Black Code: Inside the Battle for Cyberspace

by Ronald J. Deibert


  3 the kinds of manoeuvres that could exploit holes: The Siemens and Idaho National Lab 2008 presentation of the PCS7’s vulnerabilities to cyber attacks is available at Marty Edwards and Todd Stauffer, “Control System Security Assessments,” Presentation prepared for the 2008 Siemens Automation Summit, http://graphics8.nytimes.com/packages/pdf/science/NSTB.pdf.

  4 code behind Stuxnet was far larger than a typical worm: Symantec reverse engineered Stuxnet and documented its findings in Nicolas Falliere, Liam Ó Murchú, and Eric Chien, “W32.Stuxnet Dossier Version 1.4,” Symantec, February 2011, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.

  5 an obscure date in the worm’s code: The clues of Israeli involvement in Stuxnet’s code have been reported by Michael Joseph Gross in “A Declaration of Cyberwar,” Vanity Fair, April 2011, http://www.vanityfair.com/culture/features/2011/04/stuxnet-201104, 4; Paul Roberts, “Stuxnet Analysis Supports Iran-Israel Connections,” Threat Post, September 30, 2010, http://threatpost.com/en_us/blogs/stuxnet-analysis-supports-iran-israel-connections-093010; John Markoff and David E. Sanger, “In a Computer Worm, a Possible Biblical Clue,” New York Times, September 29, 2010, http://www.nytimes.com/2010/09/30/world/middleeast/30worm.html?pagewanted=all&_r=0; and William J. Broad and David E. Sanger, “Worm Was Perfect for Sabotaging Centrifuges,” New York Times, November 18, 2010, http://www.nytimes.com/2010/11/19/world/middleeast/19stuxnet.html.

  6 an Iranian double agent working for Israel: Richard Sale reported on how Iranian control systems were infected by Stuxnet in “Stuxnet Loaded by Iran Double Agents,” Industrial Safety and Security Source, April 11, 2012, http://www.isssource.com/stuxnet-loaded-by-iran-double-agents. See also Dorothy E. Denning, “Stuxnet: What Has Changed,” Future Internet 4, no. 3 (2012): 672–687.

  7 high-tech means of fighting clean wars: James Der Derian writes about “virtuous war” in Virtuous War: Mapping the Military-Industrial-Media-Entertainment Network (New York: Routledge, 2009). See also Jennifer Leonard, “James Der Derian on Imagining Peace,” Renegade Media, http://www.renegademedia.info/books/james-derderian.html.

  8 Writing in the Bulletin of the Atomic Scientists: R. Scott Kemp analyzes the implications of developing offensive cyber capabilities in “Cyberweapons: Bold Steps in a Digital Darkness?,” Bulletin of the Atomic Scientists, June 7, 2012, http://www.thebulletin.org/web-edition/op-eds/cyberweapons-bold-steps-digital-darkness.

  9 thirty-three states included cyber warfare in their military planning: James A. Lewis and Katrina Timlin review the policies and organizations of 133 states to determine how they are organized to deal with cyber security in “Cybersecurity and Cyberwarfare,” Center for Strategic and International Studies, 2011; available at: http://www.unidir.org/pdf/ouvrages/pdf-1-92-9045-011-J-en.pdf

  10 Some, like India, boast about developing offensive cyber attack capabilities: On June 11, 2012, the Times of India reported on India’s National Security Council’s plan to allow the Defence Intelligence Agency and National Technical Research Organization to carry out cyber offensives against other countries if necessary, in Josy Joseph, “India to Add Muscle to its Cyber Arsenal,” http://articles.timesofindia.indiatimes.com/2012-06-11/india/32174336_1_cyber-attacks-offensive-cyber-government-networks.

  11 1,800 cases of fake electronic components: The case of counterfeit chips in the flight computer of an F-15 fighter jet at Robins Air Force Base was reported on by Brian Burnsed, Cliff Edwards, Brian Grow, and Chi-Chu Tschang, in “Dangerous Fakes,” Business Week, October 2, 2008, http://www.businessweek.com/magazine/content/08_41/b4103034193886.htm.

  12 via the SHODAN search tool anyone could discover MAC addresses: According to its website, the SHODAN search engine (developed by John Matherly) is “a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners.” In “Cyber Search Engine Shodan Exposes Industrial Control Systems to New Risks,” Washington Post, June 3, 2012, http://www.washingtonpost.com/investigations/cyber-search-engine-exposes-vulnerabilities/2012/06/03/gJQAIK9KCV_story.html, journalist Robert O’Harrow Jr. wrote: “Matherly and other Shodan users quickly realized they were revealing an astonishing fact: Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.”

  13 “I was walking down the street …”: Kim Zetter reported on the RuggedCom vulnerability in “Equipment Maker Caught Installing Backdoor Account in Control System Code,” Wired, April 25, 2012, http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor.

