What are Flame and Stuxnet and why should I care?


There has been much discussion in the popular press of late about something called Flame and something called Stuxnet, especially with regard to national security. However, many people do not understand what they are and why they are so troubling. Basically, both of these are “computer worms” which, like viruses, attempt to perform malicious acts on your computer. The difference between a “worm” and a “virus” really has to do with how they are propagated. Computer viruses are a type of malware that generally deletes or changes files. They must be permitted to execute code and write to memory, and so generally attach themselves to some program; when the user runs the program, he or she also runs the virus (unintentionally). A worm, on the other hand, can self-replicate and move through a network (like the Internet). Generally worms are designed not only to spread, but also to make specific changes to the computer, including taking control of all or part of the computer. The key thing to understand is that the worm can cause damage to the system.

First, let’s talk about Stuxnet. You may have heard about this one in 2010 when it was reported that there had been a cyberattack on Iranian uranium-enrichment centrifuges. This worm had been introduced into the Iranian nuclear processing facility (people in the know think it was introduced on a thumb drive), and it took control of the control system. A control system manages and regulates the machinery under its control, so that humans (often quite far away) can read sensors and information about the system and make adjustments. In this case, the facility being monitored was Iran’s nuclear processing facility. The control system sent messages to uranium-enriching centrifuges to spin at speeds well beyond their tolerances. Obviously, the centrifuges were then damaged.

You might ask how the worm could have caused that problem. Well, the programmers of the worm found vulnerabilities in the computer programs that run the control system. It is the same process by which programmers exploit bad programming in the operating system so that our computers can get viruses.

The worm caused so much damage to the facility that it has set back the nuclear program in Iran. At the time, there was discussion that it might have originated in the United States and Israel, but there was no evidence to back up that claim.

It is beyond the scope of this blog to discuss who was behind it and their motives. However, it is important to note that malware can get into physical facilities, such as power plants, water treatment facilities and other public utilities. These are things we have taken for granted as protected and safe. However, The Washington Post reported that:

A recent examination of major control systems by six hacker-researchers working with the security firm Digital Bond found that six of seven devices in the study were riddled with hardware and software flaws. Some included back doors that enabled the hackers to download passwords or sidestep security completely.

In fact, according to The Washington Post,

Uncounted numbers of industrial control computers, the systems that automate such things as water plants and power grids, were linked in, and in some cases they were wide open to exploitation by even moderately talented hackers.

Further, they note,

A researcher at Cambridge University, Eireann Leverett, used Shodan to identify more than 10,000 control computers linked to the Internet, many of them with known vulnerabilities. Leverett concluded that many operators had no idea how exposed they were — or even realized that their machines were online.

Last week the press identified a new worm deployed in Iran called Flame. This seems to be primarily surveillance malware that allows someone to turn on microphones, look at data, track what people are doing on a computer, and perhaps even listen to nearby cell phone conversations. This worm was deployed to the Iranian oil industry and was attaching itself to control systems for the rigs and other equipment. It was detected and the Iranian government has unplugged those facilities from accessing the Internet. It has also created its own task force to combat these attacks and claims it intends to build its own Internet. This same worm has been found in the Palestinian territories, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.

While the worms seem different, experts are not sure. They both move in the same fashion. In addition, computer experts say that the style of programming is similar between the two. Yes, it is true that there are styles of programming just as there are styles of writing. An expert can tell the reasons Emily Dickinson’s works are not confused with those of James Joyce. A computer expert can tell similarities in programming by how things are named, how they flow, and how different parts of the programs are hooked together. Worse yet, these experts claim to have found code that was apparently taken directly from Stuxnet and put in Flame. All of those suggest similar authors.

What is the take-away for us? All of this mischief has put a spotlight on the fact that we, as a society, depend on computers for much beyond the business and pleasure applications we generally discuss. Everything from the car you drive to the utilities uses computers to control it. And, where there are computers, there are people contemplating ways of breaking them. Most of these controllers were not visible to the average user, so they did not get attention from hackers. However, that also meant that their manufacturers often got lazy in building in the security to protect them. Now that they have the attention of the hackers, companies are scrambling to protect their controllers. Otherwise, we may be in for some rough times ahead from malicious or inadvertent attacks on our infrastructure.


Google’s Knowledge Graph


Last week Google announced that it had created a new kind of search called a “knowledge graph.” Lifehacker’s article said it would “bring[s] smarter semantic results” because it “connects your search query to Google’s knowledgebase of over 500 million people, things, and places to show you relevant info in a sidebar along your search results.”

So, what does that mean to you?  It means Google just got more useful (and it was already pretty useful!)  Google searches should bring you more information of different types.  Let me give you an example and then explain the jargon that is being thrown around to explain this idea.

Suppose you were interested in “roses.”  You would most likely go to Google and search on “roses.”  In the past, Google would bring back webpages where the letters “roses” appeared (in that order) or which had descriptions that it had something to do with “roses.”  That might mean poems with roses,  the War of the Roses, the musical group Guns and Roses,  the flower roses, or people who have first names of Roses (probably in error), or other places where the letters “roses” appeared.  The term “roses” did not mean anything to Google;  the search engine just found places where the letters were used.

Now when you type in “roses,” the new and improved Google “understands” that those letters in that order refer to something, a flower.  So, in addition to the searches that you might have gotten elsewhere, you will now get a side panel that defines what roses are and how they are classified.  You might also get a list of places at which to purchase roses (because that’s what one does to obtain them).  It also takes advantage of what other databases Google has that mention roses and what other users have found useful when searching for roses.

Why didn’t they just say that Google got better?  This is one of those examples where computer people did just say that Google got better, but they did it with a lot of jargon.  “Semantic” refers to understood meaning; in this case that the search engine behaves as if it understands the meaning of the string of letters “roses” and its relationship with other things (like stores and gardens and bouquets).   It is no longer just finding that word, but is now looking for information about the flower, roses.  It is as if you had a librarian there helping you with your search.

So, what is all this about the graph? There is no graph on the search page. Again, it is jargon. To computer people, the “graph” refers to relationships among things. So it refers to the way that Google is now connecting its databases and its relationships among pages. It is making those connections to make the searches more meaningful.

In Google’s announcement, they provided the search example “da Vinci.”  This provides a nice example of the new search results.  The screen you see is shown below.

As you can see from the screen shot above, the left side of the screen provides the typical Google search results.  It provides not only information about the artist, but also information about syrups, wedding dresses and surgical procedures that share the name.  The part that is different is the information on the right.  Since most people who search for da Vinci are looking for the artist, they provide information about him, taken from a variety of databases, for easy access.

How well this better informed search will work for you depends on a few things.  First, of course, it depends on how similar your searches are to those of other users.  The closer you are to “typical” searchers, the more likely you will get this enhanced information.  Second, it depends on how well you scope your search.  If you are very good and tend to give Google a precise set of search terms, you most likely get to the information very quickly and this will not help much.  If, instead, you are terribly general in your search terms, you may or may not get this information.  However, if your terms generally provide some boundary, and you are searching for items for which Google has a good network, you will probably find this enhanced search is useful for you.

As an example, earlier this evening, I conducted a search on “Paul Gray,” who is a long standing colleague and friend who recently passed away.  This search generated the enhanced results, but apparently there is a musician named Paul Gray and there was much information about him.  Most people who search on Google probably want information about him.  However, Google was smart enough to know there was another Paul Gray that might be of interest to a subset of searchers.  So, at the bottom there was another box with information:

Google can understand that “Paul Gray” is a person’s name and there are two of them.  That’s pretty cool!

Privacy Legislation


There is good news for those of us who use email, smart phones and social networking sites! Legislation was introduced in both houses of the (U.S.) Congress today that would prohibit employers or prospective employers from forcing employees or prospective employees to divulge passwords. The good news is that both houses think this is a problem and are acting to do something about it. The bad news is that the bills differ. The Senate’s version, called the Password Protection Act and sponsored by Sen. Richard Blumenthal, D-Conn., also includes smart phones, private email accounts, photo sharing sites, and any personal information that resides on computers owned by the workers. Rep. Ed Perlmutter, D-Colorado, introduced similar legislation in the House. However, last month, Rep. Eliot Engel, D-N.Y., introduced the Social Networking Online Protection Act (SNOPA) that extended the protections to elementary, high school and college students. The ACLU supports this inclusion of students because they are a target of much of the social media monitoring.

Rep. Engel was quoted by ABC News as saying:

“There have been a number of reports about employers requiring new applicants to give their username and password as part of the hiring process. The same has occurred at some schools and universities,” Engel said in a statement. “Passwords are the gateway to many avenues containing personal and sensitive content — including email accounts, bank accounts and other information,” he added.

Of course, the legislation also protects employers in that it prevents them from accidentally learning information about a candidate that is not allowed to be considered in a hiring decision.

These are positive steps to protect our civil liberties.

Meanwhile the New York Courts have asked Twitter to release data pertaining to a user involved with the Occupy Wall Street movement.  According to CNN,

Twitter, however, countered that the court would need a search warrant to get that information. It pointed to a recent Supreme Court decision which found that attaching a GPS device is considered a search under the Fourth Amendment, which prevents unreasonable searches and seizures.

“If the Fourth Amendment’s warrant requirement applies merely to surveillance of one’s location in public areas for 28 days, it also applies to the District Attorney’s effort to force Twitter to produce over three months worth of a citizen’s substantive communications, regardless of whether the government alleges those communications are public or private,” wrote Twitter in its motion.

Twitter also suggested that Harris owns his own tweets and could therefore file a motion to quash on his own, despite the prosecution’s assertion of the opposite.

The ACLU is calling Twitter’s move a ‘big deal.’

The Fourth Amendment should protect us from arbitrary search and seizure of our own information. Just because it is easy to access (because it is electronic) does not make it right to do so.

Individual Privacy: Is 1984 finally here?


When I was in high school, everyone was required to read the book entitled 1984 by George Orwell.  According to Amazon’s description of the book, “In 1984, London is a grim city where Big Brother is always watching you and the Thought Police can practically read your mind.”  I recall there being much discussion of how horrible that would be and how it would never happen.

Yesterday I read an article on BBC.com that states, “The government will be able to monitor the calls, emails, texts and website visits of everyone in the UK under new legislation set to be announced soon.”  That sounds to me like 1984 may have arrived.  Of course, those proposing the new law state that it is critical to have access to information about terrorists and their contacts in order to protect the country.  The difference between this proposal and one that failed a few years earlier is that police will not be able to access the data without a warrant.  But, the article goes on to say that the law would “enable intelligence officers to identify who an individual or group is in contact with, how often and for how long. They would also be able to see which websites someone had visited.”

Most law-abiding citizens have no difficulty with the concept that terrorists or criminals would have their information recorded.  However, the law does not limit data collection to known criminals or terrorists, or even those under suspicion — it opens the door to collecting this information about everyone.  Once collected, will the government be able to help itself in doing more with the data than intended?  What is the difference then between the British government and that in China or Iran in modern times, or Nazi Germany and Communist Russia in more distant times?  Will the government not face the risk of taking action because of some communications that when put together look alarming?  How long will it take for the government to try to mine the data to find other “terrorists” or “criminals” who are so identified simply because they have similar surfing or communications patterns?

In addition, how will all of these data be protected from hackers? We have recently seen hackers breach the security of Scotland Yard meetings, military data, corporate data, and, of course, credit cards. In that same article, the author notes, “The Sunday Times quoted an industry official who warned it would be ‘expensive, intrusive [and] a nightmare to run legally.’” Most professionals respond to that quote with “to say the least!”

Police have always wanted this kind of information, but society has said that individual freedom is more important.  Just because it is (relatively) easy to get and keep such data now that it is electronic, does that make it right?   It is almost impossible to get privacy back once it is lost … shouldn’t we ponder this a bit more before we risk the loss of privacy forever?

WiFi Tricks and Threats


Last week the Huffington Post commented on how to avoid hackers, especially for celebrities. It was an article full of useful information, but only if you know how to use it. The fourth tip was to avoid WiFi networks. Well, that’s nice, but what is WiFi and how does one avoid it?

One can define WiFi as the technology that allows an electronic device, such as your smart phone, laptop or iPad, to connect to the Internet wirelessly (using radio waves). In order to connect, you must be able to send information to a hotspot (or access point). Such hotspots have a limited range indoors because walls, furniture and other physical objects can block the signals, but have a greater range outdoors. WiFi allows cheaper deployment of local area networks, including in spaces where cables cannot be run, such as outdoor areas and historical buildings.

You may well have used WiFi at your local Panera (or St. Louis Bread Company as it is known here) while eating.  Bookstores, restaurants and lobbies of hotels also generally provide WiFi coverage to their customers.  Most devices attach easily to WiFi, and may attach automatically (with no obvious signal to the user).  It is a convenient way to access your email, social networking, or web searches from your portable device.

But, it is also an easy way for others to access your email, social networking or web searches. Most public WiFi networks have no security associated with them (as indicated by the fact that you have no password or other requirements to join the network). Since there is no security on the network, anyone can attach any device to the network and do on it what they want. Some people, then, attach devices that can read any non-encrypted transmission over the network. That includes your passwords, credit card numbers, confidential corporate information or your surfing history. This is comparable to a person eavesdropping, except that it is done with a computer. They may also be able to masquerade as another device and send requests for information (such as data or pictures) to your computer (which your computer thinks it should honor). As I have said before, sometimes people do this for fun, or to learn what they can do. Others engage in such behavior to find information that might be sold to magazines or used to blackmail people. Still others engage in the behavior to steal confidential information (such as credit card numbers) that they use to steal money.

So, what do you do? Of course, the normal precautions of having your security software up to date will prevent someone from unleashing a virus or malware on your computer. But in addition, many security experts suggest you avoid such networks. Or, if you do use them, set up a virtual private network (or VPN). You may already be familiar with a VPN because you may use one to log in to your company’s computer. VPNs typically require remote users of the network to be authenticated, and often secure data with encryption technologies to prevent disclosure of private information to unauthorized parties. This software prevents sniffing of the material sent over the network, and ensures that communications come from the place they say and that information is not intercepted inappropriately.

A mobile VPN (mVPN) gives a user the same level of security when using public WiFi networks. Instead of requiring a stable location on a network like the traditional VPN, a mobile VPN maintains a virtual connection to the application. It allows the computer to move among WiFi networks, which changes the “address” of the computer, and handles the changes of address transparently. This kind of security has been used by police officers as they move among cell towers, and by hospital personnel as devices move with patients. Both applications require absolute security. Using an mVPN may involve additional hardware and will involve additional software provided by a third party.

It is, of course, an extra step.  But, if you do not want the world to know the data you process, then perhaps the extra step is necessary.
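To make the point about devices that join open WiFi networks automatically concrete, here is an added example (not part of the original post) that audits saved WiFi profiles in NetworkManager's keyfile format and lists the unprotected networks a Linux laptop would rejoin silently. The sample profiles and network names are constructed for illustration, and the check goes slightly beyond the post by also flagging legacy WEP networks, whose encryption is broken.

```python
import configparser

# Constructed sample profiles in NetworkManager keyfile format (illustrative only).
SAMPLE_PROFILES = {
    "CoffeeShop-Guest": """
[connection]
id=CoffeeShop-Guest
type=wifi

[wifi]
ssid=CoffeeShop-Guest
""",
    "Hotel-Lobby": """
[connection]
id=Hotel-Lobby
type=wifi
autoconnect=false

[wifi]
ssid=Hotel-Lobby
""",
    "Home": """
[connection]
id=Home
type=wifi

[wifi]
ssid=Home

[wifi-security]
key-mgmt=wpa-psk
""",
    "OldRouter": """
[connection]
id=OldRouter
type=wifi

[wifi]
ssid=OldRouter

[wifi-security]
key-mgmt=none
""",
}


def classify(profile_text):
    """Return (ssid, protection, autoconnect) for a WiFi profile, else None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(profile_text)
    if cp.get("connection", "type", fallback="") != "wifi":
        return None  # wired, VPN, etc.
    ssid = cp.get("wifi", "ssid", fallback=cp.get("connection", "id", fallback="?"))
    if not cp.has_section("wifi-security"):
        protection = "open"        # no password and no link encryption
    elif cp.get("wifi-security", "key-mgmt", fallback="none") == "none":
        protection = "wep"         # key-mgmt=none means legacy WEP
    else:
        protection = "encrypted"   # e.g. wpa-psk, sae, wpa-eap, owe
    # NetworkManager auto-joins a saved network unless autoconnect=false is set.
    autoconnect = cp.getboolean("connection", "autoconnect", fallback=True)
    return ssid, protection, autoconnect


def risky_profiles(profiles):
    """List (ssid, protection) for unprotected networks the device joins silently."""
    found = []
    for text in profiles.values():
        result = classify(text)
        if result and result[1] != "encrypted" and result[2]:
            found.append((result[0], result[1]))
    return sorted(found)


if __name__ == "__main__":
    for ssid, protection in risky_profiles(SAMPLE_PROFILES):
        print(f"{ssid}: {protection} network set to auto-join; disable autoconnect or forget it")
```

On a real system the saved profiles normally live under /etc/NetworkManager/system-connections/ and are readable only by root.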

 

How Private are your Facebook Posts?


There were  two disturbing stories in the press today, both of which involve Facebook and how others use your data.  The first was in Forbes, and asks What Employers Are Thinking When They Look At Your Facebook Page.  Many people who looked at that story were amazed to learn that employers were looking at their Facebook pages at all, and even more amazed to learn they use the information in hiring decisions.  Potential employers are looking at your Facebook page to decide what type of person you are and whether you would fit into the culture of their organization.  According to the article, potential employers will look at the page, including photos, posts, status updates, conversations, causes and games and rate individuals on their levels of extroversion, agreeableness, conscientiousness, neuroticism, and openness to new experiences.   As I look at postings, I ask what potential employers learn when someone posts every time he or she has a spat with a significant other, says unpleasant things about sports teams, spends significant time playing games, spells poorly, uses bad grammar or slang, and/or has many negative conversations.  If you look at your postings, are you the type of person with whom you would like to work?

I agree that you can learn many things about a person by reading their Facebook page and it might just provide insights into whether the person will be successful at certain companies. However, what I fear is all that information taken out of context. I remember when I first started teaching students how to design web pages and one of my students provided a link to “Bare Naked Ladies.” I was taken aback until I realized that it was a band. Today I am frequently confused by posts that refer to music I have never heard or television shows I do not watch. I have committed more than a few faux pas commenting when I thought I understood the context, but was totally wrong. While I try hard to think about context, I have found myself misunderstanding the meaning of posts by good friends and even my son. The key here is that I try to think about context before forming an opinion … what are the odds that overworked HR staff will cut the applicants the same slack?

This article was troubling enough until I read Govt. agencies, colleges demand applicants’ Facebook passwords.  Yes, you read that correctly, demand passwords, and access to all of the postings on one’s Facebook page.  Thanks to the ACLU, they do not get the passwords, but now expect people to log in and allow the interviewer to watch as they click on every link, photo, conversation, etc.  Campus athletes too must provide administrators access to their social networking sites  and allow them to monitor what is said to ensure the athletes are not saying negative things about the program.  What is next?  Will the bank administrator demand to see what I tweet and post before deciding on giving me a mortgage?  Will the government decide whether or not I am an undesirable by looking at my Facebook posts?

For the record here, I will note that personally I leave most of my posts open on Facebook because I post items that I want people to share, such as about this article. Hence I am not bringing this to your attention because I am concerned about what people will think of me.  Instead, I am bringing it to your attention for two reasons.  First, everyone needs to take responsibility for what is on his or her social networking sites and what is visible.  If you have things you do not want a prospective employer or college recruiter to see, then make sure your security settings prohibit them from seeing that material.   Put yourself in their place and see if the image you get is what you want them to have, and adjust your settings, friends and postings accordingly.

Second, I am posting this because I think we have lost the line between due diligence and invasion of privacy.  The post-9/11 world has brought increasing invasions of our privacy because we have let it happen.  If we are going to give up the right of privacy as a society, I think we should do it consciously.  The fact that information is in digital form does not make it any less private.  We need a dialog about what is happening and  the cultural implications of what is happening.  I am hoping we start it today.