Winter Patriot Community Blog

Great snooping, McJ! You'd think these 'security' dickheads would learn the nature of their own business after a while, wouldn't you?

It's funny, I thought of the Crypto AG scam (and laughing again about it - too funny) when reading about all this and here you have them hooked up firmly with Siemens. Perfect. haha. And how smart are those Iranian security people (and all the others), eh? Good job they're not driving the bus. Oh, wait . . . . .

Yeah, I've found Eileen to be infallible (if not infallable) in these matters. She always leads the way to the bottom of things; fighting her way through all the hot air till she gets to the solid bedrock of cold, hard facts.

So that makes three of us on MIHOP. Ok, all holding hands now . . ready . . . one, two, three . . . . . Hop

Great work, McJ. Thanks again

There was a time -- within living memory, believe it or not -- when this story itself would have been considered "fantastic" ... as in "the stuff of fantasy".

Sending the decryption key as part of the ciphertext is so ... outrageous!

In the previous spy-gate thread you highlighted the danger of hard-coded credentials (*), and this is more or less the same trap-door as that one, only worse.

Hard-coded credentials entail coding the decryption key as part of the encryption/decryption program and the practice is well known to be very, very stupid -- if your aim is security.

The scheme described here is even more counter-security than hard-coded credentials, because it gives the sender the impression that he can change his keys at will. But whenever he does that, his new "encrypted" messages will simply contain his new "decryption key".

