2600 Magazine_ The Hacker Quarterly - Digital Edition - Summer 2011 - 2600 Magazine [57]
As we erode the air gap between critical infrastructure and the great unwashed Internet, we expose the infrastructure to greater and greater risk. The first shots have already been fired - Obviously, we can’t ignore Stuxnet, but that’s hardly the first case of extremely advanced attacks against infrastructure systems.
For example, in 2005, the voice switches for Vodaphone Greece were trojaned with an advanced, run-time patched piece of code, which tapped into the wiretap functionality to snoop on over a hundred government officials, company executives, embassy officials, and military officers. The perpetrators were never found: State actors? Organized crime groups? Suddenly, we’re well beyond the purview of pranksters. (For an excellent complete chronology of the Greek phone hack, go read http://spectrum.ieee.org/telecom/security/the-athens-affair . We’ll be here when you get back.) I don’t know if this is the first publicly disclosed network attack against critical governmental services, but it’s a very interesting data point.
Of course Stuxnet is still making news, a year after it was discovered, analyzed, debated, debated, fingers pointed, headlines made, debated further. Shockingly complex, specifically targeted, and subtly disruptive of a very specific piece of equipment, which just happens to be the heart of a hostile nation’s nuclear program?
Iran blames the U.S. and Israel. The U.S. winks and says it’s sure unfortunate for Iran, and isn’t it such a shame. Israel is accused of building duplicates of the facilities in Iran for testing just such an attack.
No one is officially accepting ownership of Stuxnet. No one wants to be the ones to fire the first shot in a real, proper, “cyber attack.” The real question left to me is: are we any more secure? I highly doubt it. Factories, power plants, even the “smart grid” being pushed by regional power companies use similar control systems, systems which were not necessarily designed to be hardened from external attacks. Some control systems likely predate the Internet and networks as we know them.
Changing software is fairly easy. Changing hardware is significantly less so. It’s easy (for some relative definition of easy) to roll out a Windows patch on a Tuesday to close a hole, but when there are a thousand control systems over acres of a facility or hundreds of thousands of customers’ homes, sharing a network where someone just brought a laptop back from the coffee shop, the next generation of specifically crafted worms may have a field day, and there’s no simple way to change all those devices.
Siemens recently announced a group of vulnerabilities in its SCADA control systems which would not be publicly disclosed for reasons of national security; I have to wonder how similar they were to the same vulnerabilities Stuxnet was taking advantage of.
* * *
A Brief Guide to Black Edition XP
by Oddacon T Ripper | 1462 words
If you don't remember, 9x was a term referring to the early versions of the Windows operating systems... 3.1, 95, 98... they were all 9x. It was called 9x because all of Microsoft's operating systems prior to it were eight bit operating systems. In the 1980s, most all computers ran eight bit OSes. MS-DOS, Apple II, GEOS, CP/M. were all popular back then. But when Microsoft released Windows 95, they designed it to support 32 bit! They would leave the processor at 16 bit for the sake of backwards compatibility, but Microsoft didn’t change all of their code to 32 bit. This began to impact the operating system's efficiency and stability. Hence, the famous blue screen of death.
Microsoft has come a long way since 9x, though. With NT, XP, Vista, and Windows 7, they have overcome a lot of compatibility/networking issues. Can you sense the sarcasm? I remember when XP was first released on the market back at the turn of the millennium. It might as well have been called Swiss Cheese OS because there