Julian Assange wins Sam Adams Award for Integrity


The award is judged by a group of retired senior US military and intelligence personnel, and past winners. This year the award to Julian Assange was unanimous.

Previous winners and ceremony locations:

Coleen Rowley of the FBI; in Washington, D.C.

Katharine Gun of British intelligence; in Copenhagen, Denmark

Sibel Edmonds of the FBI; in Washington, D.C.

Craig Murray, former UK ambassador to Uzbekistan; in New York City

Sam Provance, former sergeant, U.S. Army, truth-teller about Abu Ghraib; in Washington, D.C.

Frank Grevil, major, Danish army intelligence, imprisoned for giving the Danish press documents showing that Denmark’s prime minister disregarded warnings that there was no authentic evidence of WMDs in Iraq; in Copenhagen, Denmark

Larry Wilkerson, colonel, U.S. Army (retired), former chief of staff to Secretary Colin Powell at the State Department, who has exposed what he called the “Cheney-Rumsfeld cabal”; in Washington, D.C.

http://original.antiwar.com/mcgovern/2010/08/15/can-wikileaks-help-save-lives/

Not sure yet where this year’s award ceremony will be held, but I’ll be there.



564 thoughts on “Julian Assange wins Sam Adams Award for Integrity”

  • Clark

    More on Stuxnet, from

    http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html

    “4. Official data confirmed a huge reduction in the number of centrifuges operating during the time the Wikileaks article claimed”

    […]

    The “centrifuge” design is something which has a “Pakistan” link as well as “North Korea”.

    If you look back a while you will see that one of Pakistan’s top nuclear scientists went rouge and started selling “Nuke tech know how”. Due to the fortunes of war and the US now regarding Pakistan as “one of the good guys” these days the centrifuge plant design became well known even outside the intel community.

    That is there are quite a few places (around 24) the rouge scientist flogged the designs to.

    It is one of the reasons the US are in my top three suspects for “state sponsor” (in alphabetical order Iran Israel USA).

    Because the worm would (if it had not been seen) very likely have “air gap jumped” all the other places the rouge scientist had sold the centrifuge plans to.

    The problem with this is it also means that any one of the other states buying the technology could have produced the worm likewise so could India all as a way of removing the capability from potential enemies.

    Further there are many ex CCCP nuclear scientists who might well be interested with “Russian Mafia” interest in “trashing the market” to then sell their own “system” in as replacement.

    I have a subjective measure when looking at these things, I call it the “Tom Clancy Test”, that is if the idea looks like a valid plot line for one of his novels then it has the capability of reality.

    However at the end of the day it shows for real that “air gap crossing” is now in amongst the low hanging fruit. It’s happened in considerably less than the eight years I predicted when I thought up a way to do it a couple of years ago. And importantly it has very real security implications for defenders using the physical isolation model.

    I guess based on this that we should start thinking in terms of the “embedded in chip” attack vector (from the likes of China etc) as being the next candidate to join the low hanging fruit in the next couple of years…

    It might be worth watching who goes “back in house” with the likes of the NSA in the next couple of years, and what silicon level “secure by design” hardware mask micro code checking programs appear…

    Posted by: Clive Robinson at September 25, 2010 4:55 PM

  • Clark

    Note the “Embedded in chip” attack vector warning above. This is one of the reasons I like to hang on to old hardware – Crab take note!

  • Richard Robinson

    Hi, Clark.

    I do like the idea of someone Going Rouge …

    Stuff to do, more time later, see you. Shopping, rain, yuck.

  • glenn

    “one of Pakistan’s top nuclear scientists went rouge”

    Did he indeed! That must have been quite a sight 🙂

    Seriously though, having older technology is often no bad thing. My mobile is about 10 years old, and lacks the ability to become my personal tracking device, nor can it be remotely turned into a bug by the security services.

  • crab

    Hi Clark,

    Stuxnet looks potentially very serious, with the capability to cause catastrophic failures within powerstations and production plants. If it is confirmed that Iran is the target, it could be seen as more than a provocation, an actual act of War.

    This is unlike any computer virus threat to date, the virus is created to be capable of causing immediate physical crisis -meaning large explosions and power losses at affected powerstations and production plants.

    Although the infection has been detected now, it is managing to reinfect by mutating and using as yet undiscovered reinfection routes.

    Hopefully it has been caught early enough and can be safely disinfected by the world’s antivirus gurus. But the fact that some military has decided fit to unleash it on Iran or the area, is already woeful.

    I hope it has been caught early and the global response will produce some sane reflection on its purpose and origin.

  • Suhayl Saadi

    Somebody (from the previous thread), yes, Alexander Allen is a colourful figure with an odd story that has never fully been explained.