  14 we are building a digital edifice for the entire planet, which sits above us like a house of cards: Supply-chain vulnerabilities have been documented in Committee on Armed Services United States Senate, “Inquiry into Counterfeit Electronic Parts in the Department of Defence Supply Chain, Report 112–167,” May 21, 2012, available at: http://armed-services.senate.gov/Publications/Counterfeit%20Electronic%20Parts.pdf; Marcus H. Sachs, “Can We Secure the Information Technology Supply Chain in the Age of Globalization?” Verizon, http://crissp.poly.edu/media/sachs_slides.pdf; and Dana Gardner, “Corporate Data, Supply Chains Remain Vulnerable to Cyber Crime Attacks, says Open Group Conference Speaker,” ZDNet, June 5, 2012, http://www.zdnet.com/blog/gardner/corporate-data-supply-chains-remain-vulnerable-to-cyber-crime-attacks-says-open-group-conference-speaker/4644.

  The Russian vendor Positive Technologies found alarming statistics about SCADA system vulnerabilities based on an analysis of vulnerabilities in databases like ICS-CERT, Siemens’ Product CERT, exploit-db, and vendor advisories. They found “the number of security flaws found within ten months is far bigger than the number of flaws found during the whole previous period starting from 2005.” Positive Technologies documented its findings in Yury Goltsev et al., SCADA Safety in Numbers, Positive Technologies, 2012, available at: www.ptsecurity.com/download/SCADA_analytics_english.pdf.

  15 “Cyberwar is very different from nuclear war …”: Fred Kaplan, “Why the United States Can’t Win a Cyberwar,” Slate, June 8, 2012, http://www.slate.com/articles/news_and_politics/war_stories/2012/06/obama_s_cyber_attacks_on_iran_were_carefully_considered_but_the_nuclear_arms_race_offers_important_lessons_.html.

  12: THE INTERNET IS OFFICIALLY DEAD

  1 The June 2011 RSA breach hit the American security: “Breachfest 2011” is documented in Matt Liebowitz, “2011 Set to Be Worst Year Ever for Security Breaches,” Tech News Daily, June 10, 2011, http://www.technewsdaily.com/2710-2011-worst-year-ever-security-breaches.html.

  2 I first read about Narus’s technology: Narus’s 2007 press release is available at “Narus Expands Traffic Intelligence Solution to Webmail Targeting,” Narus, December 10, 2007, http://www.narus.com/index.php/overview/narus-press-releases/press-releases-2007/274-narus-expands-traffic-intelligence-solution-to-webmail-targeting.

  3 its sales to Telecom Egypt: Timothy Karr discusses the use of Narus in Egypt in “One U.S. Corporation’s Role in Egypt’s Brutal Crackdown,” Huffington Post, January 28, 2011, http://www.huffingtonpost.com/timothy-karr/one-us-corporations-role-_b_815281.html.

  4 After thirty-three years of active service: In The Shock Doctrine, Naomi Klein argues that Kenneth Minihan is responsible for implementing the “disaster capitalism complex,” defined as “a fully fledged new economy in homeland security, privatised war and disaster reconstruction tasked with nothing less than building and running a privatised security state, both at home and abroad.” Similarly, in his book Spies for Hire, investigative journalist Tim Shorrock traces the subservience of public to private interests in the intelligence-contracting industry, an industry that specifically “serves the needs of government and its intelligence apparatus.” Shorrock writes, “In the past, Minihan said, contractors ‘used to support military operations; now we participate [in them]. We’re inextricably tied to the success of their operations.’ ” Naomi Klein, The Shock Doctrine: The Rise of Disaster Capitalism (New York: Henry Holt and Company, 2007); and Tim Shorrock, Spies for Hire: The Secret World of Intelligence Outsourcing (New York: Simon & Schuster, 2008).

  13: A ZERO DAY NO MORE

  1 In the aftermath of the 2011 revolution: The chaos that followed the collapse of regimes in Egypt and Libya helped pry open secretive security apparatuses, revealing the extent of their international linkages. See Steve Ragan, “Report: U.K. Firm Offered IT Intrusion Tools to Egyptian Government,” Tech Herald, April 27, 2011, http://www.thetechherald.com/articles/Report-U-K-firm-offered-IT-intrusion-tools-to-Egyptian-government; Karen McVeigh, “British Firm Offered Spying Software to Egyptian Regime – Documents,” Guardian, April 28, 2011, http://www.guardian.co.uk/technology/2011/apr/28/egypt-spying-software-gamma-finfisher; Matt Bradley, Paul Sonne, and Steve Stecklow, “Mideast Uses Western Tools to Battle the Skype Rebellion,” Wall Street Journal, June 1, 2011, http://online.wsj.com/article/SB10001424052702304520804576345970862420038.html; and Mikko Hyppönen, “Egypt, FinFisher Intrusion Tools and Ethics,” F-Secure, March 8, 2011, https://www.f-secure.com/weblog/archives/00002114.html. See also John Scott-Railton, Revolutionary Risks: Cyber Technology and Threats in the 2011 Libyan Revolution, CIWAG Case Studies Series, forthcoming, 2013.

