What are Flame and Stuxnet and why should I care?

There has been much discussion in the popular press of late about something called Flame and something called Stuxnet, especially with regard to national security. However, many people do not understand what they are or why they are so troubling. Both are “computer worms”, which, like viruses, are malicious programs that run on your computer without your consent. The difference between a “worm” and a “virus” has to do with how they spread. A virus attaches itself to some other program or file; it runs only when a user runs the infected program (unintentionally running the virus along with it), and it spreads when that file is copied or shared. A worm, on the other hand, copies itself and moves from machine to machine across a network (such as the Internet) without waiting for anyone to run it. Worms are usually designed not only to spread but also to make specific changes to the computers they reach, including taking control of all or part of the machine. The key point is that either kind of malware can do real damage to the system.

First, let’s talk about Stuxnet. You may have heard about this one in 2010, when it was reported that there had been a cyberattack on Iranian uranium-enrichment centrifuges. The worm was introduced into the Iranian enrichment facility (people in the know think it arrived on a thumb drive), and it took control of the facility’s industrial control system. A control system manages and regulates the machinery under its control so that human operators (often quite far away) can read sensors and other information about the system and make adjustments. In this case, the facility being monitored was Iran’s uranium-enrichment plant. The worm changed the instructions sent to the uranium-enriching centrifuges so that they spun at speeds well beyond their tolerances, while the readings shown to the operators continued to look normal. The centrifuges were damaged as a result.

You might ask how the worm could have done that. The programmers of the worm found vulnerabilities in the software that runs the control system: Stuxnet used previously unknown flaws in Windows to spread from machine to machine, and then used the same engineering software the plant’s own staff used to load its own logic onto the Siemens programmable logic controllers (PLCs) that drive the centrifuges. It is the same process by which attackers exploit bad programming in an operating system to get viruses onto our computers.

The worm caused so much damage to the facility that it set back Iran’s nuclear program. At the time there was speculation that it had originated in the United States and Israel, but there was no public evidence to back up that claim.

It is beyond the scope of this blog to discuss who was behind it and their motives. However, it is important to note that malware can get into a physical facility, such as a power plant, a water treatment plant or another public utility. These are things we have taken for granted as protected and safe. However, The Washington Post reported that:

A recent examination of major control systems by six hacker-researchers working with the security firm Digital Bond found that six of seven devices in the study were riddled with hardware and software flaws. Some included back doors that enabled the hackers to download passwords or sidestep security completely.

In fact, according to The Washington Post,

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

Further, they note,

A researcher at Cambridge University, Eireann Leverett, used Shodan to identify more than 10,000 control computers linked to the Internet, many of them with known vulnerabilities. Leverett concluded that many operators had no idea how exposed they were — or even realized that their machines were online.

Last week the press identified a new worm found in Iran called Flame. It seems to be primarily surveillance malware: it can turn on a computer’s microphone, copy data, record what people are doing on the computer and, by scanning for nearby Bluetooth devices, perhaps even gather information from nearby cell phones. It was found on computers in the Iranian oil industry and had reportedly been attaching itself to systems that control rigs and other equipment. Once it was detected, the Iranian government disconnected those facilities from the Internet. It has also created its own task force to combat these attacks and says it intends to build its own national network in place of the Internet. The same worm has been found in the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

Although the two worms have different purposes, experts are not sure they are unrelated. They spread in similar ways, and analysts say that the style of programming is similar in both. Yes, there are styles of programming just as there are styles of writing: a literary expert can explain why a poem by Emily Dickinson would never be mistaken for a passage by James Joyce. A computer expert can see similarities in programming in how things are named, how the code flows, and how the different parts of a program are hooked together. Beyond style, analysts report finding a chunk of code that is shared between Stuxnet and Flame. All of this suggests a common origin.

What is the take-away for us? All of this mischief has put a spotlight on the fact that we, as a society, depend on computers for much more than the business and recreational uses we usually discuss. Everything from the car you drive to the utilities you rely on is controlled by computers. And where there are computers, there are people contemplating ways of breaking them. Most of these controllers were invisible to the average user, so they attracted little attention from attackers. That also meant that their manufacturers often put little effort into building security into them. Now that they have the attention of attackers, companies are scrambling to protect their controllers. Otherwise, we may be in for some rough times ahead from malicious or inadvertent attacks on our infrastructure.

To WiFi or Not to WiFi ….

