Tuesday, November 22, 2011

Hacked off

It's not only me.  The list of folks being hacked -- about which we all should be hacked off -- is depressingly long. And no, this post isn't about the latest sorry litany of identity thefts or compromises of credit-card databases (as maddening as those incidents are).

It's about matters far worse.

A major factor in my novel Fools' Experiments (2008) was a hostile entity -- in this case, an artificial intelligence -- wreaking havoc on the physical world via the Internet. Born to cyberspace, the AI didn't understand the physical world, but -- justifiably ticked off, for reasons I won't go into here -- it undertook to compromise networked resources that it found to be well-protected. Someone obviously valued them.

If only network-accessible resources were well protected ...

Fast-forward merely three years. From PC Magazine: "Illinois Water Utility Pump Destroyed After Hack." On the same incident, also see, from Physorg.com: "Foreign cyber attack hits US infrastructure: expert."

And the SCADA (Supervisory Control And Data Acquisition) interface that provided the hacker with access to the physical-world pump? SCADA devices are common things -- widely at risk, at least in principle, to more such meddling.

It's not only the US, of course, that's under attack. Consider (from Yahoo News) that "Norway hit by major data-theft attack." Modern economies run on energy. We're told that:
At least 10 different attacks, mostly aimed at the oil, gas, energy and defense industries, were discovered in the past year, but the agency said it has to assume the number is much higher because many victims have yet to realize that their computers have been hacked.
As modern warfare, at least as practiced by the US, switches to unmanned and computerized weapon platforms (not yet, quite, to robots), how worrisome is this CBS report that: "Virus infects Pentagon drones' computers"?
It's not clear whether the virus was deliberately aimed at the military computers or whether it got there through the general spread of infectious malware, but "the virus has resisted multiple efforts to remove it from Creech's computers," Wired reported, citing three unnamed sources. (Aside: that's Creech AFB in Nevada.)

Also unclear is whether the keylogger software has revealed any secure data. But it is running on classified computer networks, Wired said.
Not very reassuring, is that? Especially when:
Wired reported that the virus was discovered two weeks ago and that the virtual pilots continue to run missions from the Air Force base.
Last for today, but certainly not least, consider this lengthy report from The Wall Street Journal: "Document Trove Exposes Surveillance Methods." The WSJ's reporter visited a trade show for commercial systems with which governments and law enforcement agencies can hoover up and examine vast quantities of electronic communications.
At the Washington and Dubai trade conferences this year, which are generally closed to the public, Journal reporters were prevented by organizers from attending sessions or entering the exhibition halls. February's Dubai conference took place at a time of widespread unrest elsewhere in the region. Nearly 900 people showed up, down slightly because of the regional turmoil, according to an organizer.

Presentations in Dubai included how to intercept wireless Internet traffic, monitor social networks and track cellphone users. "All of the companies involved in lawful intercept are trying to sell to the Middle East," said Simone Benvenuti, of RCS SpA, an Italian company that sells monitoring centers and other "interception solutions," mostly to governments. He declined to identify any clients in the region.
The article sheds some light on how the exploits are done. Such as:
Among the most controversial technologies on display at the conference were essentially computer-hacking tools to enable government agents to break into people's computers and cellphones, log their keystrokes and access their data. Although hacking techniques are generally illegal in the U.S., law enforcement can use them with an appropriate warrant, said Orin Kerr, a professor at George Washington University Law School and former computer-crime attorney at the Justice Department.
Vupen, which gave a presentation at the conference on "exploiting computer and mobile vulnerabilities for electronic surveillance," said its tools take advantage of security holes in computers or cellphones that manufacturers aren't yet aware of. Vupen's marketing documents describe its researchers as "dedicated" to finding "unpatched vulnerabilities" in software created by Microsoft Corp., Apple Inc. and others. On its website, the company offered attendees a "free Vupen exploit sample" that relied on an already-patched security hole.
The documents for FinFisher, a Gamma product, say it works by "sending fake software updates for popular software." In one example, FinFisher says intelligence agents deployed its products "within the main Internet service provider of their country" and infected people's computers by "covertly injecting" FinFisher code on websites that people then visited.

The company also claims to have allowed an intelligence agency to trick users into downloading its software onto BlackBerry mobile phones "to monitor all communications, including [texts], email and BlackBerry Messenger." Its marketing documents say its programs enable spying using devices and software from Apple, Microsoft, and Google Inc., among others. FinFisher documents at the conference were offered in English, Arabic and other languages.
 Meanwhile, of course, the trend in popular software is to default to automatic updates (Microsoft Windows) or not even give users a choice of if/when to accept an update (the last time I checked, the popular Opera browser).

To bottom-line it, societal exposure to malware and networked malfeasance continues to grow. The occasional rogue AI will fit right in ...

(And with that cheery thought, I'll wish a Happy Thanksgiving to my US readers.


Edward M. Lerner said...

On the lighter side of the malicious destruction of vital infrastructure (sorry, but AFAIK Blogger doesn't support live links in comment fields), here's a related item from the Onion:


Mike H said...

As an engineer in the power industry, all I can say is yikes! Prohibiting remote control of unstaffed facilities just isn’t feasible today. Your only defenses against this are well trained operators who routinely monitor not only control screens, but also read/record local gages, a fairly standard procedure for PSM facilities, robust hardware safeties and disconnects, and isolated controllers for process critical functions.

Fortunately, I have never been to a plant that runs its DCS on a Windows OS.