[OT] Stuxnet: The cyberwar has begun


by atomez » 3/10/2010 16:22

Iran Says It Arrested Computer Worm Suspects

TEHRAN — Iran has arrested an unspecified number of “nuclear spies” in connection with a damaging worm that has infected computers in its nuclear program, the intelligence minister, Heydar Moslehi, said Saturday.

Mr. Moslehi also told the semiofficial Mehr news agency that the ministry had achieved “complete mastery” over government computer systems and was able to counter any cyberattacks by “enemy spy services.”

Iran confirmed last week that the Stuxnet worm, a malicious self-replicating program that attacks computers that control industrial plants, had infected computers in its nuclear operations. Officials said it had been found in personal computers at the Bushehr nuclear plant, a power generator that is not believed to be part of a weapons program, and that it had not caused “serious damage” to government systems.

While the origins of the worm remain obscure, many computer security experts believe it was created by a government with the intent of sabotaging Iran’s nuclear program, which Western countries believe is aimed at creating a nuclear weapon. The United States and Israel have cyberwarfare programs and both countries have sought to undermine Iran’s nuclear enrichment program, but neither has commented on the Stuxnet worm.

Iran has portrayed the worm as a cyberattack by Western powers and Israel intended to derail the country’s nuclear program, which the government says is for peaceful purposes.

“All of the destructive activities perpetrated by the oppressors in cyberspace will be discovered quickly and means of combating these plans will be implemented,” Mr. Moslehi said. “The intelligence Ministry is aware of a range of activities being carried out against the Islamic Republic by enemy spy services.”

He provided no further details on the arrests, which could not be independently verified.

Hamid Alipour, an official at the state-run Iran Information Technology company, has said that the worm is spreading. “This is not a stable virus,” he said last week. “By the time we started to combat it three new variants had been distributed.” He said his company hoped to eliminate it within “one to two months.”
People are so naive and so attached to their immediate interests that a skilful swindler can always get a great number of them to let themselves be deceived.
Niccolò Machiavelli
http://www.facebook.com/atomez

by Elias » 2/10/2010 20:08

Speaking of viruses...


Phishing attack hits LinkedIn users
Published by Casa dos Bits at 17:16 on 30 September 2010 | 4 comments

In recent days, users of the professional social network LinkedIn have been the victims of a "massive phishing attack" that uses the service's name to send messages to the targets in order to lure them to fake pages.

The information has been reported by several international media outlets and was today the subject of a statement from the security companies ESET and WhiteHat, warning of the problem, which has also already hit TeK's own mailbox.

As they explain, the social network, which has more than 60 million users worldwide, is being used as bait by cybercriminals, who send emails with the service's name as the sender.
 
Mensagens: 35428
Registado: 5/11/2002 12:21
Localização: Barlavento

by atomez » 2/10/2010 18:53

This is something completely different, and it is unprecedented.

New Clues Point to Israel as Author of Blockbuster Worm, Or Not


New clues released this week show a possible link between Israel and sophisticated malware targeting industrial control systems in critical infrastructure systems, such as nuclear plants and oil pipelines.

Late Thursday, security firm Symantec released a detailed paper with analysis of the headline-making code (.pdf), which reveals two clues in the Stuxnet malware that adds to speculation that Israel may have authored the code to target Iran.

Or, they could simply be red herrings planted in the code by programmers to point suspicion at Israel and away from other possible suspects.

The malware, called Stuxnet, appears to be the first to effectively attack critical infrastructure and in a manner that produces physical results, although there’s no proof yet any real-world damage has been done by it. The malware’s sophistication and infection of thousands of machines in Iran has led some to speculate that the U.S. or Israeli government built the code to take out Iran’s nuclear program.

Symantec’s paper adds to that speculation. It also provides intriguing data about an update the authors made to it in March of this year that ultimately led to it being discovered. The update suggests the authors, despite launching their malware as early as June 2009, may not have reached their target by March 2010.

The code has so far infected about 100,000 machines in 155 countries, apparently beginning in Iran and recently hitting computers in China. Researchers still have no idea if the malware reached the targeted system it was designed to sabotage.

Liam O’Murchu, researcher at Symantec Security Response, said in a press call Friday that even though the malware’s command-and-control server has been disabled, the attackers can still communicate with infected machines via peer-to-peer networking. Symantec hopes that experts in industrial control systems who read their paper may help identify the specific environment Stuxnet was targeting.

“We hope someone will look at the values and say this is a configuration you’d only find in an oil refinery or power plant,” said O’Murchu. “It’s very important to find out what the target was. You can’t tell what [Stuxnet] does unless you know what it was connected to.”

The code targets industrial control software made by Siemens called WinCC/Step 7, but is designed to deliver its malicious payload to only a particular configuration of that system. About 68 percent of infected systems in Iran have the Siemens software installed, but researchers don’t know if any have the targeted configuration. By contrast, only 8 percent of infected hosts in South Korea are running Step 7 software, and only about 5 percent of infected hosts in the U.S. do. An apparent “kill” date in the code indicates that Stuxnet is designed to stop working June 24, 2012.

The first clue that may point to Israel’s involvement in the malware involves two file directory names – myrtus and guava – that appear in the code. When a programmer creates code, the file directory where his work-in-progress is stored on his computer can find its way into the finished program, sometimes offering clues to the programmer’s personality or interests.

In this case, Symantec suggests the name myrtus could refer to the biblical Jewish Queen Esther, also known as Hadassah, who saved Persian Jews from destruction after telling King Ahasuerus of a plot to massacre them. Hadassah means myrtle in Hebrew, and guavas are in the myrtle, or myrtus family of fruit.

A clue to Stuxnet’s possible target lies in a “do not infect” marker in the malware. Stuxnet conducts a number of checks on infected systems to determine if it’s reached its target. If it finds the correct configuration, it executes its payload; if not, it halts the infection. According to Symantec, one marker Stuxnet uses to determine if it should halt has the value 19790509. Researchers suggest this refers to a date — May 9, 1979 — that marks the day Habib Elghanian, a Persian Jew, was executed in Tehran and prompted a mass exodus of Jews from that Islamic country.

This would seem to support claims by others that Stuxnet was targeting a high-value system in Iran, possibly its nuclear enrichment plant at Natanz.

Or, again, both clues could simply be red herrings.

O’Murchu said the authors, who were highly skilled and well-funded, were meticulous about not leaving traces in the code that would track back to them. The existence of apparent clues, then, would belie this precision.


One mystery still surrounding the malware is its wide propagation, suggesting something went wrong and it spread farther than intended. Stuxnet, when installed on any machine via a USB drive, is supposed to spread to only three additional computers, and to do so within 21 days.

“It looks like the attacker really did not want Stuxnet to spread very far and arrive at a specific location and spread just to computers closest to the original infection,” O’Murchu said.

But Stuxnet is also designed to spread via other methods, not just via USB drive. It uses a zero-day vulnerability to spread to other machines on a network. It can also be spread through a database infected via a hardcoded Siemens password it uses to get into the database, expanding its reach.

Symantec estimates it took between 5 and 10 developers with different areas of expertise to produce the code, plus a quality assurance team to test it over many months to make certain it would go undetected and not destroy a target system before the attackers intended to do so.

The WinCC/Step 7 software that Stuxnet targets connects to a Programmable Logic Controller, which controls turbines, pressure valves and other industrial equipment. The Step 7 software allows administrators to monitor the controller and program it to control these functions.

When Stuxnet finds a Step7 computer with the configuration it seeks, it intercepts the communication between the Step 7 software and the controller and injects malicious code to presumably sabotage the system. Researchers don’t know exactly what Stuxnet does to the targeted system, but the code they examined provides a clue.

One value found in Stuxnet – 0xDEADF007 – is used by the code to specify when a process has reached its final state. Symantec suggests it may mean Dead Fool or Dead Foot, a term referring to an airplane engine failure. This suggests failure of the targeted system is a possible aim, though whether Stuxnet aims to simply halt the system or blow it up remains unknown.

Two versions of Stuxnet have been found. The earliest points back to June 2009, and analysis shows it was under continued development as the attackers swapped out modules to replace ones no longer needed with new ones and add encryption and new exploits, apparently adapting to conditions they found on the way to their target. For example, digital certificates the attackers stole to sign their driver files appeared only in Stuxnet in January 2010.

One recent addition to the code is particularly interesting and raises questions about its sudden appearance.

A Microsoft .lnk vulnerability that Stuxnet used to propagate via USB drives appeared only in the code in March this year. It was the .lnk vulnerability that ultimately led researchers in Belarus to discover Stuxnet on systems in Iran in June.

O’Murchu said it’s possible the .lnk vulnerability was added late because the attackers hadn’t discovered it until then. Or it could be they had it in reserve, but refrained from using it until absolutely necessary. The .lnk vulnerability was a zero-day vulnerability — one unknown and unpatched by a vendor that takes a lot of skill and resources for attackers to find.

Stuxnet’s sophistication means that few attackers will be able to reproduce the threat, though Symantec says many will try now that Stuxnet has taken the possibility for spectacular attacks on critical infrastructures out of Hollywood movies and placed them in the real world.

“The real-world implications of Stuxnet are beyond any threat we have seen in the past,” Symantec writes in its report. “Despite the exciting challenge in reverse engineering Stuxnet and understanding its purpose, Stuxnet is the type of threat we hope to never see again.”
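The article above reports that a USB-seeded Stuxnet infection was meant to spread to at most three further computers, yet the worm also spread over the network with no such cap. The toy model below is an added example (not code from the article, Wired or Symantec) that shows why a cap on one vector does not bound the total: the segment layout, the USB-sharing links and the host names are all constructed, and the 21-day window is not modelled.

```python
from collections import deque

MAX_USB_SEEDS = 3  # per-host cap on USB-seeded infections reported in the article

def simulate(segments, usb_links, start, use_network):
    """Return the set of hosts infected starting from `start`.

    segments:    host -> segment id (hosts on one segment reach each other)
    usb_links:   host -> hosts that share removable media with it
    use_network: whether the uncapped network vector is active
    (the 21-day window from the article is not modelled)
    """
    infected = {start}
    seeds_used = {}          # host -> USB infections it has already seeded
    queue = deque([start])
    while queue:
        host = queue.popleft()
        # USB vector: each host may seed at most MAX_USB_SEEDS new infections
        for peer in usb_links.get(host, []):
            if seeds_used.get(host, 0) >= MAX_USB_SEEDS:
                break
            if peer not in infected:
                infected.add(peer)
                seeds_used[host] = seeds_used.get(host, 0) + 1
                queue.append(peer)
        # Network vector: every host on the same segment, with no cap at all
        if use_network:
            for peer, seg in segments.items():
                if seg == segments[host] and peer not in infected:
                    infected.add(peer)
                    queue.append(peer)
    return infected


# Constructed sample (not from the article): two segments of six hosts;
# a1 shares USB media with five peers, including b1 on the other segment.
SEGMENTS = {f"a{i}": "A" for i in range(1, 7)}
SEGMENTS.update({f"b{i}": "B" for i in range(1, 7)})
USB_LINKS = {"a1": ["b1", "a2", "a3", "a4", "a5"]}


def usb_only_count():
    """USB cap alone: the outbreak stops at 1 + MAX_USB_SEEDS hosts."""
    return len(simulate(SEGMENTS, USB_LINKS, "a1", use_network=False))


def with_network_count():
    """Cap plus network vector: one USB hop into segment B infects all 12."""
    return len(simulate(SEGMENTS, USB_LINKS, "a1", use_network=True))
```

The defender's takeaway is that isolating industrial hosts only from removable media leaves the uncapped vector open; a containment policy has to cover every path into the segment.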

by Lion_Heart » 1/10/2010 3:28

Oh Atomez, that has already been used n times.
" Richard's prowess and courage in battle earned him the nickname Coeur De Lion ("heart of the lion")"



by atomez » 1/10/2010 3:25

For the first time in history, a country is being attacked by a computer virus!

The cyberwar has begun.

The Economist wrote: The meaning of Stuxnet

A sophisticated “cyber-missile” highlights the potential—and limitations—of cyberwar

IT HAS been described as “amazing”, “groundbreaking” and “impressive” by computer-security specialists. The Stuxnet worm, a piece of software that infects industrial-control systems, is remarkable in many ways. Its unusual complexity suggests that it is the work of a team of well-funded experts, probably with the backing of a national government, rather than rogue hackers or cyber-criminals (see article). It is designed to infect a particular configuration of a particular type of industrial-control system—in other words, to disrupt the operation of a specific process or plant. The Stuxnet outbreak has been concentrated in Iran, which suggests that a nuclear facility in that country was the intended target.

This is, in short, a new kind of cyber-attack. Unlike the efforts to disrupt internet access in Estonia or Georgia (blamed on Russia), or the attacks to break into American systems to steal secrets (blamed on China), this was a weapon aimed at a specific target—it has been called a “cyber-missile”. One or more governments (the prime suspects are Israel and America) were probably behind it. After years of speculation about the potential for this sort of attack, Stuxnet is a worked example of cyberwar’s potential—and its limitations.

Much of the discussion of cyberwar has focused on the potential for a “digital Pearl Harbour”, in which a country’s power grids and other critical infrastructure are disabled by attackers. Many such systems are isolated from the internet for security reasons. Stuxnet, which exploits flaws in Microsoft Windows to spread on to stand-alone systems via USB memory sticks, shows they are more vulnerable than most people thought. The outbreak emphasises the importance of securing industrial-control systems properly, with both software (open-source code can be more easily checked for security holes) and appropriate policies (banning the use of memory sticks). “Smart” electricity grids, which couple critical infrastructure to the internet, must be secured carefully.

Stuxnet is also illuminating in another way: it reveals the potential for cyber-weapons that target specific systems, rather than simply trying to cause as much mayhem as possible. It infected several plants in Germany, for example, but did no harm because they were not the target it was looking for. Such specificity, along with the deniability and difficulty of tracing a cyber-weapon, has obvious appeal to governments that would like to disable a particular target while avoiding a direct military attack—and firms interested in sabotaging their rivals.


Cyberwar is not declared

But the worm also highlights the limitations of cyber-attacks. Iran admits that some computers at its Bushehr nuclear plant were infected, but says no damage was done. The target may have been the centrifuges at its nuclear refinery at Natanz. Last year the number of working centrifuges at Natanz dropped, though it is unclear whether this was the result of Stuxnet. Even if it was, the attack will only have delayed Iran’s nuclear programme: it will not have shut it down altogether. Whoever is behind Stuxnet may feel that a delay is better than nothing. But a cyber-attack is no substitute for a physical attack. The former would take weeks to recover from; the latter, years.

Stuxnet may have failed to do the damage its designers intended, but it has succeeded in undermining the widespread assumption that the West would be the victim rather than the progenitor of a cyber-attack. It has also illustrated the murkiness of this sort of warfare. It is rarely clear who is attacking whom. It is hard to tell whether a strike has been successful, or indeed has happened at all. This, it seems, is what cyberwar looks like. Get used to it.