Wall Street Journal
WORSE THAN WE THOUGHT
The impact of the SLAMMER worm was greater than we realized at the time.
On 20 September 2004, Forbes magazine reported additional disruptions to corporations.
"A total 270 utilities that generate 80% of the nation's electricity
use control systems that are ripe for hacking, according to research by
Ted G. Lewis for the Navy Postgraduate School." [Presumably they
used unhardened SCADA Supervisory Control & Data Acquisition,
and DCS Distributed Control System technology.]
"... Slammer infected a private computer network at [the dormant]
David-Besse nuclear power plant in Oak Harbor, Ohio, disabling a safety
monitoring system for nearly five hours, says the Nuclear Regulatory
Commission. The dormant plant's process computer failed, and it
took six hours to get it up and running again. At another
utility, in an undisclosed city, Slammer downed the computer network
controlling vital equipment."
infection doubled every 8.5 seconds, and every new machine immediately
sought the next wave of recruits. In 3 minutes, 55 million
systems were being scanned per second for possible entry. After
ten minutes, 90% of the world's vulnerable hosts were in thrall.
(Stefan Frei, ETH Zurich)
2009: IT'S TOO LATE
PRANKS BY KIDS TURN INTO ATTACKS BY NATIONS
Security problems will not be successfully tackled until the
corporations responsible for them become legally responsible for
the financial losses they cause others. Our lack of national
courage and political will to take this step is an advertisement of
weakness that invites others to attack us. In 2009, our
invitation was accepted: China attacked over 30 American corporations.DECEMBER 2009: CHINA HACKS 32 US COMPANIES
The 12/09 attack was publicly disclosed by Google on Tuesday, 12 January 2010.
really makes this is a watershed moment in cybersecurity is the
targeted and coordinated nature of the attack with the main goal
appearing to be to steal core intellectual property."
--McAfee Chief Technology Officer George Kurtz, quoted by
Steven Musil writing in C-Net news.
code was stolen from some of the 32 Silicon Valley companies.
Adobe Systems has confirmed that it was targeted by an attack, and
sources have said Yahoo, Symantec, Juniper Networks, Northrop Grumman,
and Dow Chemical also were targets.http://news.cnet.com/8301-1009_3-10436476-83.html?tag=mncol
apparent target of the Google penetration was Google's g-mail service,
in order to find Chinese dissidents in the US trying to support
democracy in China. Being able to find and read dissidents'
e-mail correspondence would enable China to identify and imprison
activists in China as well as threaten family members in China in order
to silence dissidents in the United States -- a double-sided win-win
SecurID from RSA, Inc. is a keychain fob with a
little LCD screen that shows a changing 6-digit number.
Corporations issue SecurID to employees who need access to
classified data systems while on the road. The numbers on every
keyfob are different. To enter the corporate network, you must
possess the keyfob and log on with the correct 6-digit number for your
name and PIN.
In March 2011 SecurID data was stolen from RSA,
Inc. and in June 2011, the theft came home to roost, when
Lockheed-Martin and L-3 Communications experienced many attempted
penetrations by would-be intruders who knew the SecurID authorization
codes that opened their corporate networks.
The details:The RSA SecurID keychain fob
a different 6-digit random number every 30 seconds or so. A
server in headquarters can calculate each person's number and admit him
if he types that number in. This parallel calculation at the
server and for all the keyfobs in the field is possible because both
the HQ server and the keyfob are synchronized to the same starting
number -- called the "seed" -- and are programmed to run the same
cryptographic algorithm to get a fresh 6 digit number every 30 seconds.
Corporate and military networks are protected world-wide by 40 million SecurID keyfobs.
17 March 2011, RSA revealed in a letter to customers that its
computer network had been attacked by an "advanced persistent
threat". The data extracted by a "sophisticated" attacker was
information about RSA's SecurID key fobs. If the data was
the serial number of individual SecurID units and their random number
"seeds", then the thief could potentially calculate the magic number
for any keyfob at any time in the future, and breach a key barrier to
unauthorized access to the nation's corporate and military
networks. How advanced, persistent and sophisticated was the
How RSA was penetrated
Here's how it was done, according to F-Secure:
The attackers spoofed an e-mail to make it appear to come from "web
master" at Beyond.com, a job-seeking and recruiting site. The
entire message? "I forward this file to you for review. Please
open and view it." This was apparently enough to get the intruders the
keys to RSAs kingdom. This was enough to break the cryptography
behind 40 million SecurID entry keys because RSA kept spare copies of
all the keys issued to its customers and their servers on its own
server, which was on the Internet, not isolated.
"Please open and view it."
the recipient clicked on the attachment, an Excel spreadsheet opened,
which was completely blank except for an "X" that appeared in the first
box of the spreadsheet. The "X" was the only visible sign that there
was an embedded Flash exploit in the spreadsheet. Excel
automatically activated the Flash code -- the user didn't have to do
anything, and the Flash code didn't do anything either, except drop a
"backdoor" entrance into the user's computer system, in this case a
backdoor known as Poison Ivy. A security flaw in Adobe's Flash
player which the company had not patched enabled malicious software
developers to modify the big Flash program to contain and install the
small "Poison Ivy" program. So another corporation, not RSA Inc.,
released insecure software and the didn't fix it in time.
installed, Poison Ivy reaches out to a command-and-control server that
the attackers controlled at good.mincesur.com, a domain that F-Secure
says has been used in other espionage attacks, giving the attackers
remote access to the infected computer at EMC (EMC Inc. acquired RSA
Security on 30Jun2006 for $2.1B). From there, they were able to
reach the systems and data they were ultimately after.
