The New York Times reported today that US military officials considered using cyber weapons to aid in the attacks on Libya earlier this year. Officials allegedly reconsidered concerned about setting a dangerous precedent.
The hacker collective known as Anonymous has expressed interest in hacking industrial systems that control critical infrastructures, such as gas and oil pipelines, chemical plants and water and sewage treatment facilities, according to a Department of Homeland Security bulletin.
But DHS doubts the anarchic group has the necessary skills. At least for now.
Anonymous efforts to attack such systems could be thwarted by the lack of centralized leadership in the loosely collected group, the bulletin says, as well as a lack of “specific expertise” about how the systems work and how to attack them. However, the report notes, the latter could easily be overcome through study of publicly available information.
“The information available on Anonymous suggests they currently have a limited ability to conduct attacks targeting [industrial control systems],” according to DHS. “However, experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control system networks very quickly.”
The assessment comes in a bulletin issued recently (.pdf) by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, and published Monday by the web site Public Intelligence. The bulletin was marked “For Official Use Only,” a designation that means the data isn’t classified but is meant only to be shared with government agencies and trusted outside sources.
The bulletin says that members of Anonymous have not yet demonstrated attacks on such systems, instead choosing to “harass and embarrass their targets using rudimentary attack methods.” But the group’s interest in attacking these systems could grow once they realize how poorly the systems are secured, and they figure out how to leverage information that is already publicly available about vulnerabilities in the systems.
NCCIC predicts a ”moderate likelihood” that the group’s protest activities could be accompanied by hacking attacks on core infrastructure in the future.
“[T]here are control systems that are currently accessible directly from the internet and easy to locate through internet search engine tools and applications,” the bulletin notes. “These systems could be easily located and accessed with minimal skills in order to trespass, carry out nefarious activities, or conduct reconnaissance activities to be used in future operations.”
As evidence of Anonymous’ interest in control systems, the bulletin points to a July 11 post at Pastebin, a site where programmers and hackers post code and missives. The post discussed a denial-of-service attack against Monsanto and possible future plans against the company.
We blasted their web infrastructure to shit for 2 days straight, crippling all 3 of their mail servers as well as taking down their main websites world-wide. We dropped dox on 2500+ employees and associates, including full names, addresses, phone numbers, and exactly where they work. We are also in the process of setting up a wiki, to try and get all collected information in a more centralized and stable environment. Not bad for 2 months, I’d say.
What’s next? Not sure… it might have something to do with that open 6666 IRC port on their nexus server though.
And on July 19, a known member of Anonymous tweeted the results of browsing the directory tree for Siemens SIMATIC software, the same industrial control system software that was exploited by the Stuxnet worm last year to sabotage uranium-enriching centrifuges at an Iranian nuclear plant.
Another Anonymous member subsequently pointed to XML and HTML code that could be used to query the SIMATIC system to find vulnerabilities in it, and also indicated he was already inside multiple control systems.
The posted xml and html code reveals that the individual understands the content of the code in relation to common hacking techniques to obtain elevated privileges. It does not indicate knowledge of ICS; rather, it indicates that the individual has interest in the application software used in control systems.
The posted xml and html contained administration code used to create password dump files for a human‐machine interface control system software product from Siemens. The code also contained OLE for Process Control (OPC) foundation code that is used in server communication with control system devices such as programmable logic controllers, remote terminal units, intelligent‐electronic devices, and industrial controllers.
While the latter information indicated the individual had an interest in control systems, NCCIC could find nothing to indicate that the person actually possessed the capabilities necessary to hack an ICS.
“There are no indications of knowledge or skill in control systems operations, design, or components,” the bulletin notes. “The individual may possess the necessary skill to exploit elevated privileges by hijacking credentials of valid users of the ICS software product posted based on traditional exploitation methods, not anything ICS specific. ”
According to the NCCIC bulletin, oil and gas companies could become particularly attractive targets to Anonymous and its sympathizers, owing to the hacking collective’s “green energy” agenda and its members’ past opposition to pipeline projects.
“This targeting could likely extend beyond Anonymous to the broader [hacker activist] community, resulting in larger-scope actions against energy companies,” DHS warns in the bulletin.
The security of industrial control systems, which are used in commercial manufacturing facilities and critical infrastructure systems around the world, was thrown into the spotlight over the last year, after the Stuxnet worm infected more than 100,000 computers in Iran and elsewhere. Although the worm was designed to target the SIMATIC industrial control system made by Siemens, it only released its destructive payload on a specific Simatic system – believed to be the system that controls centrifuges at Iran’s uranium enrichment plant in Natanz.
The discovery of the worm helped bring attention to the serious security vulnerabilities that exist in the Siemens system. Researchers who have further examined Siemens systems, as well as industrial control systems made by other manufacturers, have found them all to share the same kinds of security vulnerabilities.
