Eas­ily-pro­duced home­made cy­ber­weapon wor­ries feds

The Washington Times Weekly - - Geopolitics - BY SHAUN WATER­MAN

Two se­cu­rity re­searchers, work­ing at home in their spare time, have cre­ated a cy­ber­weapon sim­i­lar to the so­phis­ti­cated Stuxnet com­puter worm that was dis­cov­ered last year to have dis­rupted com­puter sys­tems run­ning Iran’s nu­clear pro­gram.

The pri­vate ef­forts by Dil­lon Beres­ford and Brian Meix­ell are rais­ing con­cerns among U.S. gov­ern­ment of­fi­cials that hack­ers will launch copy­cat cy­ber-at­tacks that could crip­ple com­puter con­trols at in­dus­trial sites such as re­finer­ies, dams and power plants.

Of­fi­cials at the Depart­ment of Home­land Se­cu­rity were so dis­tressed by the re­searchers’ find­ings that they asked the two men to can­cel a planned pre­sen­ta­tion at a com­puter se­cu­rity con­fer­ence in Dal­las two weeks ago called TakeDownCon.

“They re­quested that I not share the data, but it was ab­so­lutely my de­ci­sion to can­cel,” Mr. Beres­ford told The Wash­ing­ton Times. Home­land Se­cu­rity “in no way tried to cen­sor the pre­sen­ta­tion, and the con­fer­ence or­ga­niz­ers were very sup­port­ive. [. . . ] We did the right thing.”

Ini­tial anal­y­sis of the 2009 Stuxnet at­tack on Iran sug­gested that repli­cat­ing it would re­quire the re­sources of a nation-state or large or­ga­ni­za­tion and de­tailed in­for­ma­tion on how the tar­get com­puter sys­tem was set up. The ori­gin of Stuxnet has not been dis­cov­ered.

But Mr. Beres­ford said he de­vel­oped the cy­ber­weapon “in my bed­room, on my lap­top” in 2 1/2 months. The ma­li­cious soft­ware, or mal­ware, was tested on equip­ment made by Siemens, the Ger­man-based in­dus­trial gi­ant that makes the sys­tem that was at­tacked by the Stuxnet worm.

Siemens prod­ucts, known as in­dus­trial con­trol sys­tems, are used in thou­sands of power sta­tions, chem­i­cal plants and other in­dus­trial set­tings world­wide. Stuxnet was de­signed to make the ma­chin­ery con­trolled by an in­dus­trial con­trol sys­tem de­stroy it­self.

Once Siemens saw Mr. Beres­ford’s pre­sen­ta­tion, the com­pany re­newed lab­o­ra­tory work on soft­ware patches for con­trollers that were de­vel­oped af­ter Stuxnet, Mr. Beres­ford said. He said he worked two weeks ago with of­fi­cials from a spe­cial Home­land Se­cu­rity unit in charge of pro­tect­ing in­dus­trial com­puter pro­grams but was be­com­ing im­pa­tient with Siemens’ re­sponse.

“This is an­other egre­gious ex­am­ple of a ven­dor try­ing to min­i­mize the im­pact of mul­ti­ple se­cu­rity vul­ner­a­bil­i­ties in their prod­ucts and be­ing some­what eva­sive about the truth,” he said,

The dis­clo­sure that in­de­pen­dent re­searchers could repli­cate Stuxnet, which se­cu­rity spe­cial­ists said at the time likely re­quired a large de­sign team to pro­duce and an in­dus­trial plant for test­ing, will in­crease con­cerns about the pro­lif­er­a­tion of ad­vanced cy­ber­weapons that could cause large-scale death and de­struc­tion if un­leashed by ter­ror­ist groups, crim­i­nal gangs or for­eign gov­ern­ments.

not­ing that the com­pany tried to down­play concern in its pub­lic state­ments and had yet to pub­lish a fix for the flaws he had found.

“The clock is tick­ing, and time is of the essence. I ex­pect more from a com­pany worth $80 bil­lion, and so do [their] cus­tomers,” Mr. Beres­ford said.

Siemens spokesman Robert Bar­tels told The Times that the com­pany is test­ing fixes and ex­pects to re­lease them “within the next few weeks.”

Home­land Se­cu­rity Depart­ment of­fi­cials asked the re­searchers to de­lay their pre­sen­ta­tion un­til spe­cial re­pair mea­sures aimed at patch­ing se­cu­rity holes they iden­ti­fied are fully de­vel­oped. They praised the re­searchers for post­pon­ing pub­lic re­lease of data that hack­ers could use to at­tack com­put­ers that con­trol crit­i­cal in­fra­struc­ture around the world.

“Re­spon­si­ble dis­clo­sure [. . . ] does not en­cour­age the re­lease of sen­si­tive vul­ner­a­bil­ity in­for­ma­tion with­out also val­i­dat­ing and re­leas­ing a so­lu­tion,” a Home­land Se­cu­rity of­fi­cial said in an email.

The dis­clo­sure that in­de­pen­dent re­searchers could repli­cate Stuxnet, which se­cu­rity spe­cial­ists said at the time likely re­quired a large de­sign team to pro­duce and an in­dus­trial plant for test­ing, will in­crease con­cerns about the pro­lif­er­a­tion of ad­vanced cy­ber­weapons that could cause large-scale death and de­struc­tion if un­leashed by ter­ror­ist groups, crim­i­nal gangs or for­eign gov­ern­ments.

Newspapers in English

Newspapers from USA

© PressReader. All rights reserved.