Security Blog


Throwing Stones in a Glass Infrastructure

Posted by: Patrick Snyder

Tagged in: stuxnet, News, Egypt, cyber warfare


We must all understand that the net is fragile and it can be taken down. We have seen this 'kill switch' in action recently in Egypt. Libya is also taking its cue from Egypt: in spite of social unrest, its government has also begun shutting down network access. Things are slipping out of hand very quickly, but Americans can breathe a sigh of relief, or can we?

It seems our government is getting ahead of this situation before we meet a similar issue. Senators Joseph Lieberman and Susan Collins reintroduced legislation that prohibits this type of 'Internet Kill Switch' from being initiated by the president. Just as we have a right to bear arms and a right to assemble, we have a right to the net.

One issue still remains: now that this type of mass Internet blackout technique has surfaced, we must be concerned not only with the authorities doing it but with everyone else who can now see that this capability does indeed exist.

Taking down the Internet is easier than you may think. The net has two fundamental services. The first is a name and address service, handled through the Domain Name System (DNS) infrastructure; without it we don't have email, VoIP, web traffic or any web 2.0 technologies, including the growing Cloud infrastructure. The second service is routing. IP routers run software and can be attacked through a wide range of exploits. Last week, researchers at the University of Minnesota described a targeted DDoS attack that could knock out these services.

Another aspect the Egyptian outage showed us is that nation-states either already have or are aggressively building the tools to disrupt the Internet. Think back to the Stuxnet attacks: Iran acknowledges that a joint effort between the United States and the Israelis caused serious damage to the Iranian power infrastructure by damaging centrifuges in their nuclear power plant. If we can attack their infrastructure and get away with it, why would we think they won't attack ours? Mass terrorism could very well go cyber sooner than we know it. Last week, the head of the National Security Agency said that the United States should expect to be attacked. That's right, EXPECT it.

I think the message is clear: for Cloud computing and for general business continuity, resiliency and backup systems are not luxuries, they're mandatory!




Imagine a war where your enemy is given a perfect replica of each weapon you use. If you shoot a machine gun, they instantly get one. If you use an RPG, they get one. The more you think about it, the more untenable it becomes. That’s what our cyberwarfare looks like. Code is code, good and bad. But take our example one step further and realize that every evil piece of code resides in the wild and can be aggregated with techniques and practices to develop ever-more sophisticated attacks.


Security is changing. We see it everywhere. It’s becoming INSTITUTIONALIZED. That scares me. Too often we begin to embed practices prematurely. A great example – we’ve institutionalized strong passwords. It will take decades to get rid of them. They’re an oxymoron. If passwords are something an individual knows that we want to use for authentication, then strong passwords are a security violation, because they’re something the user DOESN’T KNOW! They have to be written down somewhere. They’re tokens. But today’s compliance software tests and makes sure every user has a password they have to write down.


Now we confront STUXNET, and the A/V vendors say it’s a new world of Advanced Persistent Threats where signatures have little value. But we’ve institutionalized them: they eat up our budgets, create a false illusion of security and can’t do anything at all when we send encrypted traffic.


I hope you’ll find time to join us at a Strategy to Reality workshop soon. Five years ago we addressed SCADA training, seven years ago we talked about the failure of strong passwords, and last year we covered the covert channels we’ve created by introducing VoIP and leaving it out of the classical security architecture.



It’s a start ….


No matter what level you’re at, you need to stay aware of how technology transitions are creating new exposures. You need to be thinking about all the elements of your enterprise exposed to the net. You need to understand that there are serious scientists working for bad guys.