Category Archives: Security

Energy, Security

Clean Taxis

Leave a comment

When I traveled around Kathmandu the city was filled with diesel carts that poured black acrid-smelling pollution into the streets. Polluting taxis were banned in 2000.

Kathmandu is one of the most polluted cities in Asia, vehicular emissions accounting for a big share.

Besides posing a health hazard to the public, the growing pollution is also seen as a threat to the tourism industry.

Save the tourists.

I just read about a similar trend finally catching on in other cities such as New York, London and San Francisco. According to the Automotive Insider major innovation in urban taxi technology is just around the corner.

London suffers from severe pollution. Taxis account for 12% of NOX and 24% of particulate matter in central London. In June 2008, Mercedes unveiled the London EVito, a six-seater electric vehicle that is taking the market by storm. Running on a 35w lithium ion (Li-Ion) battery, the EVito runs for 75 miles on a single charge and takes 6 hours to recharge using the UK standard 240v input. It sports anti-lock brakes, electronic stability control and onboard diagnostics. In order to swerve around Blue Bell “kerbs” (curbs), the front-wheel drive EVito utilizes partial rear-wheel drive to achieve its tiny 25-foot turn radius.

That was two years ago and many more are on their way.

In 2013, Volkswagen plans to release its Milano taxi. Using advanced lithium ion (Li-Ion) batteries, the demure, charming Milano has a single broad side-door swerving open to reveal its four spacious seats. It has an electronically-limited speed of 75 mph and 67 continuous horsepower. Nissan plans to unveil its avant-garde Nissan Leaf in 2011, with a 100 mile driving range, while Mitsubishi, Renault, Toyota, Honda, Ford, Chevy and other companies are currently or planning on offering ecological vehicles.

This Milano sounds like the ideal shared commuter car. Hopefully by 2013 some of the usual risks of batteries will be sorted out…or a diesel-hybrid option will be available.

Security

Ig Nobel Prizes and Security

Leave a comment

Several of the Ig Nobel winners this year seem to have done studies relevant to security:

MEDICINE PRIZE: Simon Rietveld of the University of Amsterdam, The Netherlands, and Ilja van Beest of Tilburg University, The Netherlands, for discovering that symptoms of asthma can be treated with a roller-coaster ride.

Asthma symptoms really have their ups and downs.

PHYSICS PRIZE: Lianne Parkin, Sheila Williams, and Patricia Priest of the University of Otago, New Zealand, for demonstrating that, on icy footpaths in wintertime, people slip and fall less often if they wear socks on the outside of their shoes.

Someone has finally proven the value of SOX relative to risk.

PEACE PRIZE: Richard Stephens, John Atkins, and Andrew Kingston of Keele University, UK, for confirming the widely held belief that swearing relieves pain.

Next they will research whether swearing removes Stuxnet.

Last, but not least: A man named Barbeito studied the health risks of beards but was too sick to accept the award:

PUBLIC HEALTH PRIZE: Manuel Barbeito, Charles Mathews, and Larry Taylor of the Industrial Health and Safety Office, Fort Detrick, Maryland, USA, for determining by experiment that microbes cling to bearded scientists.

WHO ATTENDED THE CEREMONY: Manuel S. Barbeito was unable to travel, due to health reasons. A representative read his acceptance speech for him.

History, Security

Stuxnet Pinned on Israeli Unit 8200

Leave a comment

I still am not convinced that it has to be the US or Israel. Just because geo-politically these two are the most adamant about shutting down Iran’s nuclear capability does not mean they are the Stuxnet authors. There is likely to be a more complex relationship of agents at work, such as Iranian dissidents, insiders and then perhaps support from the US and Israel.

Never mind me, however, the Telegraph says Israeli cyber unit responsible for Iran computer worm

Computer experts have discovered a biblical reference embedded in the code of the computer worm that has pointed to Israel as the origin of the cyber attack.

The code contains the word “myrtus”, which is the Latin biological term for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia.

Well, more to the point (pun not intended) Jewish mysticism associates myrtle with masculinity; specifically the penis. Are the computer experts saying this word “myrtle” is sufficient proof because they see Israel as the most likely nation to want to penetrate (for lack of a better word) Iran?