Photo: matti.frisk / Flickr
Five months ago, Senate Judiciary Committee Chairman Patrick Leahy (D-Vermont) introduced a bill to update the nation’s privacy laws to protect citizen’s data stored in the cloud from warrantless searches. The move was backed by tech powerhouses including Google and Microsoft, though law enforcement opposes restricting their power to easily get data in Gmail and Hotmail.
Five months later, the bill remains in the ether, without a hearing, for the lack of a single Republican senator backing Leahy’s measure to require police to get a warrant to search data stored on any online service if that data is older than six months.
“He is trying to shore up bipartisan support,” Erica Chabot, a Leahy spokeswoman, said in a telephone interview.
Friday is the 25-year anniversary of the law that Leahy’s bill would dramatically amend. Civil rights groups had been anticipating the anniversary celebration at the Capitol Congressional Visitors Center on Tuesday would include some announcement of advancement of the Leahy proposal.
“I”m not telling you we’re not kind of hoping to have something passed out of the Judiciary Committee by now,” Chris Calabrese, the legislative director with the American Civil Liberties Union, said in a telephone interview. “If you are going to move something in this Congress, it’s got to be bipartisan.”
Leahy’s bill would amend the Electronic Communications Privacy Act. Adopted when CompuServe was king, ECPA allows the government to acquire a suspect’s e-mail or other stored content from an internet service provider without showing probable cause that a crime was committed, as long as the content had been stored on a third-party server for 180 days or more.
EPCA, whose main sponsor 25 years ago was Leahy, was adopted at a time when e-mail, for example, wasn’t stored on servers for a long time. Instead it was held there briefly on its way to the recipient’s inbox. E-mail more than 6 months old was assumed abandoned, and that’s why the law allowed the government to get it. At the time there wasn’t much of any e-mail to get because a consumer’s hard drive — not the cloud — was their inbox.
But technology has evolved, and e-mail often remains stored on cloud servers indefinitely, in gigabytes upon gigabytes — meaning the authorities may access it without warrants if it’s older than six months.
The same rule also applies to content stored in the cloud. That includes files saved in DropBox, communications in Facebook, and Google Docs cloud-storage accounts. Such personal storage capabilities were nearly inconceivable when President Ronald Reagan signed the bill.
Leahy’s measure, among other things, would require court warrants to obtain all that cloud data. (.pdf)
Civil rights groups beginning Tuesday will celebrate the ECPA anniversary to lobby for change and to point out that the law which once passed to protect Americans’ privacy has eroded due to the advancement of technology.
Oddly, despite the recent rise of the libertarian-leaning Tea Party faction of the Republican Party, no Republican has decided publicly that privacy protection of Americans’ online communications is a winning issue. However, whether the bill would ultimately pass even with GOP support is unclear, and the White House maintains that warrants for such data are not required.
Still, there is at least bi-partisan support for proposed legislation that for the first time would explicitly require authorities to obtain a court warrant to get geolocational information of a suspect’s movements. That proposal remains sidelined, however, as the U.S. Supreme Court is to hear a case next month testing the government’s position that no warrant is required for that geolocation data.
The cyberattack would have involved breaking through the firewalls protecting Libyan computer networks in order to disrupt military communications and thwart early-warning radar systems that would detect planes coming in for a strike.
The officials and military officers ultimately decided against the plan out of fear that it would set a precedent for other nations to use similar techniques, according to the New York Times. There were also unresolved questions about whether President Obama had the power to approve such an attack without first informing Congress, and whether there was sufficient time to conduct digital reconnaissance and write the attack code that would have been required to pull off such an attack.
Weeks later, there was talk of using similar techniques to thwart Pakistani radar when U.S. Navy Seals were preparing to launch a kill-mission against former al Qaeda leader Osama bin Laden, who had been hiding out in a compound in Pakistan that was surrounded – some say protected – by Pakistani military troops. In the Pakistan case, the administration nixed the idea again, opting instead to use specially modified helicopters designed to evade radar detection.
“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” an unidentified Obama administration official told the Times.
Had the computer-network attack against Libya gone ahead, administration officials told the Times they were confident the attack code could have been contained within Libya’s networks and not spread to other networks to cause collateral damage.
Such questions have become central to cyberwarfare discussions in the wake of the Stuxnet computer worm – a piece of malware that was launched in 2009 against computers in Iran to disrupt that country’s uranium enrichment program.
Stuxnet spread beyond the targeted systems, however, infecting more than 100,000 computers throughout Iran, India, Indonesia and elsewhere. Because the worm was skillfully crafted to affect only systems operating at one of Iran’s nuclear enrichment plants, it did not harm the other systems it infected.
Photo: A German radar station. Credit: Aperture7.1/Flickr