Russian Anti-Virus Firm Plans Secure Operating System to Combat Stuxnet

Russian anti-virus firm Kaspersky Lab announced Tuesday that it plans to develop a secure operating system to protect critical infrastructure systems from online attacks.

Kaspersky hopes to develop a pared-down operating system that would be less vulnerable to attack from malicious programs like Stuxnet – a cyberweapon discovered in 2010 that was designed to target industrial systems that control Iran’s nuclear program.

“Today there exists neither operating systems nor software that could be applied in industrial/infrastructural environments whose produced data on processes could be fully trusted,” wrote company founder Eugene Kaspersky in a blog post. “And this left us with no other option than to begin developing something new ourselves.”

Many industrial control system applications — such as distributed control systems (DCS) and supervisory control and data acquisition systems (SCADA) — currently operate on top of the Windows operating system or on versions of Linux, both of which are general operating systems that contain many features that are unnecessary for running industrial control systems.

Industrial control systems are used in a wide variety of critical facilities, including chemical plants, water treatment plants and electric utilities, as well as in factory settings to control assembly lines and to batch-mix ingredients in food production facilities. Using general-purpose operating systems in industrial settings like these opens them to the same kinds of vulnerabilities that general computer users face from malware.

Kaspersky proposes to create a more locked-down system that contains only the most basic functionality necessary to operate industrial control applications, thus reducing the attack surface for malware to target.

“Since John McClane isn’t around to solve the problem of vulnerable industrial systems, … it comes down to KL to save the world, naturally!” Kaspersky wrote, referring to the fictional character that actor Bruce Willis played in the film Live Free or Die Hard.

But according to one computer security expert, Kaspersky isn’t likely to meet with very many takers for such a system.

“It’s a very ambitious effort, and I think it has a long shot of succeeding anywhere outside of Russia,” says Dale Peterson, CEO and founder of Digital Bond, a firm that specializes in industrial control system security. “I think the odds of it actually succeeding in changing anything in the ICS market is very small.”

Peterson says it’s a smart and legitimate endeavor for a country to want to develop a security system for critical infrastructure inside its borders, but outside of Russia, the company would face trust issues around the security of the supply chain.

“You don’t know if they’re getting funding from the Russian government for doing this,” he says.

Although Kaspersky Lab is an independent company, Eugene Kaspersky was educated in his teens at the Institute of Cryptography, Telecommunications, and Computer Science, a facility backed by Russia’s KGB. He also served for a period as an intelligence officer in the Soviet military.

At a time when concerns about backdoors in Chinese telecommunications equipment have prompted a report from Congress about the potential for the Chinese government to spy on communications, companies contemplating a Kaspersky operating system might be concerned that it could have backdoors in it, for example, or that the Russian government was given access to the source code to find vulnerabilities in it to attack.

A Kaspersky Lab spokesman told Wired that the company is receiving no Russian government funding for the project.

But aside from the potential for Russian-government involvement, Peterson says Kaspersky would likely face an uphill battle in convincing industrial control system vendors like Siemens and Rockwell to revamp their applications to run on a Kaspersky operating system.

Kaspersky didn’t provide details about the planned operating system, but said in his blog post Tuesday that for such an operating system to succeed and provide a guarantee of security, “it must contain no mistakes or vulnerabilities whatsoever in the kernel,” and “must be 100 percent verified as not permitting vulnerabilities or dual-purpose code” and would need to “provide the full range of the very latest principles of security.”

Although the operating system is only in the initial planning stages, Kaspersky wrote that he was disclosing the plan to address rumors that have been circulating.

Rumors had been circulating about what Kaspersky Lab was planning for industrial control systems after a Wired magazine story about the company’s colorful founder revealed in July that his company was working on a “secret project” to “save the world,” or at least protect computers from malicious attacks.

In a locked room down the hall from his office, Kaspersky is working on a secret project to fulfill that lofty ambition. Not even his assistant has been allowed inside. But after we’ve spent a day together—and knocked back a few shots of Chivas 12—he unlocks the door and offers me a peek. It’s an industrial control system, a computer for operating heavy machinery, just like the ones that Stuxnet attacked (and, Kaspersky researchers believe, Flame may also have targeted). Kaspersky’s team is quietly working on new ways to harden these systems against cyberattack—to protect the power grids and prisons and sewage plants that rely on these controllers. The idea is to make future Stuxnets harder to pull off. The controllers haven’t been engineered with security in mind, so the project is difficult. But if it succeeds, Kaspersky’s seemingly outsize vision of his company’s role in the world might become a little less outlandish.

Pentagon Hacker McKinnon Wins 10-Year Extradition Battle

Gary McKinnon leaves the High Court in London on July 14, 2009. Photo: Sang Tan/AP

Accused British hacker Gary McKinnon has won his 10-year battle to resist extradition to the U.S. on charges that he hacked Pentagon computers in the U.S.