  2 Among the brochures in the “Spy Files”: The “Spy Files” can be accessed at “The Spy Files,” WikiLeaks, http://wikileaks.org/the-spyfiles.html. See Ronald Deibert, “Big Data Meets Big Brother,” Privacy International, November 30, 2011, https://www.privacyinternational.org/opinion-pieces/big-data-meets-big-brother.

  3 a glimpse into a vast labyrinth and arms race in cyberspace: The Citizen Lab, led by Morgan Marquis-Boire, has found a growing commercial market for offensive computer network intrusion capabilities developed by companies in Western democratic countries. See “Backdoors are Forever: Hacking Team and the Targeting of Dissent?,” October 10, 2010, https://citizenlab.org/2012/10/backdoors-are-forever-hacking-team-and-the-targeting-of-dissent/; “The SmartPhone Who Loved Me: FinFisher Goes Mobile?,” August 29, 2012, https://citizenlab.org/2012/08/the-smartphone-who-loved-me-finfisher-goes-mobile/; and “From Bahrain With Love: FinFisher’s Spy Kit Exposed?,” July 25, 2012, https://citizenlab.org/2012/07/from-bahrain-with-love-finfishers-spy-kit-exposed/. FinFisher’s FinSpy brochure is available at FinSpy: “Remote Monitoring and Infection Solutions,” http://wikileaks.org/spyfiles/docs/gamma/289_remote-monitoring-and-infection-solutions-finspy.html.

  4 “The cyber domain of computers and related electronic activities …”: Nye describes the characteristics of cyberspace that lend the domain to arms racing in Joseph S. Nye, “Cyber War and Peace,” Al-Jazeera, April 21, 2012, http://www.aljazeera.com/indepth/opinion/2012/04/201241510242769575.html.

  5 In 2011, the German hacker collective, Chaos Computer Club: The Chaos Computer Club’s discovery of the “State Trojan” has been documented in “Chaos Computer Club Analyzes Government Malware,” Chaos Computer Club, October 8, 2010, http://www.ccc.de/en/updates/2011/staatstrojaner; Elinor Mills, “Trojan Opened Door to Skype Spying,” CBS News, October 10, 2011, http://www.cbsnews.com/2100-205_162-20118260.html; Bob Sullivan, “German Officials Admit Using Spyware on Citizens, As Big Brother Scandal Grows,” NBC News, October 11, 2011, http://redtape.nbcnews.com/_news/2011/10/11/8274668-german-officials-admit-using-spyware-on-citizens-as-big-brother-scandal-grows?lite; and Bob Sullivan, “Chaos Computer Club: German Gov’t Software Can Spy on Citizens,” NBC News, October 8, 2011, http://redtape.nbcnews.com/_news/2011/10/08/8228095-chaos-computer-club-german-govt-software-can-spy-on-citizens?lite.

  6 a Bangkok middleman: Andy Greenberg profiled “The Grugq” and the exploits market in “Shopping For Zero-Days: A Price List For Hackers’ Secret Software Exploits,” Forbes, March 23, 2012, http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/.

  7 One of the few companies not afraid to speak out: For more information on VUPEN, see Andy Greenberg, “Meet the Hackers Who Sell Spies the Tools to Crack Your PC (And Get Paid Six-Figure Fees),” Forbes, March 21, http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-who-sell-spies-thetools-to-crack-your-pc-and-get-paid-six-figure-fees/. See also Greenberg’s, “New Grad Looking For a Job? Pentagon Contractors Post Openings For Black-Hat Hackers,” Forbes, June 15, 2012, http://www.forbes.com/sites/andygreenberg/2012/06/15/new-grad-looking-for-a-job-pentagon-contractors-post-openings-for-black-hat-hackers-2.

  8 a service offered by one U.S. company, Endgame: Endgame is extensively profiled in Michael Riley and Ashlee Vance, “Cyber Weapons: The New Arms Race,” Business Week, July 20, 2011, http://www.businessweek.com/magazine/cyber-weapons-the-new-arms-race-07212011.html.