    He also had a website – or his wife did – that published his address; this became a mini-scandal a little akin to Jonathan Evans in Speedos! I think his wife, a prominent visual artist, died of cancer recently.

    He seems an eccentric character, Grateful Dead fan, etc., flamboyant and not your typical spook whose aim is to sink into the background.

    But perhaps, this is an example of what I mentioned earlier, that in spite of Alexander Allen’s obvious talents, systemic oversight of the security and intelligence services is inadequate.

  • ingo

    Does this stuxnet have the capability to replicate itself in other nuclear installations?

    It seems to be quite known for some time, but has morphed somewhat, not that I have any clue of Computers.

    Or have the Westinghouse systems in western nuclear plants been spared such attacks due to the programming of the virus?, naughty…

    This from Mr. Tanase from Kaspersky GREAT in the Bangkok tech.:

    What is amazing is that Stuxnet uses two different rootkit technologies. One is in the controlling PC to prevent the Stuxnet worm from being seen. It also uses four zero-day attacks and two more vulnerabilities to enable elevation of privileges.

    An infected PC will neither see the Stuxnet worm nor the malicious code it is injecting into the programmable logic controllers (PLC).

    Stuxnet spreads through USB sticks, which is the only way to infiltrate factories with networks not connected to the open Internet.

    Infected machines then become part of the Stuxnet Botnet and the controller can steal codes, documents and designs and inject new orders into the PLC.

    The authors of Stuxnet were not out to steal, but to modify, but in order to modify, first you need to see what the code is doing.

    Stuxnet can spread through versions of Windows from XP to Windows 7.

    “This is unheard of. If a malware used one zero day, that was amazing, but malware using four zero-days is mind-blowing,” Tanase said.

    And the intrigue continues. The files were signed with real digital signatures, stolen from real companies, in this case J-Micron and Realtek. Malware is rarely signed and the fact that they were signed with real stolen certificates from two companies in the same industrial park in Taiwan is fuelling conspiracy theories. Did someone break into Realtek and J-Micron? Did they have insider access? Or did someone just drop a couple of infected USB drives in the parking lot?

    The certificates were later revoked, but only after Stuxnet was discovered. This marks another milestone and poses a new dilemma for security experts, whether signed code and certificates can be trusted at all.

    And what of the target? The biggest point of infection for Stuxnet was Iran or India, depending on when. But infections were global and Tanase believes Iran was targeted as it had by far the highest infection rate per capita. What exactly was targeted is not known.

    Today, the command and control for Stuxnet has been taken offline, but it still has peer-to-peer control. Someone can still inject updates into the Botnet as long as infected machines are out there. What it was used for, what its payload was and whether it had already accomplished its task or not, is anyone’s guess.

    “Stuxnet brings targeted attacks to a whole new level of sophistication,” said Tanase.

    “I’m not just making these allegations when you look at what’s being applied: Four zero-days, two stolen certificates and using SCADA networks as a target. They had to have immense technical resources, and to get those certificates is probably the reason people suspect nation state involvement.”

    Stuxnet is the first moment where cyber crime is moving from pickpocketing to something that can really affect national infrastructure. Attacks like Stuxnet are too complicated to become mainstream.

  • Suhayl Saadi

    I note that Alex Allen was the British HC to Australia – so Craig Murray will know him, or know of him, I’d have thought.

    He seems like a colourful, High Tory type of figure.

    Was he poisoned? Who knows, and if not, why the silence?

  • Richard Robinson

    “Stuxnet is the first moment where cyber crime is moving from pickpocketing to something that can really affect national infrastructure”

    It isn’t, though. This may be an “over-excited reporting” alert.

    http://www.eweek.com/c/a/Security/A-Year-of-CyberAttacks-Georgia-Not-First-and-Wont-be-Last-to-Fall-Victim-to-Hackers/ is a couple of years old.

    (Getting a bit picky, one could also look at the constant flood of junkmail, unwanted adverts & godonlyknows what else, and consider that as a degradation of infrastructure. What proportion of our bandwidth is wasted on this parasitism ?)

  • Ruth

    “The Privy Council allied with the Joint Intelligence Committee (JIC) and the Cabinet and Cabinet Intelligence Unit which is the real control over the security and intelligence services are part of the secret permanent unaccountable Government.

    We have seen from the arms to Iran, Iraq affairs, the Sandline affair and other scandals that politicians and Parliament have little or no control and are more like players in a pantomime put on for the general public and gullible public.”

    Gerald James.

