Watching The Drone Watchers

I smell China, or maybe Russia. The fact that the virus keeps resisting efforts to remove it shows that there’s some sophistication involved.

U.S. Military Drones Infected With Mysterious Computer Virus

A fleet of U.S. military drones on a Nevada Air Force base has been infected by a keylogger virus that tracks every key and button their pilots press, Wired.com reported Friday — and top Air Force sources strongly contested.

The virus was first noticed by officials at Creech Air Force Base nearly two weeks ago using the base’s security system. It logged every keystroke of the pilots in the control room on the base as they remotely flew Predator and Reaper drones on missions over Afghanistan and other battle zones.

There has been no confirmation of information being lost or sent to an outside source, but the virus has been resistant to military efforts to clear it from the system.

“We keep wiping it off, and it keeps coming back,” a source told Wired.

See also:
Exclusive: Computer Virus Hits U.S. Drone Fleet
Computers Controlling Military Drones Reportedly Infected with Virus
Computer Virus Attacks U.S. Military Drones: Wired
Keylogger virus hits US drone operations
Combat drones’ computer systems reportedly infected with virus
Computer virus hits US’ Predator drone fleet
US war drones keep flying despite computer virus
America’s Drones Have Been Infected by a Virus
Virus infects Pentagon drones’ computers
U.S. Drone Controllers Said To Be Infected By Computer Virus
US drones hit by virus
U.S. Military Facing a Battle Unlike Any Other
Cyberwar: a Whole New Quagmire – When the Drones Come To Roost
Creech Air Force Base

Theses computers didn’t just infect themselves, they were almost surely infected by someone, either deliberately or unwittingly, connecting a malware infected memory stick or other portable media storage device to the network. This has been a known attack vector for a long time now and it’s easily preventable, simply don’t allow portable media storage devices anywhere near classified computer networks!

/search all personnel coming and going if that’s what it takes, it’s a small price to pay for avoiding potentially catastrophic security breaches like this

They Got Fooled Again

Much like the United States, Iran seems to have a real problem protecting its computer networks. Someone seems to be obsessed with sabotaging their nuclear program. I wonder who that might be?

Second computer virus infiltrates Iran’s computer systems

Iran has discovered a second computer virus designed to damage government computer systems.

The discovery of the virus, called Stars, was announced Monday by a senior Iranian official, Gholam-Reza Jalali, head of an Iranian cyberdefense agency, according to reports.

Jalali said in a statement that the damage from the virus, which looks like a regular government computer file, has been minimal and that Iranian scientists are currently studying the virus.

The virus was aimed at nuclear facilities, according to the Washington Post, and seems to suggest “a broader campaign by foreign saboteurs to undermine Iran’s atomic energy program.”

See also:
New Computer Strike Could Target Iranian Atomic Sites
Fresh Virus Outbreak Affects Iran’s Computer Systems
Iran discovers 2nd virus attack
New cyber attack targets Iran
Iran Claims Stars Virus a Second Cyber-Attack
Iranian official: New computer worm discovered
Iran investigates Stars virus
Iran Says It Was Targeted With Second Worm, Stars
As the Worm Turns: Iran Sees Stars
Iran says is uncovers second cyber attack
Iran Under Fresh Malware Attack
Security experts can’t verify Iran’s claims of new worm
Is the Stars Worm Just a Hoax?

Well, I certainly hope the Stars virus attack on Iran’s nuclear program isn’t a hoax and does as much damage as the Stuxnet worm, which was apparently wildly more effective than Iran is admitting to.

/you’ll note that Iran still hasn’t managed to power up the Bushehr reactor, which is as good a yardstick as any that their nuclear program has been ground to a halt

It’s Another New Record And For All The Wrong Reasons

It’s Tuesday, and we all know what fun event happens on Tuesdays.

Patch Tuesday brings record harvest of security fixes

Run Windows? Notice a little icon toward the bottom right of the screen that wasn’t there last night? Please don’t ignore it. That icon is your cue to take part in the monthly Microsoft ritual called Patch Tuesday.

For this month, Microsoft shipped a set of 16 patches that close a record 49 vulnerabilities in such software as Internet Explorer, Word and Windows Media Player.

Many of these holes allow a remote takeover of your computer, in some cases after you do nothing wrong beside visit the wrong Web page. One such opening has frequently been exploited by the Stuxnet worm that’s been running around the world.

Your computer should at least download, if not download and install, these updates for you. But if not, don’t reject Windows’ attempt to help you out. Click that icon, look over the resulting list of security updates, and install them.

See also:
Microsoft security updates for October 2010
Microsoft Plugs a Record 49 Security Holes
It’s Microsoft Patch Tuesday: October 2010
Microsoft Unleashes Massive Security Patch
Microsoft fixes record 49 holes, including Stuxnet flaw
Microsoft Releases Biggest-ever Security Update
Patch Tuesday: Critical flaws haunt Microsoft Office, IE browser
Microsoft Patches Stuxnet Vulnerability in Massive Security Update
Microsoft releases fixes for record number of vulns
Microsoft aims barrage of fixes at Stuxnet and more

So, you know what to do, clean up after Microsoft’s crappy software before someone remotely takes over your computer with a worm and you become part of the problem.