We have all walked into our favorite Starbucks, Panera, hotel or other public place and connected to the free WiFi network.  It is convenient, easy and free.  Why wouldn’t you connect?  There is always a risk on a public WiFi network that other people can read your traffic and track your searches.  Yes, they can: on an open network (one that does not use WiFi encryption, which is typical of free hotspots), anything your computer sends that is not already encrypted by the website is broadcast over the air, and anyone in range with ordinary packet-capture software can read it.  But there is an additional concern this summer.  According to Private:  Your Online Privacy Source,

This month, the FBI’s Internet Crime Complaint Center issued a stark warning to travelers:  If you use hotel Wifi hotspots abroad, you could get burned.  The alert says cybercriminals are targeting travelers abroad using pop-up windows that appear while they are trying to connect to the Internet through hotel Wifi.  The pop-ups tell hotel guests that they need to update a widely used software product.  But when they click to install it, what they get instead is malware on their laptops.

So, what can you do? Follow your normal security procedures: install all software updates before you travel, and download updates only directly from the vendor’s own site (never from a pop-up, and never by clicking a link in an email). You will then be better prepared. You should also block pop-ups, because that is how these criminals advertise the software they want you to download.

In addition, if you use free WiFi spots, it is a good idea to use a Virtual Private Network (VPN).  The VPN encrypts all of your traffic between your computer and the VPN provider, so anyone intercepting it at the hotspot sees only gibberish.  (It does not protect you from a malicious “update” you choose to install, and your traffic is decrypted again at the provider’s end, so you still need to trust the provider.)  Without the VPN, anything not already encrypted by the website itself is sent in the clear, and someone with the right tools and abilities could intercept it and use it for whatever purpose.  The Private article recommends using PRIVATE WiFi™.

Don’t ruin your vacation because you neglected security!

Facebook Privacy — Vote Now

Social networking sites pose a threat to the privacy of every individual.  We love the sites because they allow us to share information and photos easily with our friends and family.  Many people also learn to hate the sites because their information is suddenly used in ways they did not know were possible.  I have written before about the need to lock down your privacy settings in social networking sites, especially in Facebook.

Facebook is about to change its privacy policies, and it is allowing users to help decide what to do.  In May Facebook proposed privacy changes and included this statement:

Opportunity to comment and vote Unless we make a change for legal or administrative reasons, or to correct an inaccurate statement, we will give you seven (7) days to provide us with comments on the change. If we receive more than 7000 comments concerning a particular change, we will put the change up for a vote. The vote will be binding on us if more than 30% of all active registered users as of the date of the notice vote.

That 30% hurdle is pretty significant, but you should still voice your opinion by voting on the referendum by June 8 at 9:00pm (PDT).  To do this, go to https://www.facebook.com/fbsitegovernance/app_130362963766777.  On that page there are four documents to consider: the current Statement of Rights and Responsibilities (SRR), the current Data Use Policy, the proposed SRR, and the proposed Data Use Policy.   Clearly, the proposed documents do not tighten the protection of your data.  Instead, they outline how Facebook will increasingly use more of your data in ways you did not intend.

While it is not clear that voting will make a difference, I suggest you vote BEFORE June 8.  I voted to keep the current documents and hope you will too.

A Sobering View of the Absence of Privacy

It has been said that a picture is worth a thousand words, and so it is with a view of privacy.   There has been much discussion in the press of late about the change in Google’s privacy policy and how it will expand Google’s ability to track everything about us.  That all by itself is troubling.  But it is not only Google that wants to know how you search; so too do other organizations with which you do business.  To learn just how much of my behavior is being recorded, I installed the new Firefox add-on called Collusion.  The whole purpose of Collusion is to help you see who is tracking you, in real time.  According to their website, Collusion “shows, in real time, how that data creates a spider-web of interaction between companies and other trackers.”

There are two handy tools provided: wonderful visualizations (which we will discuss in a moment) and an audio cue whenever information about your surfing is being shared.  The audio cue is a clicking sound that resembles a typewriter key striking the paper.  I recommend you turn it on for a while, because it quickly makes you aware of just how much information is being shared.   The constant clicking when you select a link, and even when you are not using your browser but have a page open that refreshes itself, helps to sensitize you to the amount of information being shared.  After a while it gets annoying, so remember how to turn it off too!

Now for the visuals.  I downloaded the application and began to do some surfing.  The map of the information sharing is shown below.

The visualization is interesting.  The circles with halos represent sites you have visited during your surfing, while the gray circles are sites you have not visited.  An arrow from one to the other indicates that, while you were on the first site, data went to the second one: the first site’s page loaded content from the second site, and the second site set or read a third-party cookie in your browser.  I recognize some of the icons, like Blogger, LinkedIn, Adobe, Facebook, MSNBC, and Northwestern University.  Others have no icons, or they are not ones familiar to me.