What's chilling and obvious about this scheme is that it could only have been developed by someone who understood its role completely from the get-go. This is such an obviously fraudulent "take" on "encryption"... I am lost for words. Wow!

~~~

(*) I am currently working on a project which actually uses hard-coded credentials, and this was one of the first things I noticed when I first saw the code. Yes! -- I could tell right away that there was something "funky" going on there, and any other programmer would have known instantly as well.

It turns out that the client knows all about it, wants it that way, and doesn't consider it "security feature" (just a place-holder for real security in a future version), so it's all right. But if none of the above were true, only thoroughly corrupt programmers could work on such a project. (Not that they are impossible to find, or anything...)

(**) I have always wondered, considering that the NoSuchAgency has long had control of all the encryption software sold legally in the USA, what "features" an encryption algorithm would have to contain in order to be approved by "the most powerful code-breaking agency on the planet" ... and this may be the answer (or something like it): the NoSuchAgency may have been approving only those "encryption" programs whose ciphertext could be read by anyone who knew where to look for the decryption key secretly embedded in the message. Of course I am just speculating here but wouldn't that be typically lame?!

(***) Thanks for the very kind words regarding the continuing saga, and -- ironically? or is irony dead?? -- Holmes and Watson are just about to get into a discussion of basic cryptography / cryptanalysis !!

So ... this is all not only excellent but also very timely in more ways than one.

Thanks and please keep rockin'!

Thanks WP and AP. It was a very fortuitous stumble!

AP: I hadn't read the piece by G. Duff but that is very interesting. He does some really good work.

WP: Thanks for the explanation! And as usual there seems to be a lot of synchronicity that happens on this blog. At least when we are active. I don't think your speculation about the NoSuchAgency is too far out. I know they are involved somehow with the keys that Microsoft puts in Windows for export out of the country. I read something about it in my snooping around about this. I will try to find it again.

This all takes some rethinking. If everyone knows what everyone else is doing (secretly, strategecally etc.) how does that effect their decision making. It must really change the game plan. And the rest of us schmoes are left going WTF.

I am also curious to know why Iran would buy software from Siemens considering the history. It almost appears they are in on the game this time. I am also curious about the connection to Taiwan with the stolen key coming from the Taiwan company Realtek and the fact that the worm has also attacked China.

I don't know where this is going and I am pressed for time right now so I hope to get back to this sometime this evening.

Symantec has just released a detailed paper with analysis of the Stuxnet code. You can get the pdf file at the link. http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossie...

It is a very technical report which is way over my head but I noted a couple of things which may or may not mean anything since I really don't understand the report.

This is their summary of the threat.

Stuxnet is a threat targeting a specific industrial control system likely in Iran, such as a gas pipeline or power plant. The ultimate goal of Stuxnet is to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intend them to, most likely out of their specified boundaries.
Stuxnet was discovered in July, but is confirmed to have existed at least one year prior and likely even before. The majority of infections were found in Iran. Stuxnet contains many features such as:
Self-replicates through removable drives exploiting a vulnerability allowing auto-execution.
• Microsoft Windows Shortcut ‘LNK/PIF’ Files Automatic File Execution Vulnerability (BID 41732)
Spreads in a LAN through a vulnerability in the Windows Print Spooler.
• Microsoft Windows Print Spooler Service Remote Code Execution Vulnerability (BID 43073)
Spreads through SMB by exploiting the • Microsoft Windows Server Service RPC Handling Remote Code Execution
Vulnerability (BID 31874).
Copies and executes itself on remote computers through network shares.•
Copies and executes itself on remote computers running a WinCC database server.•
Copies itself into Step 7 projects in such a way that it automatically executes when the Step 7 project is • loaded.
Updates itself through a peer-to-peer mechanism within a LAN.•
Exploits a total of four unpatched Microsoft vulnerabilities, two of which are previously mentioned vulner•
abilities for self-replication and the other two are escalation of privilege vulnerabilities that have yet to be disclosed.
Contacts a command and control server that allows the hacker to download and execute code, including up•
dated versions.
Contains a Windows rootkit that hide its binaries.•
Attempts to bypass security products.•
Fingerprints a specific industrial control system and modifies code on the Siemens PLCs to potentially sabo•
tage the system.
Hides modified code on PLCs, essentially a rootkit for PLCs.

Anyone know what the part I bolded mean? And what would be the reason they are not being disclosed?

Below is a screen clip of the Stuxnet Timeline. Notice the entries on July 17 and July 21. This means the Stuxnet drivers have been signed by certificates from both JMicron Technology Corp and Realtek Semiconductor Corp. Both these companies are from Taiwan and have offices in the the Hsinchu Science and Industrial Park. See link: http://www.securelist.com/en/blog/2236/Stuxnet_signed_certificates_frequ...

Also on page 6 there is chart showing the geographic distribution of the worm. Iran has by far the most infections at 58% with Indonesia next at 18% and India at 10%. China isn't even on the chart.

And finally on page 20 at the bottom of a section title "Windows Rootkit Functionality" Symantec added this comment.

"Guavas are plants in the myrtle (myrtus) family genus. In addition, according to Wikipedia, “Esther was originally named Hadassah. Hadassah means ‘myrtle’ in Hebrew.” Esther learned of a plot to assassinate the king and “told the king of Haman’s plan to massacre all Jews in the Persian Empire...The Jews went on to kill only their would-be executioners.” Symantec cautions readers on drawing any attribution conclusions. Attackers would have the natural desire to implicate another party."

It really struck me as a strangely inappropriate place for it.

In addition, there is this from Secure List which has done a series of posts on Stuxnet.
http://www.securelist.com/en/blog/283/Myrtus_and_Guava_Episode_5

Siemens also confirms that the worm is able to transmit process and production data, and that it attempts to establish a connection with the cybercriminals’ servers. At the moment, however, the servers are apparently inactive.

Are they spying with this worm as well. The big question - Who owns/controls the servers and what happens when and if they become active?

Let me see if I have the basics correct. Someone (PTB_US/ISRAEL) are setting things up via computer code that they can at a future time use to stuff up things(?) in Iran (our, latest worst enemy), but not doing a real good job of either doing it or hiding that it is them that is doing it. Phew! that was a sentence and a half. This of course makes the threat of cybert terrorism really scary, because we all know that the best terrorists in the world come from the countries in which we all reside. Boy are we stuffed-again.

thanks winter

You did an excellent job putting all that info together.
And there is lots of info there.
If I could make a suggestion, re-title it and leave it up as a must read post.

In one of my older posts on the stuxnet virus i had some articles linked that explained how the virus worked.
Quoting from that older article-

"Researchers say Stuxnet was designed to target control systems like those used at the Bushehr plant in Iran. In particular, they say it targets supervisory control and data aquisition systems or SCADA systems designed by the German company Siemens.

They say that after finding a way into a plant's system, the worm can simply steal data or potentially wreak havoc, causing its systems such as cooling pumps to malfunction."

That all said, I am hoping there is not a misunderstanding on what my post was about?

Because I thought I made it clear that a stuxnet infection could definitely no tbe ruled out.

The sad truth, however, is that there were so many problems with the power plant, as I mentioned, TEPCO has a history of cutting corners and covering up.
Then the idiotic way the plant was constructed, with all those spent fuel rods sitting right on top of the reactors??!!

This was done to save money, bottom line. So called nuclear engineers who designed that shit, should have known without a doubt that design would present a problem.

But it always comes down to making maximum profits and dam safety all to hell!

Thanks again McJ

... and many other places, too!

Even if we disregard the evidence of nuclear sabotage by software for a moment, it still strikes me as perhaps the most unusual act of war we have ever seen, though it will not be treated as such.

I mean, to mess with the geology of a place like Japan ...

If Japan breaks down and falls into the ocean, it will trigger a tsunami that would roll across the Pacific in a matter of hours, obliterate Hawaii, and keep going till it hit the Rockies. For all practical purposes we could say goodbye to SF, LA, SD, Seattle, Van and Vic and many other cities large and small, all the way up to Alaska. Much the same fate would await Acapulco, Managua, Panama City, Lima ... All of Central America could easily be washed into the Caribbean!

But the damage it would do to East Asia would dwarf the all that. Indonesia, Malaysia, Vietnam ... we wouldn't hear much about it here if some of our own cities were gone, but every place that is separated from Japan by nothing but water would be in danger, and the less distance, the more danger. Taiwan, Hong Kong, Sayonara. Massive damage to China, both Koreas and Russia. Not much would remain of the Philippines.

Possibly PNG would help to protect the north coast of Australia. NZ would have no protection at all.

On the other hand, Washington and Tel Aviv would be relatively safe. Comforting, no?

Some days I think I missed my calling. I shoulda been an alarmist.

You are exactly right Winter and this is alarming stuff. An event of that magnitude would cause a massive tsunami the likes of which today's world could not fathom nor would be likely to contemplate. However, such things are not unheard of in our distant past. There is evidence that events like this have happened. I watched a documentary once about what would happen if a known precarious chunk of the Canary Islands were to break off and fall into the sea. The tsunami produced would be hundreds of feet high and moving at incredible speed when it hit land. Basically, the same scenario you have just described except in the Atlantic. It would wipe out the entire eastern seaboard of the the US and Canada.

And yes this could be a warning to Japan and just about anywhere else that is paying attention. So, good point!