Platt Perspective on Business and Technology

From stuxnet to heartbleed – the operational side of national cybersecurity and its issues 3

Posted in business and convergent technologies, in the News by Timothy Platt on October 6, 2014

This is my 18th installment in an occasional series on international cyber-security and the changing nature of the threats faced and the responses offered to them (see Ubiquitous Computing and Communications, postings 58 and loosely following for Parts 1-15, and Ubiquitous Computing and Communications – everywhere all the time 2, posting 296 and following for Parts 16 and 17).

More specifically, this posting is a direct continuation of the above-cited Part 16 and Part 17, where I began to focus on the operational side of cyber-security in the United States’ War on Terror. See my series Learnable Lessons from Manning, Snowden and Inevitable Others, as can be found at Ubiquitous Computing and Communications – everywhere all the time 2, postings 227 and following for its Parts 1-27, for a fuller discussion of the surveillance and cybersecurity programs that are being pursued as core elements of this war, and of the overall strategy and doctrine that drive them.

My focus here and in this series, and certainly as it connects with that larger-scale discussion, is more tactical and operational. And as an organizing outline for what I would at least begin discussing here, I listed four points towards the top of Part 17:

• “I am going to discuss the issues of sources and methods, and why it is so important to safeguard them.
• “And then I will discuss the use of zero-day attack vulnerabilities as closely held national intelligence secrets.
• “And in that, I will discuss both stuxnet with its four until then publicly unknown zero-day attack vulnerabilities, and heartbleed as a newly publicized zero-day vulnerability.
• “And in this collective context, I will explicitly discuss the impact that the surveillance programs outed by Edward Snowden have had on telecommunications companies and on online businesses in general for their being publicly disclosed.”

I have already at least preliminarily discussed the first of those points in Part 17, and I turn to the second of them here: how the United States National Security Agency (NSA), other elements of the Department of Homeland Security, and, I would add, other national intelligence-gathering agencies collect and use information regarding zero-day attack vulnerabilities. I begin with a working example, now publicly known to have been developed and launched through multinational participation by an NSA-led program known as Operation Olympic Games: stuxnet. (See Stuxnet – a more detailed analysis of its code and update on this still unfolding story for a brief discussion of its underlying programming code, and for background material specifically relevant to this discussion.)

Stuxnet was developed and launched with the explicit goal of slowing down, and at least temporarily stopping, Iran’s then still embryonic but growing nuclear weapons development program. This computer worm was built quite specifically to infiltrate and catastrophically disrupt the supervisory control and data acquisition (SCADA) system in place for operating the arrays of uranium enrichment centrifuges that the Iranian government was running in its quest for bomb-grade fissile material.

A great deal was already known about precisely what types of uranium enrichment centrifuges the Iranians had purchased and final-assembled. They were of a standard design whose operational parameters were immediately known, down to details such as how rapidly they could spin during safe, normal operation. And just as importantly, a great deal was known as to what types of Honeywell manufactured SCADA computers were in use, and what their operating systems and critical software builds consisted of at the code level. As a special, if ironic, acknowledgment of all of that, I have to note that many of the key details were at least verified by Iran’s then president, Mahmoud Ahmadinejad, when he personally led a group of reporters and photographers through his main enrichment facility and let them take pictures of all of the equipment and publish them. But that is another story. The key point here is that anyone who would seek to block or disrupt this program had access to information on precisely where it might be vulnerable, and certainly to cyber-attack on the industrial control systems that regulated the functioning of those centrifuges.

The SCADA system computer networks that were targeted were protected by standard anti-malware software, but more importantly they were protected by what was up to then considered a fundamentally impervious form of firewall barrier: their network was self-contained and physically disconnected from the internet as a whole, with an air gap between its points of possible outside network connection and any other computers or systems that might connect to it. And this specifically brings me to the second bullet point from the Part 17 list that I would address here:

• “And then I will discuss the use of zero-day attack vulnerabilities as closely held national intelligence secrets.”