If you hover over any of the circles, you will get the URL for the site (for example as I hover over the Facebook logo, I see facebook.com).  In addition, it will highlight all of the connections to and from that site.  So, I see that Facebook sent third party cookies to bit.ly, cbs.com, and reference.com.  I also see that cbs.com sent third party cookies to facebook.com.

I was surprised by the number of hits and the links between them, because I am careful about not accepting cookies from sites that I do not know.  So I decided to clear all of my cookies and surfed some more.  The number of hits went down for a while, as shown below.

Another View of Surfing Behavior with Collusion

Things were a little better, but notice how much information is still being shared even after the cookies were cleared.  That is because websites embed scripts, images and widgets from third parties, and every page that loads them sends those third parties a request (and lets them set a fresh cookie) whether or not you had one of their cookies before.

After a few hours of surfing by my husband or myself, the map looked like:

A Map of Surfing for a Few Hours using Collusion

And, after an entire weekend, the map looked like:

The Data Collection from A Weekend of Surfing with Collusion

If you did not think people were watching your behavior before, this image should convince you.  Further, the links between the sites, where they now hold data about you jointly, begin to paint a picture of who you are, what they might do to get or keep your business, and how they can sell your data to others who want to market to you.

The creators of Collusion recognize that the tool is a work-in-progress.  The website says they are working on adding more features, such as the ability to click on any node in the graph and tell Firefox to block third-party cookies to that site, and visualizing other methods of tracking besides third-party cookies.

Using Collusion was an eye-opening experience.  I am looking forward to that add-on that allows us to block these third-party cookies.  What I do is private, right?

Whitney Houston and Rogue Browser Plugins

The sad news of Whitney Houston’s untimely death has brought yet another scam to Facebook.    Some people take advantage of the public’s insatiable appetite for news about public figures and turn it into a scam.

According to MSNBC,

Houston, 48, was found unconscious and submerged in a bathtub in her room at the Beverly Hills Hilton in Beverly Hills, Calif., Saturday afternoon. An autopsy was performed, but Los Angeles assistant chief coroner Ed Winter said on Monday that a cause of death will not be announced until the results of toxicology tests are received, which could take weeks.

Yet, today, there appeared


There are those who are curious, or who want to be the first to know the news, who will click on this.  That will, of course, cause the message to appear in their friends’ news feeds as well.  In addition, the user will get a message that an update of the YouTube player needs to be installed.  Allowing this actually installs a rogue browser plugin.   It is not clear to me what this plugin does, but you can be sure it is not a good thing!

In the real world, this is comparable to letting strangers into your home.  Suppose a shady-looking person knocks on your front door.  You are not expecting anyone, and the person has no identification from a legitimate organization, but he or she offers to tell you something about a public figure.  Would you let them into your home?  Probably not.  So why let them into your virtual home?

Although the temptation is there, do not click on messages such as this.   If you clicked on it, never ever install anything unless it comes from a known and reliable source.

Instead try checking your favorite news source;  they will not be far behind on getting a real story.  As I have said before, search on the topic (in this case Houston’s autopsy) and see if others have found out (the hard way) that this is a problem.  If you see it in your feed, go to the right where there is the downward facing arrow and hide the story so others cannot see it.  Or, you can report it as spam.

If you have made the mistake of clicking through, then clean your machine: update your virus and malware protection and run a full scan, and uninstall the new plugin from the browser.  And if a friend shares the story about the autopsy, be sure to tell them that it is not real.

We must all become more “street smart” about our use of the Internet.  Not everyone on the Internet has noble purposes.

Man-in-the-Browser and Financial Transactions Security

Online banking makes paying bills and transferring money easy and fast.  But are you sure that you are protecting yourself and your money?  What would you do in the “real world”?  First, you would want to make sure you were really at the bank, and that it is open.  You  would want to hand your checks and money to an official teller and get receipts of all of your transactions.  In addition, you would probably get fairly suspicious if someone were looking over your shoulder or if you had to conduct your business through a third party (not someone who works for the bank).  You would be wise to ensure that your records were accurate and that no one was stealing your signature or banking documents.