  9 Hacking Team: The use of Hacking Team products is detailed in Vernon Silver, “Spyware Leaves Trail to Beaten Activist Through Microsoft Flaw,” Bloomberg News, October 10, 2012, http://www.bloomberg.com/news/2012-10-10/spyware-leaves-trail-to-beaten-activist-through-microsoft-flaw.html; and Nicole Perlroth, “Ahead of Spyware Conference, More Evidence of Abuse,” New York Times, October 10, 2012, http://bits.blogs.nytimes.com/2012/10/10/ahead-of-spyware-conference-more-evidence-of-abuse/.

  10 the NSA partners with “cleared” universities to train students: The phenomenon of cyber-ops courses in universities in the United States is profiled in “Exclusive: Spy Agency Seeks Cyber-ops Curriculum,” Reuters, May 22, 2012, http://ca.reuters.com/article/technologyNews/idCABRE84L12T20120522?pageNumber=1&virtualBrandChannel=0.

  11 Privacy International has identified at least thirty British companies: See Jamie Doward and Rebecca Lewis, “UK Exporting Surveillance Technology to Repressive Nations,” Guardian, April 7, 2012, http://www.guardian.co.uk/world/2012/apr/07/surveillance-technology-repressive-regimes.

  12 In August 2011 a French company, Amesys: See Margaret Coker and Paul Sonne, “Firms Aided Libyan Spies,” Wall Street Journal, August 30, 2011, http://online.wsj.com/article/SB10001424053111904199404576538721260166388.html.

  13 In July 2011, the Washington Post reported on a U.S. Air Force contract solicitation: Detailed in Walter Pincus, “U.S. Plans to Provide Iraq with Wiretapping System,” Washington Post, July 30, 2011, http://www.washingtonpost.com/world/national-security/us-plans-to-provide-iraq-with-wiretapping-system/2011/07/26/gIQAGexvjI_story.html.

  14 Swedish television producers uncovered a huge surveillance market: In May 2012, the Swedish news show Uppdrag Granskning uncovered the links between TeliaSonera and Central Asian governments. See Eva Galperin, “Swedish Telcom Giant Teliasonera Caught Helping Authoritarian Regimes Spy on Their Citizens,” Electronic Frontier Foundation, May 18, 2012, https://www.eff.org/deeplinks/2012/05/swedish-telcom-giant-teliasonera-caught-helping-authoritarian-regimes-spy-its.

  15 Bloomberg concluded that the technology: Ben Elgin, Alan Katz, and Vernon Silver reported that Ericsson, Creativity Software, and AdaptiveMobile had been providing surveillance equipment to the government of Iran in “Iranian Police Seizing Dissidents Get Aid of Western Companies,” Bloomberg News, October 30, 2011, http://www.bloomberg.com/news/2011-10-31/iranian-police-seizing-dissidents-get-aid-of-western-companies.html.

  16 Nokia Siemens Networks faced an international: In August 2011, it was reported that Bahraini dissidents arrested by authorities were presented with transcripts of their own text messages during interrogations, and the capacity to intercept the text messages was acquired through equipment from Nokia Siemens Networks, based in Finland, and trovicor, a German company. See Ben Elgin and Vernon Silver, “Torture In Bahrain Becomes Routine With Help From Nokia Siemens,” Bloomberg News, August 22, 2011, http://www.bloomberg.com/news/2011-08-22/torture-in-bahrain-becomes-routine-with-help-from-nokia-siemens-networking.html.

  17 “… information technology, unlike bombs or tanks, is fundamentally multi-purpose in nature …”: The issue of how to control the digital arms trade is contentious. For differing views, see Milton Mueller, “Technology As Symbol: Is Resistance to Surveillance Technology Being Misdirected?” Internet Governance Project, December 20, 2011, http://www.internetgovernance.org/2011/12/20/technology-as-symbol-is-resistance-to-surveillance-technology-being-misdirected; and Member of the European Parliament Marietje Schaake’s proposal, detailed in “European Parliament Endorses Stricter European Export Control of Digital Arms,” October 23, 2012, http://www.marietjeschaake.eu/2012/10/ep-steunt-d66-initiatief-controle-europese-export-digitale-wapens. In November 2012, the United States Department of State issued a guidance document that attempted to clarify under what conditions companies might violate restrictions on the export of “sensitive technologies” to countries like Iran and Syria, which can be found at: https://www.federalregister.gov/articles/2012/11/13/2012-27642/department-of-state-state-department-sanctions-information-and-guidance#h-10. See also Ben Wagner, Exporting Censorship and Surveillance Technology (The Hague: Hivos, 2012).

  14: ANONYMOUS: EXPECT US

  1 Epigraph: Lewis Mumford, The Pentagon of Power: The Myth of the Machine, Vol. II (New York: Harcourt Brace Jovanovich, 1974). Mumford’s Pentagon of Power is a major influence on my thinking about political resistance and technology. I assigned it as the standard text to my graduate seminar on the Politics of Planetary Surveillance, taught at the University of Toronto from 1997 to 2004.