  • crab

    I don’t think the hyped reporting has started yet Richard, so far this is coming from the ‘Nerdy’ sources.

    http://www.virusbtn.com/conference/vb2010/abstracts/LastMinute7.xml

    “Stuxnet is the first publicly known worm to target industrial control systems, often generically referred to as SCADA systems. Not only did Stuxnet include malicious STL (Statement List) code, an assembly-like programming language, which is used to control industrial control systems, it included the first ever PLC (programmable logic controller) rootkit hiding the STL code. It also included a zero-day vulnerability to spread via USB drives, a Windows rootkit to hide its Windows binary components, and it signed its files with certificates stolen from other unrelated third-party companies. All of these characteristics are noteworthy in their own right, however when they all converge within one threat it is clear that there is a special force at work. Any threat that is capable of taking control of a real-life physical system is worthy of a closer look, and here we present our analysis of such a threat.”

  • Richard Robinson

    “I don’t think the hyped reporting has started yet …”

    I agree it could well get worse ;-/ (and also, of course, potentially more illuminating, as people have time to disassemble it more completely).

    (That Symantec link seems to have a tinge of vapourware ? Much talk of how a ‘presentation’ ‘will show’ this that and the other, but it doesn’t seem to be actually there and doing it ?)

    I’m not saying it isn’t all awesomely clever and etc, I’m just remarking that an expert who doesn’t seem aware of events that were quite loudly reported 2 years ago should maybe be taken with a pinch of salt in his less-checkable assertions.

    See also some of the analyses of the Storm botnet, military analogies were drawn there too, though in that case I think the fingers were pointed at Russian mafias.

    I’m not saying it isn’t all a major problem, either.

  • crab

    welcome Ingo -on that note, people have been referring to this Reuters report from last year –

    “Wary of naked force, Israel eyes cyberwar on Iran”

    http://www.ynetnews.com/articles/0,7340,L-3742960,00.html

    Hi Richard, the previous (known) incidents seem to be just website and email hacks. They might be said to have the same malicious intent, but i can’t see a practical parallel with this combined windows/PLC rootkit.

    Sorry i was disappointed too when i realised my link was only the abstract to a talk. I don’t really have time for this 🙁 but i will be fascinated to hear more details about this virus. It is like a new genus of malware, -military/industrial malware 🙁

  • Richard Robinson

    “i was disappointed too when i realised my link was only the abstract to a talk”

    There was a German one Clark (? I think) posted, was the same (“geekheim” ? nice name); shocking conclusions, all will be revealed at a speech he’s making later … there are reputations to be made here, if only it’s a really stupendously big-enough issue. People are marking territory.

    Which, in the technoworld, is how it works. I guess. People take bits of it apart, guess at conclusions and argue over them, and when the dust settles, the ideas that survive are the ones that weren’t wrong; then immune systems are built, and every now and then someone even installs them.

    But in the meantime, the reporters only have to sell a story. And, I have to say, the idea of a nuclear reactor running control software from someone who warns that it’ll go titsup if you try and change the passwords, all based on an unlicensed Windows installation, is a striking story, genre “horror”.

    “It’s a new genus”. Well, possibly, but all sorts of assorted malware have been the first to do this-that-and-the-other, in their day. The Great Worm of ’86 (breaks into Geordie-accented song) did clever stuff no-one had experienced before, too. It’s an arms-race.

    None of which is to dismiss the fact that it appears to exist, and could be serious (or that malware in general is a problem. It is, in a big way). Just, it doesn’t follow that everything written about it will be true.

  • Clark

    Spot on, Crab: Military-Industrial (Complex?) malware. Notable points that make Stuxnet special:

    1) It modifies actual industrial control systems, not just PCs. This is absolutely new.

    2) It uses four Windows ‘Zero Day’ exploits. Two is the most ever seen together before, and could indicate complicity by Microsoft.

    3) It can infect PCs not attached to the Internet, via infected USB memory sticks. This is rare.

    4) It deliberately LIMITS its own propagation, to help prevent being detected, ie it is stealthy and targeted.

    5) It is very well written so as not to crash its host PC – more stealth.

    PLCs control industrial systems. Stuxnet’s target is Siemens PLCs, which are prepared for use by Siemens ‘Step 7’ software that runs on Windows. So the attack route is:

    Internet to Windows to USB Stick to offline Windows to ‘Step 7’ to PLC to physical machinery.

    ‘Step 7’ software is password protected to prevent abuse, and Stuxnet uses the default password. Siemens recommend that the default password not be changed. This could indicate complicity by Siemens.

    Stuxnet was discovered by an almost unheard of anti-virus company in Belarus called VirusBlokAd in June 2010. It may have been released in June 2009, in which case it may have already completed its ‘mission’.