If we are going to take advantage of the benefits of online banking, we need to translate those practices into the virtual world.  First, you should have a unique and strong password for your banking account.  If you are not sure how to create a strong password, look at my previous post on the topic.  Second, avoid using a public computer for online banking, because it might have software installed to log your keystrokes or to remember your passwords without your permission.  Third, keep information about your account and password secret.  Fourth, of course, always run up-to-date virus and malware protection to ensure that your computer is doing what you intend.  Your bank may offer additional software and/or devices that add security to your transactions.  Fifth, update your operating system and browser as recommended, especially if you use Windows and/or Internet Explorer.  Both products have features that are often

Even if you follow safe computing practices, you may still be at risk thanks to a kind of trojan (a program that pretends to be something useful while doing something malicious) called a “Man-in-the-Browser” (or MitB) trojan.  Rather than running as a separate program you might notice, the trojan installs itself inside your browser, as an add-on or helper component, without your knowledge.  From there it can read and rewrite web pages after the browser has decrypted them and before they are displayed, so the padlock icon and the bank’s encrypted connection offer no protection against it.  The MitB alters what the user and the bank see during the transaction: the bank receives different instructions from the ones you typed (for example, a different payee or a different amount), and the confirmation page is edited so that you see the numbers you expected.  It might transfer money to another account and you might not be aware that it happened.

Your virus protection examines the software on your computer by comparing it to known problems and by watching for peculiar behavior.  Just as police compare fingerprints and, now, DNA samples to evidence at the scene of a crime, your virus protection compares strings of bytes in programs to those known to belong to viruses, malware and trojans.  If that does not identify the perpetrator, investigators look for people who are behaving strangely; likewise, the virus protection watches programs for unusual activities, like copying themselves, growing quickly, or accessing many services on the computer.  Generally these strategies work well.  However, MitB trojans are particularly difficult to detect, since their authors repackage them so often that the same trojan appears with a new appearance and behavior tens of thousands of times each day, and a signature written for one variant does not match the next.   A particularly good (and easy to understand) description of this phenomenon was aired on BBC News.  Since they are hard to detect, it might take some time before your virus protection recognizes that there is a problem, and by then it might be too late.

There are some warning signs for this kind of problem.

  • If it takes your computer longer to process requests
  • If your financial transactions take longer than normal
  • If you are asked for more information than normal during your financial transaction, especially if you are asked for passwords or sensitive information such as social security numbers.

What do you do if you experience one or more of those symptoms?  Call your bank as soon as possible and give them the date and time of the transaction.  Do not email your bank, because the same software that interferes with your transaction may interfere with, or read, your mail.  Your bank may have monitoring software that catches and blocks unusual transactions to protect you, so you may not have a problem.   If you do, you will have to rely on your bank’s policy as to how much you are responsible for.

Facebook Applications

Did you know that no one reviews applications before they are made available on Facebook?  Most people think that if an application runs on Facebook it was vetted somewhat, or that it is at least reliable.  Unfortunately, that is not true.  Anyone can write an application with any mission in mind.  Once you give it access to your data, the developer has your data and can do with it what they want.

Clearly there are multiple kinds of applications developed.  Some are developed by people who enjoy programming and want to develop something to show that they can program (many of these people are looking for jobs and putting it on their resumes).  Others have developed applications for themselves, and share it out of kindness.  These seem like harmless enough purposes, and they may well be.  However, if they are not good at programming they may inadvertently cause negative things to occur.    Then there are the people who just want to cause problems, or who want to collect information for nefarious purposes, or who are trying to scam users.

Does that mean you should never use Facebook Applications?  Certainly not.   Some of them are quite useful, or quite fun and should be used.  But, you need to protect yourself.  You could adopt what has been identified as “Sauter’s First Law of Computing” — never be the first to adopt new computing (hardware or software).  Let someone figure out how to solve the problems first!  (An associated lemma says not to adopt new computing alone … always have a friend who can help you solve unanticipated problems.)  Sometimes that is not possible, or sometimes you just don’t want to make your friends into guinea pigs.

You could first search Google for the name of the application and see what turns up about it.  Or go to Facecrooks to see whether they have a notice about problems with the application, or check the Facebook Security page.  You can also go to the application’s own Facebook page and look for information.  Click on the “information” tab: is there a description, and does it tell you who developed it?  If so, check the developers’ reputation.  Check the number of users; you do not get extra points for being the first.  Read the reviews of the application to learn about the experiences of other users.  Think about the information to which they want access: does it make sense, or are they asking for more than they should really need to see?  Think about the benefit of the application: is there enough advantage to make it seem reasonable?

As I have said before, use the same “common sense” in the Facebook world that you would use in real life.  Do not assume anyone else will protect you, but rather be a wise consumer of computing.