That interpretation is the opposite of the more traditional Jewish practices during harvest celebrations — myrtle is associated with with doing good deeds.

It seems the myrtle could be taken to mean many things.

Moreover, myrtle is also found in northern Africa. The Greeks link it to Aphrodite, Romans say it is dear to Venus. Code is shared. Teams are diverse. Thus, myrtle not only has many meanings but also appears to be important for many nations. I recently went to a Myrtle Beach in South Carolina. Come to think of it there was a suspicious looking person with a laptop there…

Those two reasons (interpretation and geographic distribution) make it difficult for me to automatically think of Israel when I hear of myrtle. If the official symbol for Israeli Unit 8200 was a branch of (flaming?) myrtle I would be more open to believe there is a clear and simple association.

Perhaps a little history can shed more perspective on the Stuxnet references and investigation; take, for example, the CIA document “Clandestine Service History — Overthrow of Premier Mosaddegh of Iran — November 1952-August 1953

The demise of Prime Minister Mossadegh in 1953 came as a result of a coup that was backed by the US CIA to protect British oil companies operating in Iran. The CIA not only convinced Iranians that the democratically elected leader was too dictatorial, but they managed to pressure Mossadegh into defending his ability to stay in power. The US paid “fake” mobs (both against and for a coup) to destabilize the country, stage terrorist activities and eventually arrest the prime minister. Was foreign money the only motivator of these mobs?

Even with the advantage of time past the tangled relationship between US and British intelligence and their roles, not to mention collaboration by internal groups and organizations, are still debated. Some say the coup was clearly a US operation but it can not be denied that there were many facets to the threat that Iran faced.

At this point it seems the word myrtle makes Stuxnet an Israeli operation as much as one swallow makes it spring.

Edited to add: Another reference to Israel has been cited by Threatpost in “Stuxnet Analysis Supports Iran-Israel Connections

Though most of the conversation about Stuxnet is still based on conjecture, [Symantec analyst Liam] O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on industrial control systems by Siems backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. As for Iran, O Murch merely pointed to Symantec data that show the country was the source of the most Stuxnet infections. Iran has since blocked communications to Stuxnet’s command and control infrastructure, he said.

As for suggestions that Israeli intelligence may have authored the virus, O’Murchu noted that researchers had uncovered the reference to an obscure date in the worm’s code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, who was executed by the new Islamic government shortly after the revolution.

Are you convinced? Attribution is virtually impossible on the network. This sounds more like wishful thinking than proof. Note the “shortly after the revolution” end to their analysis. That date could also be significant to Iranian insiders. Iranian Jews may not be Israeli, even if they have left Iran. Back to my point above, others were executed at the same time. Speaking of Time, an issue from May 21, 1979 makes my point rather darkly:

Last week’s execution of 38 men brought to 204 the number of those condemned to death before firing squads. Among the latest victims were two former Ministers of Information, the last speaker of the lower house of parliament under the Shah, and a number of members of the notorious antiterrorist committee of SAVAK, the disbanded secret police, including a physician charged with specializing in torture techniques.

The two businessmen, both multimillionaires, were Habib Elghanian, a plastics manufacturer and the first Jew to be condemned, and Rahim Ali Khorram, a Muslim who owned a string of gambling casinos and bordellos.

It could be a date significant to others; 204 men of different faiths, backgrounds, beliefs and families were executed at that time. This is not to downplay the importance of one man’s death, of course, but to try and paint a more realistic picture of who might want to now threaten Iran’s nuclear program (assuming Iran is the target).

It is not as easy as A versus B. My studies in International History, as well as travel, has pushed me towards threat models that are more like this:

Impressionable talent in country X, Y and Z end up in country B where they receive information and training from country C, which believes they must act upon information from country D, E and F, funded by countries D, G and H.

It is more like a social network effect, with hard and soft acquaintances, than the two sides of a boxing ring distinguished by their bright colors. The gray area has to remain in focus not only to keep a more accurate record of attribution but also to make it possible to understand the threats and hopefully detect or even prevent attack. It seems we like to think in polar terms because it brings comfort, but in reality we live in a complex world.