It is unusual to find even one completely new, up to then unknown vulnerability in use in a piece of malware: a single zero-day attack vulnerability. Significant new vulnerabilities of this sort generally arise and become known only a small number of times per year. The vast majority of malware simply seeks out systems that have not been updated to protect themselves from already known vulnerabilities, and even from vulnerabilities with a rich and long historical record. Single-new-vulnerability malware packages do show up, though, and are not necessarily seen as remarkable for that, since so many of the software systems they target are so complex that it is essentially impossible to prevent the creation and release of at least some critical unknown vulnerabilities in them. Malware that identifies and capitalizes on two brand new zero-day attack vulnerabilities at once is almost unheard of. Stuxnet had code that was designed to exploit four of them simultaneously. To repeat a brief bullet point list from my above-cited stuxnet code analysis posting, these in brief consisted of:

• One that helped it to specifically target computer networks that use shared printers,
• One that specifically facilitated its spread through their USB ports,
• One to escalate Stuxnet’s privileges, giving it greater networked computer access and control, and
• One more that allowed it to take over any computer it was introduced into.

Much of stuxnet was in fact written specifically to exploit vulnerabilities in Honeywell SCADA systems, which this overall package did quite successfully. But to pick up on one of these four new vulnerabilities as a working case in point of some relevance here: the core security vulnerability exploited for compromising USB ports was of general, and even essentially universal, applicability for computers and computer networks everywhere.

NSA and their partners in this venture, both within the United States national intelligence system and in partner agencies from other governments, knew of this critical systems vulnerability. They knew the range of risk that individuals, businesses and even entire governments might face from it as others found it and began exploiting it for more overtly criminal use, as opposed to holding it aside for national defense purposes. And they remained silent. They did not, for example, confidentially warn computer software manufacturers or software security businesses or organizations.

And this of course brings me back to the issues that I raised and discussed in Part 17 of this series, where I wrote of protecting methods and sources. NSA’s leadership and their governmental overseers saw more value in retaining this as confidential, as a potential source of exploitable vulnerability for either covert surveillance or, in the case of stuxnet, more direct action. And this approach works – until word gets out that a government was intentionally sitting on a known widespread computer security vulnerability, and that individuals and businesses were damaged as others avoidably came to learn of and exploit it too. I am not pointing fingers here, simply acknowledging that arguments for real need can be made either way. But when a known vulnerability of potentially widespread impact is unearthed this way, and it is found that a national government has helped to keep it a zero-day attack vulnerability for a considerable period of time, that creates what at the very least could be seen as a public relations problem. And this brings me to the second such vulnerability issue that I name in the title of this posting: heartbleed.

Heartbleed is a critical systems vulnerability in one of the most commonly used secure online transaction protocols in use globally, relied upon for business and other monetary transactions and for confidential transactions of all sorts. Heartbleed represents a massive security vulnerability in one of the key components of online security as a whole, and certainly at the network connectivity level. NSA, it turns out, was very aware of this vulnerability for well over a year before it became publicly known in April 2014. Given the context in which this fact became known, that of its becoming public knowledge in the midst of ongoing revelation of a host of open-ended computer and telephone systems surveillance programs, this new revelation came out as a public relations nightmare, and as a fundamental violation of public trust.

Did keeping this vulnerability secret help to identify and break into otherwise secure terrorist or other threat-positive conversations and contribute to our overall national security? That is possible, but it is also unlikely, if for no other reason than the same reason an open-ended surveillance program like PRISM or XKeyscore is so unlikely to unearth specific terrorist threats: any data of real, time-sensitive, here-and-now actionable value gleaned through it would arrive mixed in with, and hidden by, a tidal wave of everything else brought in under similar surveillance measures. But protecting methods and sources – an argument might still be made for at least retaining confidential hold over this vulnerability for some well-considered period of time, with the boundaries of that timeframe kept under active discussion and review. None of that happened here.

I am going to continue this discussion in the next series installment, turning there to the last remaining bullet point of my Part 17 list, having already discussed point three here:

• “And in that, I will discuss both stuxnet with its four until then publicly unknown zero-day attack vulnerabilities, and heartbleed as a newly publicized zero-day vulnerability.”

Point four, and the topic for Part 19 of this series, will be:

• “And in this collective context, I will explicitly discuss the impact that the surveillance programs outed by Edward Snowden have had on telecommunications companies and on online businesses in general for their being publicly disclosed.”

Meanwhile, you can find this posting and related postings at Ubiquitous Computing and Communications – everywhere all the time and at its Page 2 continuation.
