
Monday, September 17, 2012

Agile Cyberweapons, Genesis 2:19

I have been reading about Flame, another Middle Eastern-targeted computer virus along the lines of STUXNET.

Since I wrote about STUXNET, the NY Times has reported that STUXNET was the product of a US-Israeli collaboration to attack Iran's nuclear infrastructure.

Flame, apparently, is related to STUXNET according to this post.  The claim is that there is common DLL code shared between the two, as well as other shared aspects of operation, e.g., similar temp-file names and similar mutex names.

All in all, pretty convincing evidence that at some level the two shared common authors.

Using this analysis, researchers have concluded that it's likely Flame was created first and possibly used to gain information about how to build and target STUXNET.
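As an added illustration of the kind of artifact-overlap analysis such attribution claims rest on (example code written for this page, not from the original post or from the cited research; every mutex, temp-file and export name below is a constructed placeholder, not a real Flame or Stuxnet indicator), here is a small script that normalizes each sample's artifact inventory, scores the overlap per category, and lists the concrete shared items an analyst would cite as evidence:

```python
"""Score operational-artifact overlap between two malware samples.

Added example, not code from the original post. All artifact names are
constructed placeholders, not real Flame or Stuxnet indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class SampleArtifacts:
    """Artifacts recovered from one sample during analysis (constructed)."""
    name: str
    mutexes: set[str] = field(default_factory=set)
    temp_files: set[str] = field(default_factory=set)
    dll_exports: set[str] = field(default_factory=set)


def normalize(value: str) -> str:
    """Lower-case, drop path/namespace prefixes, collapse digit runs.

    "C:\\Windows\\Temp\\~DEB001.tmp" and "~deb912.tmp" both become
    "~deb#.tmp", so numbered variants of one naming scheme compare equal.
    """
    tail = value.lower().rsplit("\\", 1)[-1]
    return re.sub(r"\d+", "#", tail)


def jaccard(a: set[str], b: set[str]) -> float:
    """Set similarity in [0, 1]; two empty sets carry no evidence, so 0."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def _categories(sample: SampleArtifacts) -> dict[str, set[str]]:
    return {
        "mutexes": {normalize(m) for m in sample.mutexes},
        "temp_files": {normalize(t) for t in sample.temp_files},
        "dll_exports": {normalize(e) for e in sample.dll_exports},
    }


def compare(x: SampleArtifacts, y: SampleArtifacts) -> dict[str, float]:
    """Per-category Jaccard overlap of normalized artifacts."""
    cx, cy = _categories(x), _categories(y)
    return {k: jaccard(cx[k], cy[k]) for k in cx}


def shared_artifacts(x: SampleArtifacts, y: SampleArtifacts) -> dict[str, set[str]]:
    """The normalized items both samples have in common (the citable evidence)."""
    cx, cy = _categories(x), _categories(y)
    return {k: cx[k] & cy[k] for k in cx}


def likely_shared_origin(scores: dict[str, float],
                         threshold: float = 0.5,
                         min_categories: int = 2) -> bool:
    """Flag when at least `min_categories` independent categories overlap strongly.

    Requiring several categories guards against a single coincidental match
    (e.g. one generic mutex name) driving the conclusion. Thresholds are
    illustrative assumptions, not values from any published analysis.
    """
    return sum(score >= threshold for score in scores.values()) >= min_categories


# Constructed inventories for two hypothetical samples.
SAMPLE_A = SampleArtifacts(
    name="sample-A",
    mutexes={"Global\\ExampleMtx01", "Global\\UpdaterLock", "Local\\Stage2"},
    temp_files={"C:\\Windows\\Temp\\~DEB001.tmp", "C:\\Windows\\Temp\\~ZFF042.tmp"},
    dll_exports={"ExampleEntry", "RunStage", "CleanupHook"},
)
SAMPLE_B = SampleArtifacts(
    name="sample-B",
    mutexes={"Global\\ExampleMtx77", "Global\\UpdaterLock", "Local\\Stage2", "Local\\Keylog"},
    temp_files={"C:\\Windows\\Temp\\~DEB912.tmp", "C:\\Users\\x\\AppData\\Local\\Temp\\report.dat"},
    dll_exports={"ExampleEntry", "RunStage", "Exfil"},
)

if __name__ == "__main__":
    scores = compare(SAMPLE_A, SAMPLE_B)
    for category, score in scores.items():
        print(f"{category:12s} overlap={score:.2f} shared={sorted(shared_artifacts(SAMPLE_A, SAMPLE_B)[category])}")
    print("likely shared origin:", likely_shared_origin(scores))
```

The normalization step matters more than the scoring: raw mutex and temp-file names usually carry per-run random or numeric suffixes, so comparing them verbatim under-reports genuine reuse, while over-aggressive normalization (collapsing all hex-looking runs, say) manufactures matches that are not there. The multi-category requirement is what turns "these two share a mutex name" into a defensible code-sharing claim.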

There are some interesting side elements to these stories.

For one, the fact that Iran stole Siemens controller software (Windows-based) to drive its centrifuges.

Two, that government cyberweapon developers used a two-phase approach to attack these systems, relying on standard Windows exploits, e.g., various 0-day exploits and exploits that use USB drives to spread the virus.

Now what do these points imply?

For one, Iran is unable or unwilling to develop its own controls for centrifuges.  I think this is an interesting point.

Clearly they are off on their own developing nuclear capabilities.  But they are not really doing so independently.  They have to rely on standard US cyber infrastructure technology to do it.

So just what else might be going on inside Iran using computers that are not home-grown and hence vulnerable to attack by the West?

Missile guidance software, command and control (mission control) software, software for calculating targeting and flight plans?

Viruses like Flame seem to be designed to capture what people working on these types of systems might be doing - surfing the internet to US sites to find key information (hence Flame's ability to take screenshots while the user is browsing .gov-class sites).

So is Iran simply stealing these critical technologies from the US?

It's hard to say.  But it certainly seems like Windows is the common element in all of this - both on the side of the target (Iran) and the attacker (US).

One imagines, for example, that their missile guidance software cannot be 100% home grown - clearly their missiles must be made from standardized parts to some degree - otherwise it would take too long to develop.  Look at how long it took the Germans and the US (Goddard) to develop reliable launch systems.

While I think it's unlikely that Windows is flying along on these missiles, my guess is that the software used to build, test, and simulate flight control is probably Windows based and therefore a likely target for something like Flame.

I think it's also likely that there is exposure inside Iran to the outside world via the internet, e.g., Flame returning data to its controllers via internet connections.

So one imagines engineering folks inside Iran basically Googling for technical information from western web sites.

My, but don't we all rely on the internet a bit too much...?

Flame is basically a tool for visualizing the computational infrastructure inside Iran.

And with the knowledge it brings, it allows the US to devise counterattacks...

So given this kind of knowledge and tools, one wonders how software is developed and tested in Iran.

My guess is that they use modern Agile-like techniques to work with stolen technologies.  Clearly they are stuck, at least in part, developing from scratch in areas where they cannot buy or steal components - both hardware and software.

But clearly even I could find a substantial amount of rocket science (as I have posted here) freely available.  No doubt with a bit more effort I could find substantial software and technical data freely available.

A state like Iran probably has its own cyberweapons coders who could likely penetrate US and western rocket sites to capture more design and technical data.

My guess is that Israel does not feel that this alone is sufficient to stop Iran.  Certainly they can slow them down and cost them a lot of money in purchasing replacement centrifuges (STUXNET was designed to damage centrifuges beyond repair while displaying GUI information indicating that everything was working at 100% of capacity).

It probably gives them and the US precise tools for viewing Iran's progress.

So why is there no action?

In the region only Israel is currently a nuclear power, and I believe they plan to keep it that way.

A nuclear Iran is a very scary scenario that I believe no one wants to see - at least no one rational.

But sadly, our US policy seems more or less ambivalent and perhaps too reliant on high-tech spook tools.

Cyberweapons are not a substitute for actual weapons or military superiority.

However, the current administration seems to believe otherwise.

Mahmoud Ahmadinejad, Iran's president, seems quite focused on creating another Holocaust in response to the biblical exploits of Abraham, Jacob and Ishmael (Genesis 2:19).

It's a wonder that this conflict is still today at the forefront of the best technical minds in Iran and is the basis for mass destruction.

It's also a wonder that the US administration seems at best distracted from this issue by campaigning, an issue which, if improperly handled, will change forever the face of the planet.