Or I could be totally wrong and the next thing revealed about the Stuxnet code is someone’s phone number and address in downtown Jerusalem, which is obviously located in (wait for it…) Arkansas, USA. Thought I was going to say Israel, didn’t you?

Edited again to add: F-Secure has a hilarious Q&A page on Stuxnet. Well worth reading for a balanced view from a security vendor. I suspect Stuxnet soon will be fodder for best joke of the year. Here is just a brief example:

Q: Is it true that there’s are biblical references inside Stuxnet?
A: There is a reference to Myrtus (myrtle plant). However, this is not “hidden” in the code. It’s an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project “Myrtus”, but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is “Myrtle” a biblical reference?
A: Uhh…we don’t know, really.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.

Q: What’s the signifigance of “19790509”?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused to be spying for Israel.

Q: Oh.
A: Yeah.

Guava? What about 5th of September, 1979? Grateful Dead concert, dude, in Madison Square Garden! It also is the date that the Iranian army occupied Piranshahr on the border with Iraq. That seems more like an “infection marker” if you know what I mean.

Funny stuff.

Ok, so now I wonder how best to dress like Stuxnet for Halloween.

Security

Zeus Crime Ring Busted

Leave a comment

The US Attorney’s Office announced they were able to shut down an international crime ring that used the Zeus malware to steal money from US bank accounts.

…charges against 37 defendants, in 21 separate cases, for their roles in global bank fraud schemes that allegedly used hundreds of false-name bank accounts to steal over $3 million from dozens of U.S. accounts that were compromised by malware attacks. […] The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, an individual who obtained the false foreign passports for the mules, and money mules.

CNN calls it Trojan malware blamed for $3 million bank fraud

I am not a fan of calling things Trojan horse malware because the horse is so often removed, leaving just Trojan malware. That doesn’t sound right. Anyway, back to CNN:

According to complaints unsealed in Manhattan federal court, defendants used the Zeus Trojan program to surreptitiously obtain personal information and then hack into victims’ bank accounts.

The hackers then allegedly made unauthorized transfers of “thousands of dollars” to the bank accounts belonging to co-conspirators. Prosecutors said the malware was typically sent as an “apparently-benign e-mail” that embedded itself in the victims’ computers once it was opened.

The program, officials said, recorded keystrokes and allowed hackers to steal private account information, passwords and other “vital security codes.”

The alleged cybercriminals, based in Eastern Europe, used “money mules” to transport the stolen money overseas. Some of the mules had entered the United States on student visas or by using fake passports, according to the federal complaint. The FBI has already arrested 10 alleged money mules and 17 remain at large.

The attack path, in other words, starts with an email message that has malware attached. The email message is not filtered as spam and the Zeus malware is not filtered as, er, malware.

There are security control failures on many levels. The underlying story here, however, is one familiar in the physical security space — more secure banks means attacks shift towards more vulnerable users.

Thus, online banking security is good enough that attackers find it much easier to get passwords from users and then they use impersonation to get past bank security. Two-factor authentication, imperfect like the other security controls in question here, was the last standing defense that should have stopped this attack path.

Details of the cases are on the New York FBI site:

  • United States v. Artem Tsygankov, et al.
  • United States v. Artem Semenov, et al.
  • United States v. Maxim Miroshnichenko, et al.
  • United States v. Marina Oprea, et al.
  • United States v. Kristina Svechinskaya, et al.
  • United States v. Ilya Karasev
  • United States v. Marina Misyura
  • United States v. Dorin Codreanu
  • United States v. Victoria Opinca, et al.
  • United States v. Alexander Kireev
  • United States v. Kasum Adigyuzelov
  • United States v. Sabina Rafikova
  • United States v. Konstantin Akobirov
  • United States v. Adel Gataullin
  • United States v. Ruslan Kovtanyuk
  • United States v. Yulia Klepikova, et al.
  • United States v. Alexandr Sorokin
  • United States v. Alexander Fedorov
  • United States v. Anton Yuferitsyn
  • United States v. Jamal Beyrouti, et al.

The DoJ said 21 cases, but I see only 20. Perhaps one is still being prepared.

The wanted poster for the remaining fugitives is also online.

Ask me about how to better protect against this breach, or just attend my presentation on the Top Ten Breaches, October 13th at the RSA Conference in London.