F-Secure notes that neither the phishing e-mail nor the backdoor it
dropped onto systems were advanced. One might call the zero-day
Flash exploit used to drop the backdoor into the victim PC "advanced",
if only because it was "zero day". Most vulnerabilities are discovered
by white-hat security experts, who tell the corporations which
own the vulnerable software about them. One then counts the days
(weeks, months) it takes the corporation to admit the fault, admit
others were more clever than they to discover it first, and then incur
the expenses needed to fix (patch) the fault. A zero-day exploit
is one that exploits a fault discovered by black-hat security experts
who do not tell the company -- the company has had zero days to protect
itself and its users.
THE OTHER SHOE DROPS:
1June2011, Lockheed and L-3:
L-3 Communications became the second victim of an attempted hack attack
that relied on the RSA SecurID intrusion that took place in March of
the same year.
L-3's Stratus group had been actively targeted with attacks based on
"leveraging compromised information" from the SecurID keyfob two-factor
authentication system, according to a company memo obtained by Wired
magazine. L-3, which supplies command and control systems
to the US military, would only say that this particular incident had
been resolved, without saying how, or after what damage.
News of the attempted L-3 breach comes days after Lockheed Martin
suspended remote access and began re-issuing the SecurID keyfob tokens
following the detection of hacking attacks also linked to the
high-profile breach against RSA back in March. The manufacturer of F-22
and F-35 fighter planes confirmed the attempted hack, first reported by
tech blogger Robert Cringely, which took place on or around the weekend
on 21 May. http://www.theregister.co.uk/2011/06/01/military_contractor_2nd_rsa_securid_hack/2025: IT WILL GET WORSE
War III: Scenario for 2025
The technology of space and cyberwarfare is so new
and untested that even the most outlandish scenarios may soon be superseded by a
reality still hard to conceive. If we simply employ the sort of scenarios that
the Air Force itself used in its 2009 Future Capabilities Game, however, we can
gain “a better understanding of how air, space and cyberspace overlap in
warfare,” and so begin to imagine how the next world war might actually be
It’s 11:59 p.m. on Thanksgiving Thursday in 2025. While
cyber-shoppers pound the portals of Best Buy for deep discounts on the latest
home electronics from China, U.S. Air Force technicians at the Space
Surveillance Telescope (SST) on Maui choke on their coffee as their panoramic
screens suddenly blip to black. Thousands of miles away at the U.S.
CyberCommand's operations center in Texas, cyberwarriors soon detect malicious
binaries that, though fired anonymously, show the distinctive digital
fingerprints of China's People's Liberation Army.
The first overt strike
is one nobody predicted. Chinese “malware” seizes control of the robotics aboard
an unmanned solar-powered U.S. “Vulture” drone as it flies at 70,000 feet over
the Tsushima Strait between Korea and Japan. It suddenly fires all the rocket
pods beneath its enormous 400-foot wingspan, sending dozens of lethal missiles
plunging harmlessly into the Yellow Sea, effectively disarming this formidable
Determined to fight fire with fire, the White House authorizes a
retaliatory strike. Confident that its F-6 “Fractionated, Free-Flying”
satellite system is impenetrable, Air Force commanders in California transmit
robotic codes to the flotilla of X-37B space drones orbiting 250 miles above the
Earth, ordering them to launch their “Triple Terminator” missiles at China's 35
satellites. Zero response. In near panic, the Air Force launches its Falcon
Hypersonic Cruise Vehicle into an arc 100 miles above the Pacific Ocean and
then, just 20 minutes later, sends the computer codes to fire missiles at seven
Chinese satellites in nearby orbits. The launch codes are suddenly
As the Chinese virus spreads uncontrollably through the F-6
satellite architecture, while those second-rate U.S. supercomputers fail to
crack the malware's devilishly complex code, GPS signals crucial to the
navigation of U.S. ships and aircraft worldwide are compromised. Carrier fleets
begin steaming in circles in the mid-Pacific. Fighter squadrons are grounded.
Reaper drones fly aimlessly toward the horizon, crashing when their fuel is
exhausted. Suddenly, the United States loses what the U.S. Air Force has long
called “the ultimate high ground”: space. Within hours, the military power that
had dominated the globe for nearly a century has been defeated in World War III
without a single human casualty.THE BOTTOM LINE
need to be made legally liable for what it costs customers to
shut down and clean their computer systems when programs and operating
systems are insecure. We would then see secure software and
much faster fixes. Automobiles are recalled and faults are
fixed in special places called garages, but any software problem is
your problem, not theirs. Some will observe the software
industry is younger than the automotive industry and just needs to
mature in the fullness of time. I say these corporations
lack of loyalty to the country and our needs as a nation is an attack
on our national security.
J. I. Nelson, Ph.D.
jerry-va at speakeasy dot net--end
top of this page: There is still time
It is too late.
It will get worse.
home page of this Website
Rev 12/06; Rev 14Oct2011 Chinese attacks of 2010