    Ralph Langner says that Stuxnet is precisely targeted at ONE industrial process, by examining Data Block 890 in the PLC – this would require insider knowledge within the targeted organisation. However, Symantec say that Stuxnet creates DB890 itself.

    http://www.langner.com/en/

    http://frank.geekheim.de/?page_id=128

  • glenn

    Richard: Good points there. The reporters haven’t got the faintest clue about the technical issues, being liberal arts graduates that are functionally innumerate and technically illiterate. I’d be pretty surprised if the Iranians (or anyone else for that matter) were running their control systems on Windows-7. That by itself would be a recipe for disaster, you wouldn’t need any virus/worm to destabilise it. And the idea that one could gain real-time control is ludicrous – you’d need a direct “Internets” connection to enable such a thing, and we’ve already heard that the systems are stand-alone.

    If it depended on interfacing with the various three term controllers (proportional, derivative and integral) that typically manage each of the tens/hundreds of thousands of components comprising typical plants, we’d have to target the systems so accurately, that the information about those systems would have to come from precise blueprints. To make the attack catastrophic, so that automatic safety systems all fail, it would be easier to have set the systems up so that they’d all fail in the first place as an inside job.

    I can quite imagine that a lot of personal computers might have been compromised, but that’s the limit of it. A massive series of individually redundant three-term controllers are not going to find themselves all reprogrammed in such a precise way that reactors go into meltdown, by dint of laptops getting a virus. How is such a virus/worm/whatever going to distinguish between petrochemical plants, nuclear reactors, biscuit factories, countries, or official friends as opposed to official enemies? Israel might find its own nuclear programme compromised just as readily – and does it really want another Chernobyl on its doorstep?

    The entire story seems a bit overblown for this former writer and designer of software for the nuclear industry to take seriously.

  • Clark

    Suhayl Saadi,

    a question for you. The following ‘string’ was found within Stuxnet:

    b:\myrtus\src\objfre_w2k_x86\i386\guava.pdb

    Myrtus? Guava? What significance might these words have?

  • Clark

    Richard Robinson,

    there are two interesting articles from Germany I’ve found. There’s the Langner link above; Langner is a PLC expert who has analysed Stuxnet’s behaviour in PLC chips. I linked to the wrong Frank Geekheim article. His theory is that Stuxnet has already crippled Iran’s uranium centrifuges:

    http://frank.geekheim.de/?p=1189

  • glenn

    Hi Clark…

    The interface might be handled through a windoze interface, but the system itself is running something else altogether, which needs to be programmed through pretty much an assembly language level protocol that needs detailed knowledge before it can do anything more than simply be a tiny malfunctioning component.

    The idea that an entire nuclear plant is being controlled by a single (or even a group of) XP systems is utterly ludicrous – many of the monitoring or interfacing control systems might be, but sending in a blind virus to cause a meltdown is pure science fiction, along the lines of the film Independence Day (where a virus is supposedly uploaded to the systems of invading aliens ships, causing their systems to all set to self-destruct).

    You’d need to simultaneously re-programme thousands of the three-term controllers to behave in a very specific, catastrophic way on an individual basis. It would require an extensive, advance knowledge of the function and identity of each of the controllers – not to mention the plant – all of which would have to be pre-programmed into the virus, there’s no way it could work it out on the fly, in the vague hope that it would hit the specific group of systems for which it had been individually designed. And just hope nobody had changed anything on the plant between getting the information, designing/writing the virus, sending it out and it reaching the target machines. Pretty staggering odds for a plant which is a work in progress!

    It’s an interesting story, but having spent years working at scores of nuclear and other plants (petrochemical and the like), the idea that a windoze virus might make the whole shebang unstable to the point of a catastrophic event occurring is… well, highly improbable to say the least.

  • Richard Robinson

    Clark “Langner is a PLC expert who has analysed Stuxnet’s behaviour in PLC chips.”

    Mmm. I saw a comment on a half-dozen lines of asm. How many more remain to investigate ? And he’ll tell us more details next week, coming soon, watch this space … which doesn’t imply he’s bound to be wrong, just that we haven’t seen the reason to believe he’s right yet. It’s a trailer.

    “I linked to the wrong Frank Geekheim article. His theory is that Stuxnet has already crippled Iran’s uranium centrifuges:”

    Thanks, yes, I saw that somewhere.

    And I saw somebody else asking why it’s got update mechanisms built in if it’s a once-off, why it’s still propagating if it’s so cunningly built and did its job 18 months ago. And somebody else pointing out that actually there are a hell of a lot of infections in Indonesia too, and another place or two that I forget. And stuff. And maybe some of the theories are right.

    It’s good to hear from someone who actually has experience of these things, thanks glenn.