/unless you’re Iranian, in which case there’s a special set of patches coming out for your computers and they download and install themselves so you don’t even need to worry about this latest bulletin

Pushing The Cyberwarfare Envelope

A computer worm so sophisticated that it attacks specific targets in specific countries, gee I wonder who would be capable of developing something that advanced?

Stuxnet Compromise at Iranian Nuclear Plant May Be By Design

Iran has confirmed that more than 30,000 PCs have been infected by the Stuxnet worm in that country, including some at the Bushehr nuclear power plant. The nature of the Stuxnet worm and the infiltration of Iranian nuclear facilities has led to speculation about whether the worm was developed by the United States or its allies expressly for that purpose.

The Pentagon response to the implication is the standard cagey reply given for just about anything related to national security or military engagements. Fox News reports that, “Pentagon Spokesman Col. David Lapan said Monday the Department of Defense can “neither confirm nor deny” reports that it launched this attack.”

McAfee AVERT Labs has a thorough analysis of the Stuxnet worm which explains the threat in detail. “Stuxnet is a highly complex virus targeting Siemens’ SCADA software. The threat exploits a previously unpatched vulnerability in Siemens SIMATIC WinCC/STEP 7 (CVE-2010-2772) and four vulnerabilities in Microsoft Windows, two of which have been patched at this time (CVE-2010-2568, CVE-2010-2729). It also utilizes a rootkit to conceal its presence, as well as 2 different stolen digital certificates.”

Another interesting tidbit from McAfee supporting the speculation that Iran may have been the intended target of Stuxnet is that the initial discovery seemed to be primarily focused in the Middle East.

Speaking on the subject of whether the threat may have been specifically crafted for Iran, Randy Abrams, director of technical education at ESET said, “It appears that it is possible that Stuxnet may have been responsible for problems in Iran’s nuclear program over the past year, however that is speculation and it is unlikely that the Iranian government is going to say if that was the case. It is even possible that it was the case and they don’t know it.”

Abrams added, “It is entirely possible that Stuxnet was created by the United States working alone or in conjunction with allies. The fact that it is possible does not indicate it is true however. There have been a number of recent defections in Iran. It is also possible that this was an internal attack. There is still a legitimate question as to whether or not Iran was actually the target.”

See also:
Stuxnet Update
Iranian power plant infected by Stuxnet, allegedly undamaged
Iran admits Stuxnet worm infected PCs at nuclear reactor
Pentagon Silent on Iranian Nuke Virus
Stuxnet Worm Affects 30,000 Computers in Iran
Stuxnet worm assault on Iranian nuclear facilities’ computers may be Western cyber attack: experts
Computer worm infects Iran’s nuclear station
Stuxnet: Future of warfare? Or just lax security?
Stuxnet – a new age in cyber warfare says Eugene Kaspersky
Has the West declared cyber war on Iran?
Web virus aimed at nuclear work, says Tehran
Report: Stuxnet Worm Attacks Iran, Who is Behind It?
US, Israel behind cyber-attack on Iran?

Well, diplomacy sure as hell isn’t working and no one really wants to launch airstrikes against the Iranian nuclear facilities, especially fraidy cat Obama. So, maybe this is a third option, use the Iranians’ own computers to remotely destroy their nuclear related equipment, perfect, if it actually works. I know I’ve got my fingers crossed. Go U.S. or go Israel or go whoever is responsible for this brilliant plan!

/all your nuclear related computers are belong to us!

The Cyberwar Rages 24/7

Corporations’ cyber security under widespread attack, survey finds

Around the world, corporations’ computer networks and control systems are under “repeated cyberattack, often from high-level adversaries like foreign nation-states,” according to a new global survey of information technology executives.

The attacks include run-of-the-mill viruses and other “malware” that routinely strike corporate defenses, but also actions by “high-level” adversaries such as “organized crime, terrorists, or nation states,” a first-time global survey by the Center for Strategic and International Studies (CSIS) in Washington has found. More than half of the 600 IT managers surveyed, who operate critical infrastructure in 14 countries, reported that their systems have been hit by such “high-level” attacks, the survey concludes.

A large majority, 59 percent, said they believed that foreign governments or their affiliates had already been involved in such attacks or in efforts to infiltrate important infrastructure – such as refineries, electric utilities, and banks – in their countries.

Such attacks, the survey said, include sophisticated denial-of-service attacks, in which an attacker tries to so overwhelm a corporate network with requests that the network grinds to a halt.

