FLASH: The New York Times reported this morning that President Obama (and his predecessor) ordered a sophisticated campaign of cyberattacks against Iran's nuclear program, and has either attacked or considered attacking networks in China, Syria, and North Korea as well. Because the publication of this story is likely to herald substantive and far-ranging changes in the way cybersecurity is managed in the US and in many other countries, we have included an analysis by Gautham Nagesh. Under normal circumstances, his thoughtful, in-depth analyses are available only to paid subscribers to CQ Roll Call "Executive Briefing on Technology." This is an abnormal circumstance. There is great value in the security community understanding that the game has changed, and what it means.

Alan

PS Another very valuable piece of cybersecurity reporting will appear on the front page of the Washington Post on Sunday or Monday and then be discussed on National Public Radio (the Diane Rehm show) on Monday morning.

TOP OF THE NEWS

--President Obama Ordered Stuxnet and More Attacks on Iran (June 1, 2012)
(By Gautham Nagesh, CQ Executive Briefing on Technology)
The New York Times has a bombshell this morning: President Obama began ordering cyberattacks on Iran within days of taking office. The story, which is a must-read, finally confirms what many cybersecurity experts have suspected: the Stuxnet worm, which disabled industrial equipment in Iran and Europe, was originally designed by Israel and the U.S. to slow down Iran's nuclear enrichment plant. The virus' escape from Iran's Natanz plant and subsequent discovery in Germany in 2010 was a mistake that U.S. authorities blamed on Israel. Former CIA chief Michael Hayden also acknowledged to the Times that Stuxnet is the first major cyberattack intended to cause physical destruction (to Iranian centrifuges). "Somebody crossed the Rubicon," he said.
The article includes a history of the classified cyberweapons program, dubbed "Olympic Games," which began under President Bush, and includes details of how President Obama decided that digital attacks were preferable to a potential military conflict between Iran and Israel. But the bottom line is that President Obama (and his predecessor) ordered a sophisticated campaign of cyberattacks against Iran's nuclear program, and has either attacked or considered attacking networks in China, Syria, and North Korea as well. The Obama administration previously acknowledged that it might respond to cyberattacks with physical force, but the report makes it clear that even as the U.S. was making those threats, it was perpetrating cyberattacks on the very nations it accuses of targeting its networks. In doing so, the White House has seemingly opened a Pandora's box. Administration officials have placed a greater emphasis on cybersecurity and the threat to our nation's networks than any previous administration, doubtless because they had first-hand knowledge of just how much damage sophisticated cyberattacks are capable of causing. Those officials might have also feared reprisals from nations that were targeted by Stuxnet and other digital attacks from the U.S. The revelation also sheds some light on the Pentagon's reluctance to outline its cyberwarfare policies in detail, since doing so might have involved disclosing to Congress that the U.S. already was fully engaged in online battle. Having taken such an aggressive stance on deploying Stuxnet, it will be very difficult for the U.S. to keep casting itself as the innocent victim of unprovoked attacks by countries looking to steal our economic and military secrets. Today's report makes it clear that the White House long ago decided to embrace digital warfare, and puts the onus squarely back on the administration to clearly explain its rules of engagement online.
But the greatest impact may be internationally, where hostile nations now have confirmation the U.S. could be targeting their networks. If hackers in those countries weren't already attempting to take down U.S. critical infrastructure, they probably are now.
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?_r=1&pagewanted=all
Then the N.S.A. and a secret Israeli unit respected by American intelligence officials for its cyberskills set to work developing the enormously complex computer worm that would become the attacker from within.
The unusually tight collaboration with Israel was driven by two imperatives. Israel's Unit 8200, a part of its military, had technical expertise that rivaled the N.S.A.'s, and the Israelis had deep intelligence about operations at Natanz that would be vital to making the cyberattack a success. But American officials had another interest, to dissuade the Israelis from carrying out their own pre-emptive strike against the Iranian nuclear facilities. To do that, the Israelis would have to be convinced that the new line of attack was working. The only way to convince them, several officials said in interviews, was to have them deeply involved in every aspect of the program.
Soon the two countries had developed a complex worm that the Americans called "the bug." But the bug needed to be tested. So, under enormous secrecy, the United States began building replicas of Iran's P-1 centrifuges, an aging, unreliable design that Iran purchased from Abdul Qadeer Khan, the Pakistani nuclear chief who had begun selling fuel-making technology on the black market. Fortunately for the United States, it already owned some P-1s, thanks to the Libyan dictator, Col. Muammar el-Qaddafi.
When Colonel Qaddafi gave up his nuclear weapons program in 2003, he turned over the centrifuges he had bought from the Pakistani nuclear ring, and they were placed in storage at a weapons laboratory in Tennessee. The military and intelligence officials overseeing Olympic Games borrowed some for what they termed "destructive testing," essentially building a virtual replica of Natanz, but spreading the test over several of the Energy Department's national laboratories to keep even the most trusted nuclear workers from figuring out what was afoot.
Those first small-scale tests were surprisingly successful: the bug invaded the computers, lurking for days or weeks, before sending instructions to speed them up or slow them down so suddenly that their delicate parts, spinning at supersonic speeds, self-destructed. After several false starts, it worked. One day, toward the end of Mr. Bush's term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran's underground enrichment plant.
"Previous cyberattacks had effects limited to other computers," Michael V. Hayden, the former chief of the C.I.A., said, declining to describe what he knew of these attacks when he was in office. "This is the first attack of a major nature in which a cyberattack was used to effect physical destruction," rather than just slow another computer, or hack into it to steal data.
"Somebody crossed the Rubicon," he said.
Getting the worm into Natanz, however, was no easy trick. The United States and Israel would have to rely on engineers, maintenance workers and others -- both spies and unwitting accomplices -- with physical access to the plant. "That was our holy grail," one of the architects of the plan said. "It turns out there is always an idiot around who doesn't think much about the thumb drive in their hand."
...
But by the time Mr. Bush left office, no wholesale destruction had been accomplished. Meeting with Mr. Obama in the White House days before his inauguration, Mr. Bush urged him to preserve two classified programs, Olympic Games and the drone program in Pakistan. Mr. Obama took Mr. Bush's advice.
*The Stuxnet Surprise*
Mr. Obama came to office with an interest in cyberissues, but he had discussed them during the campaign mostly in terms of threats to personal privacy and the risks to infrastructure like the electrical grid and the air traffic control system. He commissioned a major study on how to improve America's defenses and announced it with great fanfare in the East Room.
What he did not say then was that he was also learning the arts of cyberwar <http://topics.nytimes.com/top/reference/timestopics/subjects/c/cyberwarfare/index.html?inline=nyt-classifier>. The architects of Olympic Games would meet him in the Situation Room, often with what they called the "horse blanket," a giant foldout schematic diagram of Iran's nuclear production facilities. Mr. Obama authorized the attacks to continue, and every few weeks -- certainly after a major attack -- he would get updates and authorize the next step. Sometimes it was a strike riskier and bolder than what had been tried previously.
"From his first days in office, he was deep into every step in slowing the Iranian program -- the diplomacy, the sanctions, every major decision," a senior administration official said. "And it's safe to say that whatever other activity might have been under way was no exception to that rule."
--Pentagon's Plan X Aims to Develop Robust Cyberwarfare Capabilities (May 30, 2012)
The Pentagon's Defense Advanced Research Projects Agency (DARPA) is launching a five-year, US $110 million research program dubbed Plan X. DARPA is seeking input from private sector organizations, universities, and computer game companies in its effort to develop improved cyberwarfare capabilities. Goals include creating a comprehensive map of cyberspace that is updated continuously, developing an operating system strong enough to launch cyber attacks and withstand counterattacks, and creating systems that allow commanders to launch speed-of-light attacks.
http://www.washingtonpost.com/world/national-security/with-plan-x-pentagon-s...

--US Legislators Poised to Reauthorize FISA Amendments Act (May 31, 2012)
US legislators appear to be ready to reauthorize the FISA Amendments Act, which grants the government authority to conduct warrantless surveillance on American citizens. The law allows the government to eavesdrop on phone calls and email correspondence of Americans as long as one of the parties in the conversation is outside the US. The FISA Amendments Act requires the Foreign Intelligence Surveillance Act Court to give blanket approval to electronic surveillance requests. The target of the surveillance does not have to be identified, and the surveillance can begin up to a week before the request is made. The FISA Court rulings are not public. Some US legislators did say that intelligence agencies need to be more accountable for how they are using the authority.
http://www.wired.com/threatlevel/2012/05/congress-mulls-spy-powers/

--Backdoor in Privacy Tool Sparks Concern Over Cyber Surveillance in Iran (May 30, 2012)
Versions of a privacy tool called Simurgh that contain backdoor components have been detected on filesharing sites in Iran, leading to speculation that the government could be using the software to spy on its citizens.
Simurgh, a proxy tool, is widely used in Iran to evade censorship technology that the government has put in place. Simurgh in its original form is standalone software that can be run from a USB stick. The version with the backdoor must be installed on PCs. It has the capacity to log users' keystrokes and gather information about which sites they visit. The harvested data are sent to US-based servers that are registered to a Saudi Arabian organization. Because both versions of the software connect with a page that confirms the use of a proxy, the developers are using the opportunity to warn users whose versions appear to be infected.
http://www.theregister.co.uk/2012/05/30/trojaned_privacy_tool_hits_iran/
[Editor's Note (Ullrich): Hashes are good. Even better to have the software digitally signed. If you are publishing software, and you are not offering signatures, you are putting your customers (and with that your reputation) at risk.]

--White House Anti-Botnet Effort (May 29 & 30, 2012)
The US government is planning to take a number of steps in an effort to fight botnets. The coordinated efforts will be undertaken by the Departments of Commerce and Homeland Security, the White House Cybersecurity Office, and the Industry Botnet group, a coalition of private organizations. Plans include increased sharing of information about botnets among government agencies and private organizations and a campaign to educate consumers about botnets.
http://krebsonsecurity.com/2012/05/white-house-aims-to-stoke-botnet-fight/
http://www.computerworld.com/s/article/9227569/White_House_launches_coordina...
http://news.cnet.com/8301-1009_3-57443380-83/white-house-prepares-to-convene...
http://www.darkreading.com/threat-intelligence/167901121/security/antivirus/...
http://www.nextgov.com/cybersecurity/2012/05/new-partnership-aims-combat-zom...
[Editor's Note (Ullrich): The US Govt. might consider just declaring Wednesday "Botnet Day". Appears these efforts spring up about once a week.]
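Picking up Ullrich's note on the Simurgh item above (a published hash helps, a publisher signature helps more), here is an added example that is not part of the NewsBites digest and not code from Simurgh or any other project named in it. It uses only the Python standard library, so the signature scheme is a Lamport one-time signature built from SHA-256, standing in for the GPG or platform code-signing signature a real publisher would ship; the release bytes, the publisher key pair and the substituted-download scenario are all constructed for the example. It shows the distinction the note is making: a hash file served next to the download can be replaced along with the download, so it cannot by itself tell a user that a trojaned copy was substituted, while a signature under the publisher's key cannot be forged by whoever controls the download site.

```python
"""Release verification: a published hash versus a publisher signature.

Added example (not from the digest). The signature scheme is a Lamport
one-time signature over SHA-256, chosen only because it needs no third-party
library; a real publisher would use GPG/Ed25519 or platform code signing.
"""
import hashlib
import secrets

HASH = hashlib.sha256
N_BITS = 256  # the SHA-256 digest of the release is signed bit by bit


def keygen():
    """Lamport one-time key pair.

    Private key: 256 pairs of random 32-byte secrets.
    Public key: SHA-256 of each secret. The public key is safe to publish; a
    secret is revealed only when it is used to sign one bit of one message,
    which is why a Lamport key must never sign a second message.
    """
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N_BITS)]
    pk = [(HASH(a).digest(), HASH(b).digest()) for a, b in sk]
    return sk, pk


def release_digest(data: bytes) -> bytes:
    return HASH(data).digest()


def _bit(digest: bytes, i: int) -> int:
    """Bit i of the digest, most significant bit first."""
    return (int.from_bytes(digest, "big") >> (N_BITS - 1 - i)) & 1


def sign(sk, data: bytes):
    """For each bit of the release digest, reveal the matching private value."""
    d = release_digest(data)
    return [sk[i][_bit(d, i)] for i in range(N_BITS)]


def verify(pk, data: bytes, sig) -> bool:
    """Recompute the digest from the bytes actually downloaded, then check
    every revealed value against the public key the user obtained out of band."""
    if len(sig) != N_BITS:
        return False
    d = release_digest(data)
    return all(HASH(sig[i]).digest() == pk[i][_bit(d, i)] for i in range(N_BITS))


# --- constructed scenario: not real Simurgh bytes, not a real key ---
ORIGINAL = b"simurgh-proxy-1.0 (constructed sample release bytes)"
TROJANED = ORIGINAL + b" + constructed backdoor component"

PUBLISHER_SK, PUBLISHER_PK = keygen()          # publisher keeps SK, publishes PK
PUBLISHED_HASH = release_digest(ORIGINAL).hex()  # the hash file beside the download
PUBLISHED_SIG = sign(PUBLISHER_SK, ORIGINAL)     # the signature beside the download


def check_download(data: bytes, hash_hex: str, sig, pk=PUBLISHER_PK) -> dict:
    """What a user can conclude from the hash file and from the signature."""
    return {
        "hash_ok": release_digest(data).hex() == hash_hex,
        "sig_ok": verify(pk, data, sig),
    }


def substituted_download_case() -> dict:
    """Whoever controls the download site swaps the binary AND the hash file,
    so the hash check passes. Without PUBLISHER_SK they cannot produce a
    signature for the new bytes, so re-serving the old signature fails."""
    replaced_hash = release_digest(TROJANED).hex()
    return check_download(TROJANED, replaced_hash, PUBLISHED_SIG)


if __name__ == "__main__":
    print("genuine download:", check_download(ORIGINAL, PUBLISHED_HASH, PUBLISHED_SIG))
    print("substituted download, hash file also replaced:", substituted_download_case())
```

The verification side is what matters for users: the public key has to come from somewhere other than the download site (a key server, a prior release, a key fingerprint printed in documentation), otherwise the signature check degrades back into a hash check. Lamport keys are single-use, which is why this is only a stand-in; the verify-against-an-out-of-band-key logic is the same with GPG or a code-signing certificate.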
--Pentagon to Issue New Social Media Policy for DoD Employees (May 25 & 29, 2012)
A new policy to be used by the Pentagon will require troops to hide certain identifying information on social media sites. There have been reports that hackers could gather sensitive information, including military unit location, from some social media posts. The new policy comes in the wake of an attack on a dating site that compromised the personal information of military users. The new policy will require that DoD employees "use non-mission related contact information ... to establish personal accounts."
http://www.nextgov.com/cybersecurity/cybersecurity-report/2012/05/no-more-do...
http://gcn.com/articles/2012/05/29/dod-social-media-policy-no-dot-mil.aspx
[Editor's Note (Murray): We call this "operational security," OPSEC for short. OPSEC policy must be implemented with training.]

sdw
_______________________________________________
FoRK mailing list
http://xent.com/mailman/listinfo/fork

----- End forwarded message -----
--
Eugen* Leitl http://leitl.org