U.K. Home Secretary Theresa May announced on Tuesday that her office would block the U.S. extradition request on human rights grounds, since McKinnon, 46, was at high risk of suicide were he to be sent to the U.S. to face trial.

“I have concluded that Mr. McKinnon’s extradition would give rise to such a high risk of him ending his life, that the decision to extradite would be incompatible with Mr. McKinnon’s human rights,” May said.

It marks the first time that the U.K. has blocked an extradition request since signing a treaty with the U.S. in 2003, according to the Guardian.

McKinnon, who was dubbed the “biggest military computer hack of all time” by U.S. authorities, has admitted to accessing U.S. government computers more than a decade ago, but claims he did so only to find proof of a military coverup regarding the existence of UFO’s.

McKinnon has been accused of hacking into more than 90 unclassified Pentagon and NASA systems in 2001 and 2002, causing some of them to crash. Authorities say his actions led to $900,000 in damages.

McKinnon allegedly left a message on one Army computer he breached in 2002, saying, “U.S. foreign policy is akin to government-sponsored terrorism these day…. It was not a mistake that there was a huge security stand down on September 11 last year…. I am SOLO. I will continue to disrupt at the highest levels.”

McKinnon was facing a sentence of between six months and six-and-a-half years in prison under federal sentencing guidelines, but in 2003, he rejected a plea offer that would have had him serving a prison sentence in the U.S. of just six to 12 months at a low-security facility, followed by a transfer back to the U.K. for a six-month parole.

He fought extradition in part by insisting that the U.S. planned to ship him off to Guantanamo Bay, and has spent a decade – nine years more than he would have spent in prison had he accepted the plea deal – keeping the case alive in the U.K. media.

McKinnon and his supporters argued that he should be tried in the U.K., since that was the location from which he allegedly committed his crimes.

McKinnon lost previous appeals in the High Court, the House of Lords and European Court of Human Rights. But two years ago a High Court judge ruled that McKinnon, who suffers from Asperger’s syndrome and depression, could be at risk of suicide if he were extradited to the U.S., which led the Home Office to conduct a psychiatric investigation. Psychiatric examiners concurred that McKinnon was at risk of suicide if extradited.

McKinnon’s case has shone a spotlight on the U.S.-U.K. extradition treaty, which U.K. critics say make it too easy for U.S. authorities to extradite U.K. citizens. May announced on Tuesday that she would introduce a so-called “forum bar” to determine if a British court should be given the power to bar prosecutions overseas if it believes the accused would get a more fair trial in the U.K.

As Drone Debate Rages, Police Move on to Million-Dollar Spy Planes

A Pilatus PC-12 NG Spectre in flight.

While the nation disputes if, when and where the government should use drones over U.S. soil, Texas state police are taking their surveillance efforts to the next level.

In a little-noticed July purchase, officials at the Texas Department of Public Safety inked a $7.4 million contract with the Swiss company Pilatus Aircraft Ltd. for a high-altitude spy plane. Unique technology affixed to the state’s new aircraft could raise the ire of civil libertarians and privacy advocates.

Among its features is a $1 million array of surveillance cameras with high-resolution and thermal-imaging capabilities, and a $300,000 downlink system that enables the plane’s crew to send real-time surveillance images anywhere in the state, according to records obtained by the Center for Investigative Reporting through the Texas Public Information Act. The package will also come with four sets of night-vision goggles worth about $60,000, records show.

The latest fleet addition for Texas has a single engine instead of two, which saves on costs while still permitting a relatively large payload. The Pilatus cabin is also pressurized so it can fly at higher altitudes, up to 30,000 feet in the air.

Texas state police spokesman Tom Vinger said most of the plane’s missions will be carried out on the border between the United States and Mexico, and “serve as a tool in assisting specific joint operations that are clearly defined by area and duration.”

Known as the Pilatus PC-12 NG Spectre (.pdf), the company says the plane was conceived specifically in response to demand from law enforcement. Authorities in Texas expect the aircraft to arrive after modifications sometime next year.

Leonard Luke, vice president of government business for Pilatus, which has operations in Colorado, said the aircraft was developed because both federal and local law enforcement “inquired about the possibility of a surveillance-type platform.”

Texas politicians have long asserted that Washington wasn’t doing enough to secure the nation’s boundary with Mexico. The Lone Star State has reportedly devoted $600 million in taxpayer money to beef up the border since 2007, according to news accounts.

No one has benefited more than the Texas Department of Public Safety, which formed military-esque Ranger Reconnaissance Teams, constructed intelligence command centers and procured high-speed gunboats with .30-caliber, fully automatic machine guns.