But they also include efforts to infiltrate a company. Fifty-four percent of the IT executives said their companies’ networks had been targets of stealth attacks in which infiltration was the intent. In two-thirds of those cases, the IT managers surveyed said company operations had been harmed.

The IT managers also believed that these “stealthy” attacks were conducted by “nation states” targeting their proprietary data, says the survey’s main author, CSIS fellow Stewart Baker, in a phone interview. Mr. Baker is a cybersecurity expert formerly with the Department of Homeland Security and National Security Agency.

“It’s all the same kind of stuff – spear-phishing, malware, taking over the network and downloading-whatever-you-want kind of attack,” he says. “Over half of these executives believe they’ve been attacked with the kind of sophistication you’d expect from a nation state.”

The CSIS report describes such attacks as “stealthy infiltration” of a company’s networks by “a high-level adversary” akin to a “GhostNet,” or large spy ring featuring “individualized malware attacks that enabled hackers to infiltrate, control and download large amounts of data from computer networks.” The GhostNet attacks, which Canadian researchers attributed to Chinese state-run agencies, bear similarities to recent attacks on Google and other high-tech companies, Baker says. Google attributed attacks on it to entities in China.

Read the report:
In the Crossfire: Critical Infrastructure in the Age of Cyber War

See also:
In the Crossfire: Critical Infrastructure in the Age of Cyber War
Report: Critical Infrastructures Under Constant Cyberattack Globally
Utilities, Refineries and Banks Are Victims of Cyber Attacks, Report Says
Critical Infrastructure under Siege from Cyber Attacks
Critical Infrastructure Vulnerable To Attack
Critical Infrastructure Security a Mixed Bag, Report Finds
Report shows cyberattacks rampant; execs concerned
Key infrastructure often cyberattack target: survey
Critical infrastructure execs fear China
SCADA system, critical infrastructure security lacking, survey finds

Ironically, the more dependent we become on interconnected network technology, the more vulnerable we become too.

/so keep your fingers crossed and your computers patched against hacking and intrusion, at least you can do your part to avoid being part of the problem

Health Care, Conficker Style

This is certainly a disturbing development.

Conficker worm hits hospital devices

A computer worm that has alarmed security experts around the world has crawled into hundreds of medical devices at dozens of hospitals in the United States and other countries, according to technologists monitoring the threat.

The worm, known as “Conficker,” has not harmed any patients, they say, but it poses a potential threat to hospital operations.

“A few weeks ago, we discovered medical devices, MRI machines, infected with Conficker,” said Marcus Sachs, director of the Internet Storm Center, an early warning system for Internet threats that is operated by the SANS Institute.

Around March 24, researchers monitoring the worm noticed that an imaging machine used to review high-resolution images was reaching out over the Internet to get instructions — presumably from the programmers who created Conficker.

The researchers dug deeper and discovered that more than 300 similar devices at hospitals around the world had been compromised. The manufacturer of the devices told them none of the machines were supposed to be connected to the Internet — and yet they were. And because the machines were running an unpatched version of Microsoft’s operating system used in embedded devices they were vulnerable.

Normally, the solution would be simply to install a patch, which Microsoft released in October. But the device manufacturer said rules from the U.S. Food and Drug Administration required that a 90-day notice be given before

“For 90 days these infected machines could easily be used in an attack, including, for example, the leaking of patient information,” said Rodney Joffe, a senior vice president at NeuStar, a communications company that belongs to an industry working group created to deal with the worm. “They also could be used in an attack that affects other devices on the same networks.”

Joffe, who is scheduled to testify before Congress on Friday, said he will ask lawmakers to remove the barriers to coordination between federal agencies so that cyberthreats like Conficker can be addressed.

In addition to the medical-imaging machines, Joffe said the working group has seen thousands of other machines located in hospitals reach out to the Conficker mastermind by contacting another computer on the Internet for instructions. Researchers have not determined the function of these machines. They could be a personal computer sitting on a secretary’s desk or more sensitive medical devices linked to patient care.

See also:
Conficker infected critical hospital equipment, expert says
Conficker Worm Hits U.S. Hospitals, Infecting Computers and Equipment
Conficker spotted in critical medical equipment
Hospital devices face threats from Conficker computer worm
Conficker infected critical hospital equipment
The Microsoft Tax: Windows Conficker worm hits hospital devices; Macintosh unaffected
Report: Conficker in attack mode
Conficker adds new weapon: spam
Conficker virus begins to attack PCs
SANS Internet Storm Center
Internet Storm Center
SANS Institute
SANS Institute
NeuStar
NeuStar
W32/Conficker.worm
Conficker
Protect yourself from the Conficker computer worm
Conficker Worm: Help Protect Windows from Conficker

Like with the swine flu, if everyone would just take basic, common sense precautions, they won’t have any problems with Conficker and won’t play a part in helping spread it to others.

/do your part, keep your Windows PCs up to date with the most current Microsoft patches and always run currently updated anti-virus and firewall software