behind any scary conspiracy theory.

We are a long way off having an intelligent, integrated eye in the sky capable of analysing our every move. Things just aren't as well organised behind the scenes as we'd like/hate to think.

The fact that terrorist suspects are able to carry bombs around, escape surveillance and fly in and out of the UK means that, unless the security services are playing a particularly long game, there are gaps. And these gaps mean that no-one is going to scrutinise you walking down Oxford Street eating a sandwich. If they do, they won't communicate the fact to the other camera operators who pick you up as you reach Tottenham Court Road sucking on a Cola.

Is Your Webcam Legal?

Do you operate an illegal CCTV system? Here are three easy questions that can give you a good idea.

• Do you ever operate the cameras remotely in order to zoom in/out or point in different directions to pick up what particular people are doing?
• Do you ever use the images to try to observe someone’s behaviour for your own business purposes such as monitoring staff members?
• Do you ever give the recorded images to anyone other than a law enforcement body such as the police?

If you answer 'yes' to any of these then, according to the Information Commissioner's Office, then you are subject to the Data Protection Act (DPA). If you answer 'no' to all of them then you're OK. The DPA has specific regulations and also a set of guidelines that you should follow.