Hein (fub) wrote,

Defeating security measures

We work with a lot of financial service providers: banks, mortgage brokers, insurance companies. Of course they have strict protocols in place on what can and can't be done in their production environments: you don't want anybody messing up your operation. Obviously, strict anti-virus policies are in place.
But when I need to get something to their engineers (either an updated version of some software, a document template, whatever), their mail scrubbers block my zip-file. And there's always a solution along the lines of "OK, just send it to my gmail account!" Sometimes, a colleague puts something on his own private server so they can download it.
And this is the way that strict security measures get circumvented: by the very people who are supposed to care about these things. And sure, I know that the things I send are clean (everybody has a virus scanner on their laptop), but they don't.

Of course, control systems for (nuclear) power plants and other crucial infrastructure are not connected to the internet, just like the production environments of our financial customers. But sooner or later, there will be data taken from a testing environment through somebody's desktop -- and it will end up in the production environment. Sure, you can put firewalls and whatnot in between those (we like to describe those firewalls as "deep trenches with hungry crocodiles in them"), but the people who just want to get their job done will actively circumvent those security measures. Because they can't get their job done otherwise.

And this offers opportunities for the enterprising hacker. Today, it was confirmed that one such ploy succeeded.

The Stuxnet worm has a very specific target: programmable controllers in frequency motor drives within a relatively narrow range of speeds. Since the worm was first discovered in Iran, it is probable that it was designed to hinder the enrichment of uranium in the Iranian plant. But of course the control mechanisms for the centrifuges are not connected to the internet in any way.
As Stuxnet has shown, you don't need to design anything for that: if you make sure your worm spreads far enough, sooner or later it will hit a desktop that will be used to bring test data to a production environment. That's when you strike!
I find it very impressive that the ploy worked. It's very, very subtle sabotage -- very targeted, very high-tech. Wired has more on the case.

I wonder if it would be possible to target the systems of a bank like this. You'd need very detailed inside information, but I see no reason why it couldn't work in exactly the same way. And there's not much you can do to prevent it -- because your own security measures will be circumvented by your own people.
Tags: technology
