Anonymous hacktivists fire ion cannons at Zimbabwe

Friday, December 31, 2010

Pro-WikiLeaks hacktivists have launched a denial of service attack against government websites in Zimbabwe.

Websites belonging to the Zimbabwe government and Robert Mugabe's ZANU-PF party were blitzed by junk traffic during the latest phase of the Operation Avenge Assange campaign by the anarchic Anonymous collective. The Finance Ministry in Zimbabwe was also defaced with a message from the fun-loving criminals of Anonymous (the defacement was purged by Friday afternoon but recorded for posterity in a blog entry by Sophos). The attacks were mounted as reprisals against attempts by the Zimbabwe government to suppress the publication of politically embarrassing WikiLeaks-sourced material by local media.

Grace Mugabe, wife of Zimbabwe president Robert Mugabe and self-styled "mother of the nation", is suing local newspapers for millions over the publication of allegations that she feathered her nest with funds from illegal diamond trading. The accusations stem from leaked US diplomatic cables, published by WikiLeaks, that formed the basis of reports by the Standard newspaper.

Anonymous published a statement explaining its actions: "We are targeting Mugabe and his regime in the ZanuPF who have outlawed the free press and threaten to sue anyone publishing wikileaks."

The hacktivist collective has recently been involved in numerous online attacks against various organisations perceived to be hostile to WikiLeaks and its spokesman Julian Assange. Most of these attacks have been DDoS efforts emanating largely from illegal botnets controlled by individual Anonymous members; however, it has also been normal for a few hundred activists to voluntarily use tools such as the Low Orbit Ion Cannon software to bombard targeted websites with packets.

Mugabe has reduced his country to financial penury over decades of misrule, characterised by widespread corruption. However attacking Zimbabwe government websites is extremely unlikely to have any practical effect on the regime.

Honda US cops to vast data snaffle from marketing firm

Honda US has written to customers following a data breach that led to the exposure of millions of customer records.

Hackers made off with a database containing names, email addresses, and Vehicle Identification Numbers (the unique ID for cars) of 2.2 million Honda customers following an attack on an unnamed third-party marketing outfit. The breach creates a mechanism for miscreants to distribute convincing phishing emails, perhaps posing as "special offers", and designed to hoodwink victims into disclosing more sensitive private information.

Honda has contacted affected customers to warn them of the risk, as well as publishing an FAQ on the breach. Criminal hackers also swiped a list containing email address records of 2.7 million drivers of Honda's luxury Acura cars. Vehicle information was not attached to that list, which means it poses a lesser risk, mainly from increased spamming of the exposed email accounts.

Net security firm Sophos notes that the incident illustrates how the security reputation of household brands can be damaged by security faux-pas from its partners. "It may not be your company who is directly hacked, but it can still be your customers' data that ends up exposed, and your brand name that is tarnished," Sophos notes.

"You don't just need to ensure that you are taking enough care about the security and protection of the private customer data you store - you also need your partners and third-party vendors to follow equally stringent best practices."

Civil servants touted ID cards to friends, family as flop loomed

Civil servants were asked to encourage their family and friends to sign up for the now-defunct ID card scheme amid Whitehall fears that it would flop, confidential documents have revealed.

The documents, reported today by the Daily Telegraph following a Freedom of Information Act request, show how senior officials were urged to act as cheerleaders for ID cards by emailing personal contacts.

In the end, any such efforts were moot. Only 13,200 ID cards were issued before the coalition scrapped the scheme, which had cost £292m. Those that paid the £30 fee for a card have been told it will not be refunded.

The newly-released documents detail opposition to ID cards from workers at Manchester Airport, who the government used as guinea pigs for the scheme. A full-time "National Identity Card Administrator" was appointed to drum up demand, but only 15 per cent signed up.

The documents also highlight interference problems reported by card holders.

"One participant complained that the identity card interfered with other cards kept in the same wallet," a report said.

Shadow education secretary Andy Burnham, who was a Home Office minister when ID cards were under development, defended the scheme.

"The Tory-Lib Dem government are trying to make the cards a totem of what our government stood for - but I think they were a good idea and many people are still in favour of them," he said.

Chinese bot will slurp your Droid

A Trojan capable of stealing data from infected Android smartphones, and bundled with botnet-style functionality, has appeared in China.

The mobile malware, dubbed Geinimi, which usually poses as gaming applications, has been uploaded onto third-party Chinese Android app markets. If installed, the malware sends personal data from compromised devices (specifically device identifiers, location information and list of installed applications) to a remote server.

Geinimi is also capable of receiving commands from remote servers controlled by hackers. This botnet-style functionality, together with the use of code obfuscation techniques, leads mobile security firm Lookout to describe the malware as the most sophisticated to appear on Android devices to date. The botnet control functionality has yet to be put to use, so the precise purpose of the malware remains unclear.

The very small number of Android-infecting malware strains detected to date have included a Trojan capable of sending SMS messages to premium-rate numbers from compromised devices. The Trojan, which affected an unknown number of users, appeared on Russian-language sites offering pornographic video clips.

Both the Russian and Chinese Android Trojans relied on exploiting user searches for warez. Each of the Android malware strains was regionally targeted, and posed no risk to users who only downloaded apps from recognised sources.

Lookout, a mobile malware specialist that recently secured $19.5m in additional funding, sells anti-virus software for Android devices, hence its understandable interest in drawing attention to the Chinese malware. Alternative Android anti-virus apps exist, including alternative commercial software packages from likes of Symantec and Kaspersky as well as DroidSecurity's ad-supported antivirus app for Android handsets.

Threat Report: No rest for the wicked

Sydney honeypots continue to attract botnet worms.

West Coast Labs' Sydney honeypots continued to attract high levels of malware this week, even as globally the total number of threats eased during the Christmas and New Year period.

The Sydney honeypots attracted a strain of the polymorphic Virut family of viruses, which, as explained in our first Threat Report, infects files with encrypted code and spreads itself further whenever the files are executed.

West Coast Labs noted that it was precisely the same variant of Virut that attacked its German honeypots in May and Taiwanese honeypots in September - the former attack being launched from Japan and the latter from Romania.

The attack came from Romania on this occasion.

This suggests that either the attackers persisted with the same malware after achieving good results, or innocent end-users continue to be affected by the virus months after its initial release, spreading the threat further afield.

West Coast Labs noted that most IT security vendors now have a fix, even if it took some two months to introduce.

Further information on this piece of malware can be gained from:

  • Sophos
  • Trend Micro
  • Securelist

Asia on the attack

Whilst the Virut variant was sourced to an address in Romania, West Coast Labs also noted that an unusually high proportion of the malware detected by the Sydney honeypots came from addresses in Asia.

Of the 119 attacks detected this week (65 unique, 56 new to Sydney), 28 came from Japan, 18 from Taiwan and 7 from Hong Kong.

One new variant to the Sydney honeypots, detected in Europe as far back as 2008, has been detected in seven Asian countries - primarily sourced to Japan and Taiwan.

It was believed to be a PolyCrypt-packed bot, and depending on which vendor you ask it is named Ircbot, Mybot, Rbot, Sdbot or Spybot. Equally, it's described as a virus, worm, backdoor or Trojan, but its main aim is to infect the user's machine and add it to a botnet.

More info on this malware is available at:

  • McAfee
  • Symantec
  • Panda

Copyright © iTnews.com.au . All rights reserved.


Transcending the Human, DIY Style

BERLIN, Germany — Lepht Anonym wants everyone to know the door to transcending normal human capabilities is no farther away than your own kitchen. It's just going to hurt like a sonofabitch.

An articulate advocate for practical transhumanism.

Anonym is a biohacker, a woman who has spent the last several years learning how to extend her own senses by putting tiny magnets and other electronic devices under her own skin, allowing her to feel electromagnetic fields or, if her latest project works, even magnetic north.

Since doctors won't help her, she does it in her own apartment, sterilizing her equipment (needles, scalpels, vegetable peelers) with vodka. Good anesthetic is largely impossible to buy, so she screams a little, and sometimes passes out. But it's worth it, for what's on the other side.

“Bodily health takes a big fuck-off second seat to curiosity,” she says. “Though it hasn't really changed my life, it's just made me more curious.”

This is DIY transhumanism, the fringe of a movement that itself lies well outside the mainstream of philosophy, ethics, technology and science.

For decades, transhumanists have argued that science and technology are approaching (or have approached) the point at which humans can take evolution into their own hands, transcending limitations of sensation or movement or even lifespan that are purely the accident of evolution. Some thinkers focus strictly on the post-human physical body, while others write of evolved social systems as well.

Anonym's vision of the transhuman is rather different. Less visionary, possibly, but more realistic. What she does is “grinding,” with homemade cybernetics and an intimate familiarity with medical mistakes, driven by a consuming curiosity rather than a philosophical creed. She does her own surgery, with a scalpel and a spotter to catch her if she passes out, and an anatomy book to give her some confidence she isn't going to slice through a vein or the very nerves she's trying to enhance.

“The existing transhumanist movement is lame. It's nano everything. It's just ideas,” she says. “Anyone can do this. This is kitchen stuff.”

Visiting Berlin to speak at this week's Chaos Computer Club Congress, Anonym proves to be witty and articulate, a slender woman with spiky black hair and dark makeup around her eyes. She has a way of moving as she talks that suggests thought is a kind of physical thing for her too, like the electromagnetic fields she can sense with her modified fingertips. She has tattoos and piercings on her face, but there's nothing obvious to indicate her practice; even her fingers look smooth and unscarred, though the metal discs can be felt faintly under one pad.

The Aberdeen, Scotland native got her start about two years ago, experimenting first with RFID sensors under her skin that let her do things like lock a computer specifically to her signature. That was a decent start, but didn't scratch the itch entirely. (Anyway, she says now, RFID is crap as a personal security system; it's really only a way to experiment with the implant techniques.)

She moved on to trying a transdermal (emerging through the skin) temperature sensor, which would show a variable level of brightness to indicate the temperature. It was a disaster, she says. Mostly she learned, rather uncomfortably, that waterproofing is not the same as bioproofing something. She gave up quickly on the transdermal idea, but not the broader project.

An American body-modification artist of a similar mindset has created small discs of neodymium metal, coated in gold and silicone, which give off a mild electric current when in an electromagnetic field. When inserted under the fingertips, this current stimulates the finger's nerve endings, allowing the bearer to literally feel the shape and strength of electromagnetic fields around power cords or electronic devices.

Anonym had several of these implanted professionally, choking at the cost, and then learned it was possible to buy the metal herself in bulk, far more cheaply.

So she began experimenting with homebrewed sensors. The metal itself is extremely toxic, so she needed a coating to bioproof it, finding a solution ultimately in a silicone putty-like substance called Sugru. But hot-gun glue works fine too, she says. (“I have lots of things in me coated in hot-gun glue,” she says.)

The upshot was an affordable way to fit all ten fingertips for about 20 British pounds. She has one left to go.

She's calling her next project the Southpaw. It's based on the Northpaw, a wearable device created by the Sensebridge group of wearable-electronics hackers, which is worn around the ankle and gives a constant gentle motor-derived vibration on whichever side is facing north.

It's not finished yet, but Anonym is trying to give something internal the same function: a small compass chip, a power coil that can be charged externally, and output in the form of neural-grade electrodes, all to be implanted near her left knee. It's a much bigger project than her others, and probably riskier. She doesn't care.

She wants other people to share her DIY vision. It's not the full transhumanist idea, it's not immortality or superpowers, but even living without the gentle sensation of feeling the invisible is a difficult thing to imagine, she says. One of the implants stopped functioning once, and she describes it as like going blind.

But it isn't for everybody, this cutting yourself up in your own kitchen. She's the first to warn people that it hurts. A lot. Every time; you don't get used to it. Afterward people may not be inclined to understand, to put it mildly. (“Avoid normal people,” she warns. “They're stupid.”)

The medical consequences can be both severe and likely to elicit hostility from doctors. She's put herself in the hospital several times. She nearly lost a fingertip the first time she tried to implant a neodymium disc herself. Various experiments with bioproofing have failed, with implants rusting under her skin, or her own self-surgeries turning septic.

But if that list of horrors isn't enough to scare someone off, she's also eager to help others avoid some of the mistakes she's made in learning.

“You just have to get deep enough to open a hole and put something in,” she says. “It's that simple.”


PlayStation 3 code signing cracked

Hardware hackers claim to have uncovered the private key used by Sony to authorise code to run on PlayStation 3 systems.

The hackers developed the attack in order to run Linux on PS3 consoles, irrespective of the version of firmware the games console was running. By knowing the private key used by Sony, the hackers are able to sign code so that a console can boot directly into Linux. Previous approaches to running the open source OS on the games console were firmware-specific and involved messing around with USB sticks.

The same code signing technique might also be used to run pirated or counterfeit games on a console. That isn't the intention of the hackers even though it might turn out to be the main practical effect of the hack.

The group, fail0verflow, which is also behind the Wii's Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Congress in Berlin. Sony's weak implementation of cryptography was exploited by fail0verflow to pull off the hack: the ECDSA signing code reused the same supposedly random per-signature value across signatures, and anyone holding two signatures that share that value can solve for the private key directly, as explained in a video on enthusiast site PSGroove.
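The flaw fail0verflow found turns on ECDSA's need for a fresh random nonce k per signature: with two signatures that share k, the signer's private key d falls out of two linear equations modulo the curve order. The following is an added example, not fail0verflow's or Sony's code, worked on a tiny textbook curve (y^2 = x^3 + 2x + 2 over F_17, generator (5, 1) of prime order 19) so every number can be checked by hand; the curve, the private key d = 7, the reused nonce k = 3 and the two message-hash values are all constructed for the example, and on a real curve the algebra is identical.

```python
"""ECDSA private-key recovery from two signatures that reuse the nonce k.

Added example. Curve, keys, nonce and message hashes below are constructed
for illustration; the recovery step is the same on any ECDSA curve.
"""

P, A, B = 17, 2, 2          # curve y^2 = x^3 + A*x + B over F_P
G = (5, 1)                  # generator
N = 19                      # order of G (prime)
INF = None                  # point at infinity


def inv(x, m):
    """Modular inverse (Python 3.8+)."""
    return pow(x % m, -1, m)


def ec_add(p1, p2):
    """Affine point addition, handling doubling and the point at infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p1 == -p2
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def sign(d, z, k):
    """Textbook ECDSA: r = (k*G).x mod n, s = k^-1 (z + r*d) mod n."""
    x, _ = ec_mul(k, G)
    r = x % N
    s = inv(k, N) * (z + r * d) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another k")
    return r, s


def verify(pub, z, sig):
    r, s = sig
    w = inv(s, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def recover_private_key(z1, sig1, z2, sig2):
    """Same r in both signatures means the same k was used.
    k = (z1 - z2) / (s1 - s2);  d = (s1*k - z1) / r   (all mod n)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: nonces differ, nothing to recover")
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures: k is not solvable")
    k = (z1 - z2) * inv(s1 - s2, N) % N
    d = (s1 * k - z1) * inv(r1, N) % N
    return k, d


def demo():
    d = 7                       # constructed private key
    pub = ec_mul(d, G)
    k = 3                       # the nonce the signer wrongly reuses
    z1, z2 = 5, 11              # constructed message hashes, already mod n
    sig1, sig2 = sign(d, z1, k), sign(d, z2, k)
    assert verify(pub, z1, sig1) and verify(pub, z2, sig2)
    return recover_private_key(z1, sig1, z2, sig2)   # -> (3, 7)


if __name__ == "__main__":
    print(demo())
```

The two signatures share r, which is the tell-tale sign that k was reused; on a production curve the check is the same, only with the real curve parameters substituted for the toy ones above.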

More discussion on the console jailbreaking hack can be found on a PlayStation forum here.

Feds raid server farms in bid to root out PayPal DDoS perps

Federal investigators have seized servers allegedly abused to launch a denial of service attack against PayPal earlier this month.

An affidavit obtained by the Smoking Gun contains testimony by federal agents convinced that systems at Texan hosting firm Tailor Made Services are likely to contain clues in the hunt for hacktivists who launched an attack against PayPal in response to its decision to freeze an account used by WikiLeaks. The suspension of the account followed the release of US diplomatic cables by the whistle blowing site.

Volunteers were encouraged by members of the loosely bound Anonymous collective to download a tool to pepper the websites of financial firms who had turned their back on WikiLeaks - including MasterCard, Visa and Swiss bank PostFinance as well as PayPal - with junk traffic.

FBI investigators are proceeding on the assumption that some participants used botnets of compromised machines in order to launch a more potent distributed denial of service attack against PayPal, knocking its corporate blog offline for at least several hours.

PayPal supplied FBI agents with eight IP addresses of systems used to run IRC chat servers associated with planning the so-called Operation Avenge Assange attacks. Investigators reckon the same systems were also used as command and control hubs for the botnets used in the DDoS assault against PayPal et al.

The Texan systems were traced back via a compromised machine at Host Europe, Germany. Investigators alleged that the command to launch an attack against PayPal was issued via systems hosted by Tailor Made Services in Texas and relayed via the servers at Host Europe in a bid to disguise its origin. A pair of log entries on the compromised Host Europe machine contained the same message, "Good_night,_paypal_Sweet_dreams_from_AnonOPs.", according to a sworn statement from FBI agent Allyn Lynd.

The affidavit was used to obtain a search warrant for a raid on Tailor Made Services on 16 December. Agents copied two hard drives from the targeted server during this raid. A second IP address associated with the pro-WikiLeaks attacks was traced to a virtual server physically hosted by Hurricane Electric in California.

It's unclear whether or not a suspect has been identified through the FBI's investigation thus far.

Hacking the Hacker Stereotypes

Thursday, December 30, 2010

BERLIN, Germany — On the wall at the front of a basement room here, Agnes Meyder is explaining a complicated diagram depicting enzymes and cell walls, an example of a cancer database with which she is illustrating a talk on her field of bioinformatics.

Organizers of this year's CCC Haecksen meeting.

An hour later, it is sentences that are being diagrammed, as Cäcilia Zirn describes how sentiment analysis allows computers to learn whether human writings (in online reviews or Twitter posts, for example) are positive or pissed-off.

These aren't stereotypical subjects for hackers, but this is the Chaos Computer Club (CCC) Congress, and Meyder and Zirn are hackers indeed, part of a loose 22-year-old group of women within the club called the Haecksen (a pun on the German word for witch).

There is no immediate agenda here, other than to meet each other, share coffee and ideas, and let other women know there are others like them. But it's clear the women in this room have been forced to think about, and perhaps defend, their identity as hackers more than many of the hundreds of men sitting in front of screens and keyboards in the conference outside.

“It's good support to get to know other people here, and to know you're not alone,” says Martina Bauer, a student and group organizer who works in IT support.

Much has been written about the relative scarcity of women in information technology professions, but in hard-core hacking and free-software circles, the gender divide is even starker. One of the guests at the CCC meeting, a Spanish documentary filmmaker called Spideralex (whose Donestech group, for the record, uses all free software), cited a 2006 EU study that found women making up just 2 percent of the population in free or open-source software development.

Women in the United States and other countries have formed many other groups similar to the Haecksen, sometimes aimed at pointing out what is often unconscious sexism in programming circles, and that much of the apparent gender differences come from different socialization and different experiences rather than native abilities. The same EU study showed that women had started using computers, and had owned their own first computer, on average several years later than had men in the community.

These statistics are part of what prompted the Spanish Donestech group to make a documentary on women in development and hacking circles, which they previewed at the Haecksen meeting here.

“The initial focus is always on women not being there,” Spideralex says. “But in our daily lives, we saw many women around us, and we wanted to understand their experience.”

The Haecksen group itself is loosely organized around a mailing list, with meetings primarily at the annual CCC congress and a handful of other events. There is no hierarchy, and none of the four organizers of this year's meeting said they have a clear idea of the current number of group members.

Like the Congress itself, the point is to talk to each other, to get ideas, to get support for each other's projects and plans. It's about showing the men that there are women who can sling code with the best of them, and that this is normal. It's about making other women comfortable being interested in taking computers apart or being deeply geeky about complicated problems of logic or math.

But it's also about ensuring that the definition of hacker and hackerdom doesn't fall into stereotype even within the computing community. Hacking and its hierarchies can too often be viewed within the narrow definitions of code-crunching or IT security, the women here say, while in fact the skills and curiosity of many in the scene take them ranging across a broad spectrum of technical and scientific interests.

The backgrounds of the four women organizing this year's meeting show precisely this diversity.

Meyder, the bioinformatics student, says she got interested in the subject watching Ghost in the Shell (“I knew I wanted to be involved in that,” she laughs), was fascinated by biology, and was convinced early that her blend of biology and computer science and deeply complicated math was the future. She's studying the development of new drugs at the University of Tübingen, where she says there are a fair number of other women in her program.

Bauer got involved with a group of male gamer friends, and learned early on that she loved taking computers apart and putting them back together. When she went to college, it seemed natural to pursue this path.

Melanie Stilz studied both anthropology and computer science in university, bouncing back and forth when she found one or the other respectively too fuzzy or too rigid. She now works with technology in developing countries, and recently spent time teaching in Afghanistan where, in Kabul, at least, she says that the gender balance in computer science classes was actually better than in the West.

Zirn found her focus in artificial intelligence by combining an interest in language with a fascination with computers, and is now pursuing the sentiment analysis field.

The women say their experiences growing up female and techie in Germany have covered a variety of situations, many of which are not discriminatory per se, but illustrate the sometimes uncomfortable position of falling outside someone else's stereotype.

Zirn says that when meeting new male hacker acquaintances, an intense interview-style process often follows. “It's like they don't believe you, they have all these questions, they want to know what Linux distribution you use.”

Bauer notes that gender relations can sometimes be counterintuitive. When she is the only woman with a group of men, they treat her as a friend and fellow hacker, she says. But when another woman joins, even a skilled programmer, the atmosphere often switches to a more stereotypical male-female dynamic.

The four organizers say the number of women attending the Haecksen events, and the CCC as a whole, has risen in the last several years, although because the overall congress attendance figures have also gone up, it's difficult to say whether the relative percentages have changed. They say more women now appear to be attending on their own, rather than in conjunction with a boyfriend or other male friends, for example.

Not all women within the CCC are part of the group, or even think it is necessary. But the women involved say it is important, to help both women and men understand that women are an important and growing part of the scene.

“The Congress helps everyone get over stereotypes,” says Stilz. “I think it definitely helps when people haven't had much contact with female hackers before.”


WordPress update tackles critical blogging bug

Bloggers who rely on WordPress would be well advised to take a break from seasonal festivities in order to plug a serious security flaw in the software.

WordPress 3.0.4 tackles a serious vulnerability which, left unfixed, creates a handy mechanism for malicious hackers to break into installations of the widely used blogging software. Specifically the vulnerability stems from flaws in the HTML sanitation library used by WordPress.

In the past, vulnerable installations of WordPress have facilitated the spread of worms. The flaw might also lend itself to site compromise or blog spam.

Even though attacks against the vulnerability are yet to appear sys admins would still be well advised to apply the update, described as critical by WordPress' developers.

Wiki-Style Mapping Heads to Sea

BERLIN, Germany — Call it sailpunk, with a good dose of the open-source spirit.

Off the coast of England, online.

A group of nautical enthusiasts and amateur mappers are seeking to do for sea charts what the OpenStreetMap is doing for road maps and city streets, drawing on the efforts of GPS-carrying volunteers to create worldwide navigational charts accurate enough to use on the open water.

It's an effort that carries aspects of risk and a need for precision that go far beyond those of a street map, where the height of a speed bump matters far less than the depth of a sand bar, for example. But advocates of the OpenSeaMap project are convinced they can do better than the myriad of maps emblazoned with the warning “Do not use for navigation.”

“If you create a sea chart you can't use to navigate, it really is useless,” said University of Applied Sciences assistant professor Bernhard Fischer, introducing the project at the Chaos Computer Club (CCC) Congress here. “I say drop it, or make it high quality, so we can use it.”

Easy to say, but it turns out to be a sea-devil of a task.

Sea mapping is a vastly different discipline than is creating road maps, which can essentially be updated by volunteers on a bicycle.

To be useful, the charts need to contain information about lighthouses, water depth, harbors, and invisible undersea objects such as sand bars or sunken ships, all mapped with extremely accurate navigational coordinates.

As with the OpenStreetMap project, some of this information can be bootstrapped without having to gather it entirely from scratch. Fischer is currently working on translating a list of known lighthouses around the world into the database. But even this information must ultimately be checked by volunteers, as it is frequently no longer accurate, or was never quite correct in the first place.

Other aspects are much more difficult. Depth readings, for example, must be taken with reference to a specific reference sea level, since tides and weather ensure that the apparent sea level varies widely over time.

There are several ways of doing this, referring to levels such as mean low water or the lowest astronomical tide. This requires that volunteers either settle on a standard, or ensure they describe their depths relative to a known and specified level.

Even something as familiar as longitude and latitude coordinates can be deceptive. Different countries' mapping systems use slightly different reference models of the shape of the earth (datums) to ground the familiar coordinate points most of us are used to hearing. The difference between these models means that the same coordinate pair might land a few hundred meters apart on different maps.

For most purposes this doesn't matter, Fischer said. But the roughly 370 meters of difference separating the same coordinates in the model used by Croatia and in the more widely used standard model developed in 1984 (WGS 84) might mean the difference between a sailor hitting an undersea rock and navigating safely past.

The project is in its very early stages, with some work evident on the coastlines of Germany and the United Kingdom. Theyre still looking for sponsors, technical and mapping volunteers, and ideas.

Fischer himself said he's still uncomfortable with the OpenStreetMap wiki model, in which anybody can provide edits.

“Thoughtless edits could harm people,” he said. “I think this is a problem.”

But for sailors who have always imagined a bit of Magellan in themselves, it's certainly a project to watch.


Unsmart Investments in Smart Cards

BERLIN, Germany — Let this be a lesson for companies implementing smart-card systems: If you don't want people creating money from nothing, pay attention to the security research before investing.

It wasn't supposed to be an ATM card. Photo credit: sjschen

Security consultant Harald Welte would be glad to say the same thing. Speaking at the annual Chaos Computer Club (CCC) Congress here today, he explained how he was able to break Taiwan's smart-card-based transportation payment system, which was expanded this year to be a larger city-wide payment system, using a $40 smart-card reader and a few hours of time.

“Using this in the year 2010 as a payment system is ignorant, clueless, and a sign of gross negligence,” he told the audience here.

Taipei's EasyCard system has been in place since 2001, largely as a means of paying for the subway, bus, taxis and parking. It is also widely known to use a smart card system called MIFARE Classic, produced by NXP Semiconductors, the security of which was publicly demonstrated to be broken by CCC members at their annual congress three years ago.

This break is no secret. It was publicized at the time, is noted on Wikipedia, and the issue was noted by NXP itself on its Web site, which today says the MIFARE Classic offers “basic levels of data security.”

“We are actively cooperating with various universities to learn and to improve our products,” the company's statement reads. “This fits into our mission to provide world class products that contribute to optimal security and privacy.”

The problem, Welte said, was when the city government decided to adopt a broader card-based payment system for stores and other functions, and EasyCard stepped in with its old, now-broken technology.

According to Welte, researchers from the University of Taiwan wrote a letter protesting the decision, noting the security problems. But early in 2010, the EasyCard system was rolled out on a widespread basis, now upgraded to store the equivalent of nearly $350 in New Taiwan dollars, spendable at major department stores, 7-11s, Starbucks and other shops.

That's where Welte, who had done work on RFID issues in the mid-2000s, and had worked often enough in Taiwan to be familiar with the system, got interested.

He knew the MIFARE system was weak. That isn't necessarily a problem — if, say, someone tries to hack a $50 card to read $500, but there is a back-end server verification check that says this card is only supposed to have $50, the problem is more or less solved.

He decided to test the system. The cards are encrypted with a 48-bit proprietary cipher called CRYPTO1. Many security professionals don't think much of proprietary encryption, because it can't go through the acid test of public testing, and indeed this is part of what was broken several years ago.

With a $40 card reader and an open-source program designed to break the encryption, Welte extracted a test card's encryption keys in about 3 hours, he said. That allowed him to read the raw data in each sector of the card. This was initially incomprehensible, but after adding and spending money with the card, and watching what changed, he was able to understand how the card stored purchases, dates, points-of-sale, and other information.

So he ran it through its paces. He bought a Starbucks drink, looked at the changes on the card, and manipulated it to look as though the drink had cost more than it had. Inserting the card into the main machines showed that he had successfully subtracted money, and that the card still functioned.

That meant no back-end verification. A bad sign.

He tried creating money the same way, buying something and then reducing the purchase price, and boosting the stored value. Again, no problem with the official machine readers (he was careful to note that he afterward added real money to the card in the same amount, and then manipulated the value downward again, so that the correct amount of real money had actually been spent).

A few more tests convinced him. The cards were easily manipulable, susceptible to a hack that could create money that could be spent in relatively large amounts all over town.

The city government and EasyCard know about the problem, he said. Taiwanese researchers have tried to warn them, and the research is publicly available online. The problem is companies trying to rely on security through obscurity, using proprietary but unsafe encryption, and trying to save money by not investing in solid security.

"It reminds me of 15 or 20 years ago, of manipulating saved game points on a PC," he said. "It's really not that different in this case, aside from the three-hour key crack."

His advice to companies and other organizations investing in card technology in the future? Spend a bit more money, and use a stronger security algorithm. Implement verification procedures that will prevent cards from being manipulated so simply. And when designing systems that are to last many years, build in room for software updates, once inevitable flaws have been found.

Otherwise there is risk of creating another accidental ATM card.
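The manipulations described above (rewriting the stored balance, and writing an older sector dump back onto the card) against three kinds of terminal, as an added example in toy form; this is not EasyCard's or Welte's code, and the card layout, amounts, ids and the issuer key are all constructed. It shows why a terminal that trusts the balance on the card becomes an "accidental ATM card", what an issuer MAC over the card data does and does not catch, and how the back-end ledger check the article calls for catches both cases.

```python
"""Toy model of a stored-value card and three terminal designs (added example,
not EasyCard's or Welte's code).  Amounts, ids and the issuer key are constructed."""
from __future__ import annotations

import copy
import hashlib
import hmac
from dataclasses import dataclass

# Constructed issuer secret.  A real issuer keeps it server-side or in terminal
# secure modules, never in the card's own sectors where a key recovery exposes it.
ISSUER_KEY = b"constructed-issuer-key"


@dataclass
class Card:
    """What a reader sees in the card's data sectors."""
    card_id: str
    balance: int      # stored value, in TWD
    seq: int          # transaction counter written by the last terminal
    tag: bytes = b""  # issuer MAC over (card_id, balance, seq)


def seal(card: Card) -> bytes:
    """Keyed MAC binding balance and counter to this card id."""
    msg = f"{card.card_id}|{card.balance}|{card.seq}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).digest()


def issue(card_id: str, balance: int) -> Card:
    card = Card(card_id, balance, 0)
    card.tag = seal(card)
    return card


def _deduct(card: Card, price: int) -> str:
    """Write the new balance, counter and tag back to the card."""
    if card.balance < price:
        return "declined"
    card.balance -= price
    card.seq += 1
    card.tag = seal(card)
    return "accepted"


class TrustingTerminal:
    """Vulnerable: the balance on the card is taken at face value."""
    def purchase(self, card: Card, price: int) -> str:
        return _deduct(card, price)


class MacTerminal:
    """Offline but checks the issuer MAC: catches edited bytes, not replayed dumps."""
    def purchase(self, card: Card, price: int) -> str:
        if not hmac.compare_digest(card.tag, seal(card)):
            return "bad tag"
        return _deduct(card, price)


class LedgerTerminal:
    """Online: reconciles (balance, seq) with the issuer's ledger before deducting."""
    def __init__(self) -> None:
        self.ledger: dict[str, tuple[int, int]] = {}

    def register(self, card: Card) -> None:
        self.ledger[card.card_id] = (card.balance, card.seq)

    def purchase(self, card: Card, price: int) -> str:
        if self.ledger.get(card.card_id) != (card.balance, card.seq):
            return "tampered"          # edited value, or a stale copy of the sectors
        if not hmac.compare_digest(card.tag, seal(card)):
            return "bad tag"
        result = _deduct(card, price)
        if result == "accepted":
            self.ledger[card.card_id] = (card.balance, card.seq)
        return result


def run_scenarios() -> dict[str, str]:
    """Runs the manipulations from the article against each terminal design."""
    results: dict[str, str] = {}
    # 1. Rewrite the balance upward; a trusting terminal deducts from the fake value.
    card = issue("card-A", 100)
    card.balance = 10_000
    results["edit/trusting"] = TrustingTerminal().purchase(card, 9_000)
    # 2. The same edit against a MAC-checking terminal: the tag no longer matches.
    card = issue("card-B", 100)
    card.balance = 10_000
    results["edit/mac"] = MacTerminal().purchase(card, 9_000)
    # 3. Replay: dump the sectors before a purchase, spend, then write the dump back.
    #    The old dump carries a valid tag, so a MAC-only terminal accepts it again.
    card = issue("card-C", 100)
    snapshot = copy.deepcopy(card)
    MacTerminal().purchase(card, 90)
    results["replay/mac"] = MacTerminal().purchase(snapshot, 90)
    # 4. The same replay against an online terminal: the counter no longer matches.
    card = issue("card-D", 100)
    online = LedgerTerminal()
    online.register(card)
    snapshot = copy.deepcopy(card)
    online.purchase(card, 90)
    results["replay/ledger"] = online.purchase(snapshot, 90)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:15s} -> {verdict}")
```

The MAC-only terminal still accepts the replayed dump, which is why the counter has to be reconciled against a ledger the card holder cannot rewrite.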


Cuckold computer tech faces ID theft charges over Gmail 'hack'

Wednesday, December 29, 2010

A husband accused of hacking into his wife's webmail account in order to discover evidence of an affair has been charged with identity theft.

Leon Walker, 33, from Rochester Hills, Michigan, suspected his wife Clara was having an affair with her former husband. Consumed with jealousy after his wife failed to return home one night, Leon broke into the Gmail account of his spouse from a shared family computer to uncover a series of emails confirming his wife's betrayal, The Daily Telegraph reports.

Twice married Clara had a son by her first husband and left her second spouse after he was arrested for beating her in front of the child. Leon Walker handed over the emails to Clara's first husband, who used them as part of a custody battle for his son.

This unnamed man was obliged to disclose how he obtained these emails, provoking a counter-lawsuit by Clara over privacy violation and a divorce petition against Leon Walker, a computer technician by trade. Clara and Walker had a daughter together a year ago, a factor that further complicates an already fraught family situation.

Walker was initially arrested and questioned for offences against Michigan's anti-hacking laws before prosecutors decided to charge him with using his wife's password to log into the computer, a form of alleged identity theft. Walker denies the charges.

The outcome of the case (scheduled for trial in February) is destined to be carefully watched by the US's sizeable posse of divorce lawyers. Hi-tech evidence from text messages and social network sites often plays a part in such proceedings just as written letters used to play a significant role in the past.

4chan hit by DDoS assault

Controversial image board 4chan came under a denial of service attack on Tuesday.

A status message on 4chan's status boards (below) reported that the birthplace of Anonymous and home of midget porn had joined the "ranks of MasterCard, Visa, PayPal" as victims of a denial of service attack.

Site is down due to DDoS. We now join the ranks of MasterCard, Visa, PayPal, et al.: an exclusive club!

The Anonymous contingent of 4chan was behind the attacks on MasterCard et al over the refusal of many elements of the banking industry to do business with Wikileaks. In response, patriot hacktivists have launched denial of service attacks on 4chan IRC channels.

Whether the latest "attack" is a continuation of that dispute isn't entirely clear. 4chan's boards were reachable on Wednesday but full of "link spam" to porn sites. We'd hesitate to describe this as evidence of some sort of security attack/lapse on such a free-wheeling anything goes forum as 4chan.

Organisations such as Panda Security and Arbor Networks, both of which have done a good job tracking the Operation Avenge Assange attacks, couldn't be reached for immediate comment on the latest assaults.

Cambridge boffins rebuff banking industry take-down request

Computer scientists from Cambridge University have rebuffed attempts by a banking association to persuade them to take down a thesis covering the shortcomings of Chip-and-PIN as a payment verification method.

Omar Choudary's master's thesis contains too much information about how it might be possible to fool a retailing terminal into thinking a PIN authorising a purchase had been entered, as far as the bankers are concerned. Noted cryptographer and banking security expert Professor Ross Anderson gives short shrift to the argument that publishing the research exceeds the bounds of responsible disclosure, politely but firmly telling the UK Cards Association that the research was already in the public domain and that Choudary's work would stay online.

Anderson is one of Choudary's supervisors in the latter's research.

Choudary's research on so-called NO-PIN attacks builds on work by Steven Murdoch, Saar Drimer and Anderson that was disclosed to the banking industry last year and published back in February.

Chip-and-PIN is used throughout Europe and in Canada as a method to authorise credit and debit card payments. The attack unearthed by the Cambridge researchers creates a means to trick a card into thinking a chip-and-signature transaction is taking place while the terminal thinks it's authorised by chip-and-PIN. The flaw creates a means to make transactions that are "Verified by PIN" using a stolen (uncancelled) card without knowing the PIN code. The ruse works by installing a wedge between the card and terminal.

The same approach cannot be applied to make ATM transactions.

In the months since the potential loophole was uncovered only Barclays Bank has responded by modifying its technology to block the potential scam, Anderson reports.

Choudary is one of the authors of an upcoming paper on Chip-and-PIN security, due to be unveiled at the Financial Cryptography 2011 conference in February.

Putting the Record Straight on the Lamo-Manning Chat Logs

Editor’s note: This is a two-part article, in which Wired.com editor-in-chief Evan Hansen and senior editor Kevin Poulsen respond separately to criticisms of the site’s Wikileaks coverage.

The Case for Privacy

Six months ago, Wired.com senior editor Kevin Poulsen came to me with a whiff of a story. A source he’d known for years claimed he was talking to the FBI about an enlisted soldier in Iraq who had bragged to him in an internet chat of passing hundreds of thousands of classified documents to the secret-spilling site Wikileaks.

It’s probably nothing, Poulsen said. The source in question, an ex-hacker named Adrian Lamo, often sees himself as at the center of important events in need of public attention. But sometimes, Poulsen added, he’s right.

Acknowledging the long shot, Poulsen wanted to drive up to Sacramento, California, to meet Lamo in person and try to get a copy of the alleged chats. I agreed.

What followed was a days-long negotiation of two steps forward, one step back, familiar to investigative reporters whose social networks and reporting skills sometimes put them in touch with skittish sources holding the keys to serious news. The result was our groundbreaking report in June confirming the arrest of Pfc. Bradley Manning on suspicion of passing classified material to Wikileaks, a central thread in what is arguably one of the most important news stories of the year.

Successfully winning trust from people with little to gain and much to lose, while vigorously verifying the facts at hand and maintaining the highest ethical standards, is a balancing act that few reporters ever master completely.

In the five years I’ve worked with Poulsen, I’ve seen him successfully balance these unpredictable forces not once or twice, but literally dozens of times.

He has revealed the inner workings of criminal hacking operations, uncovered sex predators on MySpace and won numerous awards for his dogged efforts. When I think of what the word “journalism” embodies, I can find no better example.

It’s odd to find myself in the position of writing a defense of someone who should be held up as a model. But it is unfortunately necessary, thanks to the shameless and unjustified personal attacks he’s faced ever since he and Wired.com senior reporter Kim Zetter broke the news of Manning’s arrest.

Armchair critics, apparently unhappy that Manning was arrested, have eagerly second-guessed our motives, dreamed up imaginary conflicts and pounded the table for more information: Why would Manning open himself up to a complete stranger and discuss alleged crimes that could send him to prison for decades? How is it possible that Wired.com just happened to have a connection with the one random individual Manning picked out to confide in, only to send him down for it?

Not one single fact has been brought to light suggesting Wired.com did anything wrong in pursuit of this story. In lieu of that, our critics — notably Glenn Greenwald of Salon, an outspoken Wikileaks defender — have resorted to shocking personal attacks, based almost entirely on conjecture and riddled with errors. (See Poulsen’s separate rebuttal below.)

Tellingly, Greenwald never misses a chance to mention Poulsen’s history as a hacker, events that transpired nearly two decades ago and have absolutely no bearing on the current case. This is nothing more than a despicable smear campaign based on the oldest misdirection in the book: Shoot the messenger.

The bottom line is that Wired.com did not have anything to do with Manning’s arrest. We discovered it and reported it: faithfully, factually and with nuanced appreciation of the ethical issues involved.

Ironically, those ethics are now being pilloried, presumably because they have proven inconvenient for critics intent on discrediting Lamo.

At stake are the chat logs.

We have already published substantial excerpts from the logs, but critics continue to challenge us to reveal all, ostensibly to fact-check some statements that Lamo has made in the press summarizing portions of the logs from memory (his computer hard drive was confiscated, and he no longer has a copy).

Our position has been and remains that the logs include sensitive personal information with no bearing on Wikileaks, and it would serve no purpose to publish them at this time.

That doesn’t mean we’ll never publish them, but before taking an irrevocable action that could harm an individual’s privacy, we have to weigh that person’s privacy interest against news value and relevance.

This is a standard journalistic balancing test — not one that we invented for Manning. Every experienced reporter of serious purpose recognizes this, and the principle is also embodied in the Society of Professional Journalists’ code of ethics:

Recognize that gathering and reporting information may cause harm or discomfort. Pursuit of the news is not a license for arrogance…. Only an overriding public need can justify intrusion into anyone's privacy. Show good taste. Avoid pandering to lurid curiosity.

Even Greenwald believes this sometimes. When The New York Times ran an entirely appropriate and well reported profile of WikiLeaks founder Julian Assange — discussing his personality and his contentious leadership style — Greenwald railed against the newspaper, terming the reporters “Nixonian henchmen.”

Similarly, when Assange complained that journalists were violating his privacy by reporting the details of rape and molestation allegations against him in Sweden, Greenwald agreed, writing: “Simultaneously advocating government transparency and individual privacy isn’t hypocritical or inconsistent; it’s a key for basic liberty.”

With Manning, Greenwald adopts the polar opposite opinions. “Journalists should be about disclosing facts, not protecting anyone.” This dissonance in his views has only grown in the wake of reports that Manning might be offered a plea deal in exchange for testimony against Assange.

To be sure, there’s a legitimate argument to be made for publishing Manning’s chats. The key question (to us): At what point does everything Manning disclosed in confidence become fair game for reporting, no matter how unconnected to his leaking or the court-martial proceeding against him, and regardless of the harm he will suffer? That’s a debate we have had internally at Wired with every major development in the case.

It is not a question, however, that we’re inclined to put to popular referendum. And while we welcome the honest views of other journalists acting in good faith, we now doubt this describes Glenn Greenwald.

At his most reasonable, Greenwald impugns our motives, attacks the character of our staff and carefully selects his facts and sources to misrepresent the truth and generate outrage in his readership.

In his latest screed, “The Worsening Journalistic Disgrace at Wired,” he devotes 12 paragraphs to a misinformed argument centering on a Dec. 15 New York Times story about the possibility that the Justice Department might seek to charge Assange under federal conspiracy law.

The Times story quotes Lamo as saying that Manning described uploading his leaks to Assange via a dedicated file server, and that he communicated with Assange over encrypted chat. The story says those portions of the conversations aren’t included in the excerpts we published.

Based on that, Greenwald claims that Wired’s “concealment” of the chat logs “is actively blinding journalists and others who have been attempting to learn what Manning did and did not do.” (That’s one sentence. He goes on in that vein for quite a while.) But the Times story is incorrect, as we noted on Wired.com the day after it ran. The excerpts we published included passages referencing both the file server and the encrypted chat room.

Nonetheless, once the Times story — and our explanation — was over a week old, Greenwald sent Poulsen an e-mail inquiring about it, and giving him one day to respond to his questions. He sent that e-mail on Christmas Day.

When we didn’t meet the urgent Yuletide deadline he’d imposed on himself to publish a piece about a 10-day-old newspaper article, he wrote in his column that we “ignored the inquiries,” adding: “This is not the behavior of a journalist seeking to inform the public, but of someone eager, for whatever reasons, to hide the truth.”

Separately, the Times story repeated Lamo’s personal theory that Manning passed some information to WikiLeaks by physically handing off disks to friends at MIT. The paper does not claim that Lamo drew that conclusion from his chats with Manning. (Lamo says he got it from “a USG [U.S. government] source close to the case.”) We’ve heard and read that theory before, but have not reported it, for lack of evidence.

Though we didn’t report it ourselves, Greenwald argues that we have a duty to publicly refute the theory. In his world, our consideration, thus far, of Manning’s privacy leaves us with an obligation to chase down every story on Manning, correct any errors, and refute any reporting that we disagree with.

He is, again, wrong. Our obligation is to report the news accurately and fairly. We’re responsible only for what appears on Wired.com. And our record on WikiLeaks and Manning is unblemished.

–Evan Hansen, Editor-in-Chief

A Litany of Errors

On Monday, Salon.com columnist Glenn Greenwald unleashed a stunning attack on this publication, and me in particular, over our groundbreaking coverage of WikiLeaks and the ongoing prosecution of the man suspected of being the organization’s most important source. Greenwald’s piece is a breathtaking mix of sophistry, hypocrisy and journalistic laziness.

We took the high ground and ignored Greenwald and Salon the first time they pulled this nonsense. Now it’s time to set the record straight.

If you’re just tuning in, Wired.com was the first to report, last June, on the then-secret arrest of Pfc. Bradley Manning. I learned of the arrest from Adrian Lamo, a well-known former hacker on whom I reported extensively from 2000 to 2002. It was Lamo who turned Manning in to the Army and the FBI, after Manning — isolated and despondent — contacted him online and began confiding the most intimate details of his life, including, but by no means limited to, his relationship with WikiLeaks, and the vast databases he claimed to have provided them.

Co-writer Kim Zetter and I followed up the story four days later with a piece examining Manning’s motives. The Washington Post had just run a fine story about Manning’s state-of-mind: At the time of his discussions with Lamo, he’d been through a bad breakup and had other personal conflicts. But I felt — and still do feel — that it’s a mistake to automatically ascribe Manning’s actions to his feeling depressed. (For one thing, his breakup occurred after the leaking.) There’s an implicit political judgment in that conclusion: that leaking is an aberrant act, a symptom of a psychological disorder. Manning expressed clear and rational reasons for doing what he did, whether one agrees with those reasons or not.

So we went into the logs of the chats Manning held with Lamo — which Lamo had provided Wired and The Washington Post — and pieced together a picture of why Manning took his historic actions, based on his own words (“Suspected Wikileaks Source Described Crisis of Conscience Leading to Leaks”). As a sidebar to the article, we published excerpts from those chat logs.

We’ve had several more scoops since then, reporting new information on Manning’s history in the Army, and revealing the internal conflict his alleged disclosures triggered within WikiLeaks.

But those first stories in June either excerpted, quoted or reported on everything of consequence Manning had to say about his leaking. We’ve led the coverage on this story, and we would gain nothing by letting another scoop simmer unreported on our hard drives.

The debate, if it can be described as that, centers on the remainder of Manning’s conversations with Lamo. Greenwald argues that Wired.com has a journalistic obligation to publish the entirety of Manning’s communications. As with other things that Greenwald writes, the truth is the opposite. (See the statement above by Wired’s editor-in-chief.)

Greenwald’s incomplete understanding of basic journalistic standards was first displayed in his earlier piece on this subject, last June, titled “The Strange and Consequential Case of Bradley Manning, Adrian Lamo and WikiLeaks.” This is where he first claimed that Lamo and I have “long and strange history together.”

That “history” began in 2000, when, while reporting for the computer security news site SecurityFocus.com, I contacted Lamo to use him as an expert on security issues at AOL. I sought him out because he’d been quoted in a similar capacity in a Salon.com article the year before.

Later, Lamo began sharing with me the details of some of his hacking. Lamo was nearly unique among hackers of that period, in that he had no evident fear of discussing his unlawful access, regardless of the inevitable legal consequences. He cracked everyone from Microsoft to Yahoo, and from MCI to Excite@Home. And he freely discussed how he did it, and sometimes helped the victim companies close their security holes afterward.

This came at a time, prior to the passage of California’s SB1386, when companies had no legal obligation to reveal security breaches, and hackers, facing tough criminal sanctions, had a strong disincentive to reveal it themselves. Lamo’s transparency provided an invaluable window on the poor state of computer security.

Using little more than a web browser, he was able to gain sensitive information on critical infrastructure, and private data like Social Security numbers. He changed a news story on Yahoo — at the time the most-trafficked news source on the web — undetected. In the intrusion that finally resulted in his arrest, he cracked The New York Times intranet and added himself to the paper’s internal database of op-ed contributors.

Some people regarded him as a hacker hero — Kevin Spacey narrated a documentary about him. Others argued he was a villain. At his sentencing, Lamo’s prosecutors argued he was responsible for “a great deal of psychological injury” to his victims.

To Greenwald, all this makes Lamo “a low-level, inconsequential hacker.” This conclusion is critical to his thesis that Lamo and I have something more than a source-journalist relationship. Greenwald’s theory is that Lamo’s hacks were not newsworthy. But, this line of thought goes, in exchange for the chance to break the non-news of his intrusions, I reported them — getting Lamo attention among the readers of SecurityFocus.com.

What he fails to report is that those same breaches were also covered by the Associated Press, Reuters, Wired magazine (well before my tenure at Wired.com), cable news networks, every tech news outlet and several national newspapers, and that Lamo spoke freely to all of them.

So when he writes that I had “exclusive, inside information from Lamo,” he is wrong. And when he writes that Lamo had an “insatiable need for self-promotion and media attention, and for the past decade, it has been Poulsen who satisfies that need,” he’s ignoring the fact that my reporting for an obscure computer security news site constituted an almost inconceivably tiny portion of the coverage generated by Lamo’s hacks.

From that bit of sophistry, Greenwald descends into antics that shouldn’t pass muster at any serious news outlet. He bolsters his argument by quoting Jacob Appelbaum as an expert on Lamo. Appelbaum has “known Lamo for years,” he writes, and “Lamo’s ‘only concern’ has always been ‘getting publicity for Adrian.’”

Nowhere in the article does he disclose that Appelbaum — the only third-party source in the piece — is a key WikiLeaks activist: a man who’d shared hotel rooms with Julian Assange, and had already spoken publicly on behalf of the organization. Appelbaum’s key role in the organization has been a published fact since April.

After that glaring omission, Greenwald mischaracterizes my contacts with the companies Lamo hacked. In writing about Lamo’s New York Times hack, Greenwald claims: “When Lamo hacked into the NYT, it was Poulsen who notified the newspaper’s executives on Lamo’s behalf, and then wrote about it afterward.” In truth, I contacted a spokeswoman for the Times, notified her of the intrusion, gave her time to confirm it, and then quoted her in the article.

All of this — embellishment, failing to disclose his prime source’s true affiliation, selective reporting — would be enough to make Greenwald’s opinions on a matter of journalist ethics of little interest to Wired.com. In his new piece, he goes even further.

Nearly half of his article is devoted to a characteristically murky conspiracy theory involving a well-known cybercrime attorney and former Justice Department lawyer named Mark Rasch. Rasch is one of three people that Lamo sought for advice while looking to turn in Bradley Manning.

The blockbuster, stop-the-presses, “incontrovertibly true” disclosure with which Greenwald caps his piece? That Rasch once prosecuted me for hacking the phone company.

Based, apparently, on something he read on a website called GovSecInfo.com, Greenwald announces that “Rasch is also the person who prosecuted Kevin Poulsen back in the mid-1990s and put him in prison for more than three years.” (I served five, actually, and all but two months of it was in pretrial custody, held without bail.) He then attacks me for failing to report on this supposed link. “Just on journalistic grounds, this nondisclosure is extraordinary,” he claims.

“As Poulsen was writing about this Manning story all while working closely with Lamo as he served as FBI informant — and as Poulsen actively conceals the chat logs — wouldn’t you want to know that the person who played such a key role in Manning’s arrest was the same person who prosecuted Poulsen and regularly contributes to his magazine?”

The “regularly contributes to his magazine” part is apparently a reference to this single 2004 opinion piece in Wired magazine. As for the rest? Rasch, who worked for the Justice Department in Washington D.C., left government service in 1991. I had two prosecutors in my phone-hacking case: David Schindler in Los Angeles and Robert Crowe in San Jose, California.

Greenwald, a former law professor, could have learned this in a few seconds on Pacer, the federal court’s public records system. It would have set him back 16 cents, and his article would have been half as long.

There’s more to the conspiracy theory. Greenwald is troubled that, as he put it in his first article, “Despite being convicted of serious hacking felonies, Poulsen was allowed by the U.S. government to become a journalist covering the hacking world for Security Focus News.” He doesn’t cite what authority he believes the government should wield to strip convicted hackers of their First Amendment rights, but I suspect he wouldn’t want it used against Julian “Mendax” Assange, who pleaded guilty to 24 charges of hacking a year after my 1991 arrest.

I could go on — the daily, off-the-record conversations Greenwald had with Assange while penning at least one of his anti-Wired screeds; or the fact that he failed to disclose in the body of his first article that he was personally trying to secure a new attorney for Manning while writing the piece.

But by now it should be clear why we don’t seek Greenwald’s advice on a serious matter of journalistic ethics.

In any event, if you can’t make an argument without resorting to misstatements, attacking the motives of an experienced and dedicated team of reporters, name-calling, bizarre conspiracy theories and ad hominem attacks, then perhaps you don’t have an argument.

–Kevin Poulsen, Senior Editor


Breaking GSM With a $15 Phone (Plus Smarts)

BERLIN — Whatever assurances have been given about the security of GSM cellphone calls, forget about them now.

Use at your own risk.

Speaking at the Chaos Computer Club (CCC) Congress here today, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network sniffers, a laptop computer and a variety of open source software.

While such capabilities have long been available to law enforcement with the resources to buy a powerful network sniffing device for more than $50,000 (remember The Wire?), the pieced-together hack takes advantage of security flaws and short-cuts in the GSM network operators' technology and operations to put the power in the reach of almost any motivated tech-savvy programmer.

"GSM is insecure, the more so as more is known about GSM," said Security Research Labs researcher Karsten Nohl. "It's pretty much like computers on the Net in the 1990s, when people didn't understand security well."

Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM's 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.

Naturally this sounded like a challenge.

Walking the audience through each step of the process, Nohl and OsmocomBB project programmer Sylvain Munaut demonstrated how the way in which GSM networks exchange subscriber location data, in order to correctly route phone calls and SMSs, allows anyone to determine a subscriber's current location with a simple Internet query, to the level of city or general rural area.

Once a phone is narrowed down to a specific city, a potential attacker can drive through the area, sending the target phone silent or broken SMS messages that do not show up on the phone. By sniffing each base station's traffic, listening for the delivery of the message and the response of the target phone at the correct time, the location of the target phone can be more precisely identified.

To create a network sniffer, the researchers replaced the firmware of a simple Motorola GSM phone with their own alternative, which allowed them to retain the raw data received from the cell network and to examine more of the cellphone network space than a single phone ordinarily monitors. Upgrading the USB connection allowed this information to be sent in real time to a computer.

By sniffing the network while sending a target phone an SMS, they were able to determine precisely which random network ID number belonged to the target. This gave them the ability to identify which of the myriad streams of information they wanted to record from the network.

All that was left was decrypting the information. Not a trivial problem, but made possible by the way operator networks exchange system information with their phones.

As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty "Are you there?" messages. Empty space in these messages is filled with buffer bytes. Although a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard.

This allows the researchers to predict with a high degree of probability the plaintext content of these encrypted system messages. This, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session's encryption in about 20 seconds.

This is particularly useful, the researchers said, because many if not most GSM operators reuse these session keys for several successive communications, allowing a key extracted from a test SMS to be used again to record the next telephone call.

"There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest," Nohl said. "The other key is less well protected, because it only protects your private data."

The researchers demonstrated this process, using their software to sniff the headers being used by a phone, extract and crack a session encryption key, and then use this to decrypt and record a live GSM call between two phones in no more than a few minutes.

Much of this vulnerability could be relatively easily addressed, Nohl said. Operators could make sure that their network routing information was not so simply available through the Internet. They could implement the randomization of padding bytes in the system information exchange, making the encryption harder to break. They could certainly avoid recycling encryption keys between successive calls and SMSs.
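The padding problem described above, and the randomization fix Nohl recommends, as an added example in Python. It is not the researchers' code or any GSM tool: it uses a toy SHA-256 counter-mode keystream in place of A5/1 and assumes a 23-byte frame whose unused bytes are filled with the constant 0x2B; the frame length, fill value and session key are the example's own assumptions. It shows that an observer who knows the fill bytes recovers the keystream at those positions with a single XOR (the known plaintext that a rainbow-table search starts from), that random padding removes that foothold, and that once the session key is reused for the next frame, the recovered keystream decrypts the corresponding bytes of that frame with no key search at all.

```python
import hashlib
import os

FILL_BYTE = 0x2B   # fill octet this example assumes for unused bytes of a frame
FRAME_LEN = 23     # fixed frame length assumed by this example


def toy_keystream(session_key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode). It stands in for A5/1 only to
    show the XOR relationship between plaintext, keystream and ciphertext."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_frame(payload: bytes, randomize_padding: bool) -> bytes:
    """Pad a system-information payload to FRAME_LEN, either with the fixed
    fill octet (old behaviour) or with random bytes (the recommended fix)."""
    if len(payload) > FRAME_LEN:
        raise ValueError("payload longer than frame")
    pad_len = FRAME_LEN - len(payload)
    padding = os.urandom(pad_len) if randomize_padding else bytes([FILL_BYTE]) * pad_len
    return payload + padding


def encrypt_frame(session_key: bytes, frame: bytes) -> bytes:
    return xor_bytes(frame, toy_keystream(session_key, len(frame)))


def guess_keystream(ciphertext: bytes, payload_len: int) -> dict:
    """Passive observer: assumes every byte after the payload is FILL_BYTE and
    XORs that guess out of the ciphertext to obtain candidate keystream bytes."""
    return {i: ciphertext[i] ^ FILL_BYTE for i in range(payload_len, len(ciphertext))}


def fraction_correct(session_key: bytes, payload: bytes, randomize_padding: bool) -> float:
    """Share of guessed keystream bytes that are actually right."""
    frame = build_frame(payload, randomize_padding)
    keystream = toy_keystream(session_key, len(frame))
    guess = guess_keystream(encrypt_frame(session_key, frame), len(payload))
    hits = sum(1 for i, b in guess.items() if b == keystream[i])
    return hits / len(guess)


def decrypt_reused_positions(session_key: bytes, payload: bytes, next_frame: bytes) -> bytes:
    """Key reuse: keystream recovered from frame 1 (fixed padding) is applied to
    the same byte positions of frame 2, which was encrypted with the same key."""
    if len(next_frame) != FRAME_LEN:
        raise ValueError("next_frame must be exactly one frame long")
    guess = guess_keystream(encrypt_frame(session_key, build_frame(payload, False)), len(payload))
    ct2 = encrypt_frame(session_key, next_frame)
    return bytes(ct2[i] ^ guess[i] for i in sorted(guess))


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # constructed session key
    print("fixed padding, keystream bytes recovered:", fraction_correct(key, b"SYSINFO1", False))
    print("random padding, keystream bytes recovered:", fraction_correct(key, b"SYSINFO1", True))
```

With fixed padding every guessed keystream byte is correct; with random padding the guesses are right only by chance, which is the whole effect the newer standard was meant to have. The toy keystream restarts for every frame, which is what "reusing the session key" looks like from the air interface.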

Nor is it enough to imagine that modern phones, using 3G networks, are shielded from these problems. Many operators reserve much of their 3G bandwidth for Internet traffic, while shunting voice and SMS off to the older GSM network.

Nohl elicited a laugh from the audience of hackers when he called the reprogrammed network-sniffing phones "GSM debugging devices." But he was serious, he said.

"This is all a 20-year-old infrastructure, with lots of private data and not a lot of security," he said. "We want you to help phones go through the same kind of evolutionary steps that computers did in the 1990s."


Simplest Phones Open to SMS of Death

BERLIN, Germany — It’s a scene from an as-yet-unmade thriller: across a country, tens of thousands of cell phones all blink white at the same time, and turn themselves off. Calls are lost, phones are rendered useless, and the affected mobile operator is forced to pay a ransom or lose customers.

Once phones, now glowing bits of plastic.

It hasn’t happened yet. But speaking at the Chaos Computer Club Congress here, German researchers showed how vulnerabilities in some of the simplest, but most common, phones in the world could conceivably lead to just such a scenario.

Mobile phone security has been a growing concern due to the increasing popularity of smart phones, whose Web-browsing and app-running capabilities offer attackers opportunities similar to those offered by computers. Yet more than 85 percent of the world's cell phones remain so-called feature phones: simple devices with the ability to play MP3s or browse the Web, but without the power of the iPhone or Android-based handsets.

Vulnerabilities have been found in this type of phone before, but new open-source tools allowing individuals to set up their own private GSM networks have allowed researchers to find a host of bugs, ranging from pesky to serious, in many of the world's most common handsets.

“With the openness in the GSM on the network side, we can look at the closed stuff now,” said Collin Mulliner, a researcher at Berlin's Technical University. “And if we’re able to look at closed stuff, it usually breaks.”

Mulliner and colleague Nico Golde set up their own GSM network in their lab, allowing them to freely test the effects of sending SMS messages containing a variety of potentially damaging payloads.

The result was bugs, and plenty of them. Popular models of phones from Nokia (the S40 and related models, except for the very newest release), Sony Ericsson (w800 and several related models), LG (LG 320), Samsung (S5230 Star and S3250), Motorola (the RAZR, ROKR, and SVLR L7) and India’s Micromax (X114) all proved susceptible to what researchers termed an “SMS of death.”

The exact results differed for each phone. In the worst cases, including the Nokia and Sony Ericsson, the message would disconnect the phone and force it to reboot without registering the fact of the message’s receipt, in most cases forcing the operator’s network to continue sending the message and triggering the shut-down cycle again. Fixing the problem required putting the SIM card into a new, unsusceptible phone.

In the other cases, the payload-laden messages forced the phones’ interfaces to shut down, and disconnected the devices from the network. The researchers stressed that other phones likely had similar problems, but their research had focused on these common models.

At first glance, these problems appear to be relatively minor compared to the botnet or trojan susceptibilities of smartphones. But these simple attacks could cause serious problems, potentially for a single well-chosen target or, more disturbingly, if launched on a large scale.

This could be relatively easily done, Mulliner said. In Germany, for example, mobile phone number prefixes are associated with specific operators, allowing large-scale attacks to be mounted on a single operator’s customer base relatively easily. Bulk SMS messages tailored to attack specific common phones by the thousands could be sent using commercial SMS spam services, by activating botnets hiding on mobile phones, or even by an insider at a telephone company.

This kind of large-scale attack potential raises the possibility that a telco itself could be held hostage by an outsider threatening to flood its customers with reboots or even broken phones, researchers said.

Alternately, some police forces around the world rely on cell phones to communicate in areas where their two-way radios function poorly. An attack on a common model used by a police force could disrupt communications at a critical time.

The trouble is that these problems aren’t easy to fix. Inexpensive “feature phones” rarely if ever receive firmware updates today. But the potential for abuse of bugs that are becoming easier to find means this practice might have to change, the researchers said.

“Manufacturers need to find a way to do firmware updates, and make sure to advertise them,” Mulliner said.


Mozilla exposes 44,000 passwords

Mozilla inadvertently exposed the passwords of 44,000 inactive addons.mozilla.org accounts, but says there's nothing to worry about.

"On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server," Mozilla's director of infrastructure security Chris Lyon wrote in a posting on the Mozilla Security Blog late Monday night.

Although that exposure may seem a wee bit scary, Lyon notes that all the passwords were for inactive accounts, that Mozilla was able to account for every download of the database, that the password hashes were of the "older md5-based" variety, and that they have all now been deleted, effectively disabling those accounts.

"All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts" since April 9, 2009, Lyon said. "It is important to note that current addons.mozilla.org users and accounts are not at risk."
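The difference between the two storage schemes Lyon describes, as an added example in Python (not Mozilla's code, and not a description of how addons.mozilla.org actually stores records). The record layout, the 16-byte salt and the PBKDF2 variant added at the end are the example's own assumptions. It shows why an unsalted MD5 table leaks every account sharing a password while a per-user salt makes identical passwords produce different stored values, and it adds the caveat a practitioner would raise today: a salted SHA-512 still costs one fast hash per guess, so a deliberately slow, iterated construction is the stronger choice.

```python
import hashlib
import hmac
import os


def legacy_md5_hash(password: str) -> str:
    """The older scheme: unsalted MD5. Equal passwords give equal digests, so one
    precomputed table (or one cracked hash) covers every account using it."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_sha512_record(password: str, salt: bytes = None) -> str:
    """Per-user salt prepended to the password, stored as 'salthex$digesthex'
    (layout assumed by this example)."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt for every account
    digest = hashlib.sha512(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted_sha512(password: str, record: str) -> bool:
    salt_hex, expected = record.split("$", 1)
    actual = hashlib.sha512(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)   # constant-time comparison


def pbkdf2_record(password: str, salt: bytes = None, rounds: int = 200_000) -> str:
    """Salted and deliberately slow: PBKDF2-HMAC-SHA512 with an iteration count,
    so each guess is expensive as well as account-specific."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds).hex()
    return f"{rounds}${salt.hex()}${digest}"


def verify_pbkdf2(password: str, record: str) -> bool:
    rounds, salt_hex, expected = record.split("$", 2)
    actual = hashlib.pbkdf2_hmac(
        "sha512", password.encode("utf-8"), bytes.fromhex(salt_hex), int(rounds)
    ).hex()
    return hmac.compare_digest(actual, expected)


def compare_schemes(password: str) -> dict:
    """Two accounts with the same password: do their stored values collide?"""
    return {
        "md5_identical": legacy_md5_hash(password) == legacy_md5_hash(password),
        "salted_identical": salted_sha512_record(password) == salted_sha512_record(password),
    }


if __name__ == "__main__":
    print(compare_schemes("correct horse"))          # constructed password
    rec = pbkdf2_record("correct horse")
    print("pbkdf2 verify:", verify_pbkdf2("correct horse", rec))
```

The salt defeats a precomputed table only because it is different for every account and stored beside the digest; it does nothing against a guess-per-account attack, which is what the iteration count in the PBKDF2 variant is for.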

Mozilla informed all affected users of the slip-up by email, prompting one Larry Seltzer to add a comment to Lyon's post, saying: "I got the e-mail a while before this blog post or anything else about the matter was on the web. The e-mail looked legit, but..."

Ah, Mr. Seltzer, we know the feeling.

Apple slapped with iOS privacy lawsuit

Apple has been named in a class-action lawsuit alleging that the company allows iOS applications to provide advertisers with sensitive and supposedly private user information, according to Bloomberg Businessweek, which broke the story on Tuesday.

"Apple claims to review each application before offering it to users, purports to have implemented app privacy standards, and claims to have created 'strong privacy protections' for its customers," the complaint states. "However, Plaintiffs have discovered that some of these apps have been transmitting their personal, identifying information ('PII') to advertising networks without obtaining their consent."

The complaint goes on to allege that iOS devices' Unique Device Identifiers (UDIDs) are "being used by ad networks to track Plaintiff and the Class including what apps they download, how frequently they use the apps, and for how long."

In addition, the complaint alleges that "Some apps are also selling additional information to ad networks, including users' location, age, gender, income, ethnicity, sexual orientation and political views."

The suit was filed in the US District Court of the Northern District of California, San José Division, by Jonathan Lalo of Los Angeles County. In addition to Apple, it names Backflip (publisher of Paper Toss, named in the suit), Dictionary.Com, Pandora, and The Weather Channel as codefendants.

The complaint cites Pandora Radio as a privacy-violating app, saying that it "sends age, gender, location, and UDIDs to a variety of third-party ad networks," all "without the prior consent of users, in violation of Apple's app rules, and a variety of state and federal laws."

To bolster its case, the complaint specifically mentions a recent Wall Street Journal investigation, which fingered Pandora and others as UDID abusers.

As The Reg reported in October, the WSJ is not alone in pointing out iOS UDID flaws: vulnerabilities were also identified in a research paper by Eric Smith of Bucknell University in Pennsylvania, which compared the iOS UDID vulnerability to the Pentium 3's Processor Serial Number system that embarrassed Intel in 1999.

The WSJ investigation, however, appears to have provided a substantial impetus to Lalo's complaint, noting as it does that: "Both the Android and iPhone versions of Pandora, a popular music app, sent age, gender, location and phone identifiers to various ad networks. iPhone and Android versions of a game called Paper Toss (players try to throw paper wads into a trash can) each sent the phone's ID number to at least five ad companies."

According to the complaint, the laws violated by UDID abuse include the US Computer Fraud and Abuse Act and Electronic Communications Privacy Act, plus California's Unfair Competition Law and Consumer Legal Remedies Act.

Apple did not respond to our email and phone requests for comment, but it should be noted that the company's App Store Review Guidelines state that "Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."

Apple's iPhone Developer Program License Agreement is similarly stringent, instructing developers that:

You and the Application must comply with all applicable privacy and data collection laws and regulations with respect to any collection, transmission, maintenance, processing, use, etc. of the user's location data or personal information by the Application. In addition, the use of any personal information should be limited solely as necessary to provide services or functionality for Your Application (e.g., the use of collected personal information for telemarketing purposes is prohibited (unless expressly consented to by the user)). You and the Application must also take appropriate steps to protect any such location data or personal information from unauthorized disclosure or access.

From where we sit, it appears that either the WSJ investigation was wrong, Apple has been remiss in vetting apps from Pandora and others, or that there's a bit of sub rosa hanky-panky going on between Apple and some iOS developers when it comes to users' privacy.

One thing, however, is certain: The Reg will keep a close eye on case number 5:10-cv-05878-PSG, Lalo v. Apple, Inc et al. This dust-up is sure to become even more interesting.

Flaws Spotlighted in Tor Anonymity Network

Tuesday, December 28, 2010

BERLIN, Germany — The quest for true digital anonymity is as old as the Internet, but seems to remain as elusive as a spam-free world.

A popular CCC image protesting the German government's Net monitoring proposals.

At the Chaos Computer Club Congress here today, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.

The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network — a Wi-Fi network provider, or an ISP working at law enforcement (or a regime’s) request, for example — to gain a potentially good idea of sites an anonymous surfer is viewing.

“Developers have to be aware of this kind of attack, and develop countermeasures,” said Dominik Herrmann, a Regensburg Ph.D. student studying profiling and fingerprinting attacks. “But that proves to be very difficult.”

The research, performed by a variety of collaborators in Germany working on anonymity measures, represents a warning for privacy-conscious users wary of spying eyes, whether behind Net-unfriendly borders or simply corporate firewalls.

Tor is essentially an online mask, rather than a tool that hides the fact or content of communication itself. The project’s developers are addressing the problem of traffic analysis — essentially the threat that an attacker or observer might be able to tease out a person’s identity, location, profession, social network or other information about the message content by analyzing a message’s unencrypted headers.

To hide this information, the Tor system routes messages around a winding path of volunteer servers across the Net, with each relay point knowing only the address of the previous and next step in the pathway.

Once this circuit has been established, neither an eavesdropper nor a compromised relay will theoretically have the ability to determine both the source and destination of a given piece of communication. According to the Tor project’s latest metrics, the network has drawn between 100,000 and 300,000 users per day over the last several months.

Herrmann and his fellow researchers say there’s a partial flaw in this arrangement, however. A potential eavesdropper on the end user’s own network still has the ability to analyze the patterns of data being returned, and in many cases will be able to develop a reasonable guess about the source of the communication.

An attacker — perhaps an ISP instructed by law enforcement or a government to engage in such surveillance — would first have to develop a list of potential sites that the target might be visiting, or that it was interested in monitoring. It would then run the Tor system itself, testing the way these sites appeared when accessed through Tor, developing a database of “fingerprints” associated with the sites of interest.

Once the target of the surveillance went online, the eavesdropper would capture the packet stream as it crossed the local network, and compare the source data with its fingerprint database with the help of pattern recognition software. Any match would be only statistical, giving somewhere between 55 percent and 60 percent certainty, Herrmann said — not enough to provide hard evidence in court, but likely more certainty than many people seeking privacy might be comfortable with.

Different online destinations will carry different susceptibility to fingerprinting, of course. Unusual sites, with characteristics such as very heavy or large graphic use, can be more easily identified, Herrmann said. By the same token, the easiest way for a Web site to fool such an eavesdropper would be to make its site look as closely as possible like another popular site — mimicking the look of the Google site, for example, one of the most commonly accessed pages on the Web.

Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.
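The fingerprinting procedure described above, together with the fetch-several-pages-at-once countermeasure Herrmann mentions, as an added toy example in Python. It is not the Regensburg researchers' software. Three imaginary sites are constructed as packet-count templates; the eavesdropper loads each several times to build a fingerprint database, then classifies a newly observed trace by its nearest fingerprint, rejecting any match farther away than twice the training spread. Interleaving two page loads pushes the combined trace outside every site's limit, so the classifier returns no match. The size buckets, the site templates and the reject rule are the example's own assumptions, and a real classifier would use richer features than a size histogram.

```python
import random
from math import sqrt

# Inbound packet-size buckets in bytes; the boundaries are this example's assumption.
BUCKETS = ((0, 600), (600, 1200), (1200, 1600))
FEATURE_NAMES = ("in_small", "in_mid", "in_large", "out")

# Constructed site templates: (packets per page load, inbound bucket weights, outbound share).
SITE_TEMPLATES = {
    "news":   (120, (0.6, 0.3, 0.1), 0.10),
    "photos": (400, (0.1, 0.2, 0.7), 0.05),
    "search": (40,  (0.5, 0.5, 0.0), 0.50),
}


def simulate_trace(site, rng):
    """One constructed page load: a list of (direction, packet_size) pairs."""
    count, weights, out_ratio = SITE_TEMPLATES[site]
    trace = []
    for _ in range(count):
        if rng.random() < out_ratio:
            trace.append(("out", rng.randint(60, 200)))      # small requests
        else:
            lo, hi = rng.choices(BUCKETS, weights=weights)[0]
            trace.append(("in", rng.randint(lo, hi - 1)))
    return trace


def features(trace):
    """Count packets per (direction, size bucket); the eavesdropper never sees payloads."""
    vec = [0.0] * len(FEATURE_NAMES)
    for direction, size in trace:
        if direction == "out":
            vec[3] += 1
            continue
        for i, (lo, hi) in enumerate(BUCKETS):
            if lo <= size < hi:
                vec[i] += 1
    return vec


def distance(u, v):
    return sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def build_fingerprints(rng, samples=8):
    """Eavesdropper's preparation: load each site of interest several times and
    store the mean feature vector plus a reject limit of twice the training spread."""
    db = {}
    for site in SITE_TEMPLATES:
        vecs = [features(simulate_trace(site, rng)) for _ in range(samples)]
        mean = [sum(col) / samples for col in zip(*vecs)]
        spread = max(distance(v, mean) for v in vecs)
        db[site] = (mean, 2.0 * spread)
    return db


def classify(trace, db):
    """Nearest fingerprint, or None when the trace is too far from all of them."""
    vec = features(trace)
    site, (mean, limit) = min(db.items(), key=lambda kv: distance(vec, kv[1][0]))
    d = distance(vec, mean)
    return (site if d <= limit else None, d)


def interleave(trace_a, trace_b, rng):
    """Two pages fetched at once: the observer sees one shuffled packet stream."""
    merged = list(trace_a) + list(trace_b)
    rng.shuffle(merged)
    return merged


if __name__ == "__main__":
    rng = random.Random(2010)
    db = build_fingerprints(rng)
    print("single page :", classify(simulate_trace("news", rng), db))
    mixed = interleave(simulate_trace("news", rng), simulate_trace("photos", rng), rng)
    print("two at once :", classify(mixed, db))
```

The reject limit is what turns "nearest site" into a confidence statement: a lone page load lands well inside its own site's limit, while the merged stream is roughly one whole page load away from the nearest fingerprint and is reported as unknown. An eavesdropper could of course fingerprint pairs of sites too, which is why Herrmann calls the defence a way to make certainty difficult rather than impossible.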

The research may not dissuade many from using Tor, which remains one of the most promising approaches for individuals seeking to hide aspects of their identity or online activity. But it may well make them work harder.


A Four-Day Dive Into Stuxnet's Heart

Bruce Dang, the software engineer who led Microsoft's analysis of the Stuxnet worm.

BERLIN, Germany — It is a mark of the extreme oddity of the Stuxnet computer worm that Microsoft’s Windows vulnerability team learned of it first from an obscure Belarusian security company that even they had never heard of.

The sophisticated worm, which many computer experts believe was created as an attempt to specifically sabotage Iran’s nuclear power plant centrifuges, has written a new chapter in the history of computer security. Because it was written to affect specific Siemens components used at Iran’s facilities, some analysts have even speculated it may have been the work of a state, rather than of traditional underground virus-writers.

Much of the attention has focused on the worm’s origin and ultimate effects. But in a standing-room session at the Chaos Computer Club (CCC) Congress here today, Microsoft’s lead vulnerability analyst on the Stuxnet project offered a blow-by-blow account of the software company’s response to, and analysis of, the software’s multipronged attack on Windows vulnerabilities.

Much of the technical side (which flaws were attacked, and how they were fixed) is now well known. But the story offered unusual insight into the software company’s race to stay ahead of the security firms that were themselves seeking to peel back the worm’s layers of attacks, and the intense pressure put on the team of analysts.

“We knew a lot of other people were looking, and it’s important to us to know the details before other companies,” said Bruce Dang, the security software engineer in Microsoft’s Security Response Center who led the analysis. “(Management) is smart, they know it takes time, but they want results.”

The public Stuxnet story began when Belarusian firm VirusBlokAda first identified the Stuxnet code in June, and contacted Microsoft with a PDF showing the screenshot of the effects. Dang said his team was initially tempted to dismiss the report, thinking it a common and known problem, but a case was opened, and once a team began looking at the code, they realized it was something new.

The code that had been provided to the team was large, close to 1 MB of information, Dang said. A team of 20 to 30 people with expertise in various components of the Windows system was assembled and began quickly exchanging emails.

They traced the apparent problem to code that came from an infected USB stick. By exploiting a vulnerability in the Windows icon shortcut feature, or .LNK files, the worm gained the ability to execute commands on the infected computer, but only with the current user’s level of access.

Several fixes were proposed, and others in the company turned down those that would have contradicted messages already provided to outside developers. Dang said the urgency was nevertheless high, because the company was getting reports of considerable numbers of infection, and the vulnerability turned out to be extremely simple to use.

“A seven-year-old could exploit this. It’s bad news,” Dang said. “Of course it turned out that this vulnerability had been known for several years by some people, but no one told me.”

Case closed. They thought they were finished. But as Dang and another colleague began doing a bit of further analysis, they noticed that extra drivers were being installed on their test computers, both in Windows XP and Windows 7 environments. This was definitely not good, they thought.

Closer investigation showed that scheduled tasks were being added, and XML-based task files were being created and rewritten. Working with a colleague overseas, Dang discovered that the way Windows Vista and later operating systems stored and verified scheduled tasks contained a vulnerability that would give the attacking worm (which had already gained the ability to drop code with user-based access privileges) the ability to give itself far broader, and thus more dangerous, privileges on the infected computer.

In short, the two flaws working together allowed the worm to gain code execution privileges, and then to deepen those privileges to install a rootkit.

The team thought again about how to fix the problem, and settled on changing the way the Vista and Windows 7 task scheduler uses hash values to verify files. Once implemented, this would block the dangerous privilege escalation.

Finished, then? Not yet. Dang’s colleague noted that a particular DLL, or system file, was being loaded in a suspicious way. They looked harder, and saw it was happening differently in XP and Windows 7 systems. But they couldn’t figure this one out immediately.

Dang started going over the binary code line by line, but with over 1000 lines, he realized this tactic simply wasn’t going to be fast enough. Management was putting severe pressure on the team to get results, and they had no answers.

He took this one home. He stayed up brainstorming until the small hours of the night, but all his ideas came to nothing. He even tried just letting the exploit run, on the theory that most virus code isn’t perfect, and will ultimately cause a blue-screen system crash, exposing the problem in the crash logs. But no dice: this one ran perfectly 10 times in a row.

“I knew we were getting close,” he said. “I knew it was searching for something, but exactly what wasn’t clear to me.”

The next day, an old kernel debugger analysis trick finally paid off. The team identified a flaw in the way Windows XP systems are allowed to switch user keyboard layouts (from an English keyboard to a German configuration, for example). Once again, this allowed the worm to gain elevated privileges on the infected computer.

Smart, almost chillingly so, Dang said. The task scheduling attack previously identified worked only on Vista and later systems. The keyboard layout attack worked only on XP. Somebody somewhere had set their sights very broadly.

“We felt pretty good at that point,” he said. “How could there be more?”

But there was more. The team got word from the Kaspersky Lab security company that there was strange “remote procedure call” traffic being sent over a network, a kind of communication that allows one computer to trigger activity on another, such as printing from a remote device.

Dang and his team set up a mini-VPN, infected one computer, and went away. They came back to find their entire mini-network had been infected.

“I said, what the f***, this is really weird,” Dang said.

They brought Microsoft’s printer team in, and this time the problem proved simple to uncover. In five minutes they had traced the source: a print spooler flaw that allowed remote guest accounts to write executable files directly to disk. A terrible flaw, but luckily fixed quickly.

The flaw gave more insight into the attacker’s intentions: the configuration vulnerable to this flaw was very uncommon in normal corporations, but allowed widespread infection within a network that was configured in this way, Dang said.

From the perspective of Microsoft’s vulnerability team, the story essentially ends there. But Stuxnet has been in the wild for a year, and revelations continue as to the breadth of the infection, and the sophistication of its apparent attack on Iran’s nuclear centrifuges.

Dang says several things are clear from his reading of the code. It was written by at least several people, with the different components bearing the fingerprints of different authors. And the creators were careful to make sure that it ran perfectly, with high impact and 100 percent reliability, he said, a goal even commercial software developers often fail to meet.

The total time taken from discovery to the final fix was between three and four days, or about 40 Microsoft person-hours. But the effects of this sophisticated exploitation of unknown or “zero-day” Windows vulnerabilities will surely continue to resonate for months or even years to come.


Hackers Watch a World Collapsing Into Chaos

Flags wave outside the bcc Congress center, built in the early 1960s by one of socialist East Berlin's leading architects.

BERLIN, Germany — The world is falling slowly apart, and the hackers here want people to pay attention.

For the next four days, through Thursday of this week, the 27th annual Chaos Computer Club (CCC) Congress will be held in the frozen center of this city. An annual event designed to showcase members’ coding skills and creativity, it has traditionally been a focus for political activism centered on privacy and transparency of government information. This year is no different, but carries perhaps a growing sense of urgency and even responsibility.

With economies weakening and politicians sounding increasingly populist tones, with WikiLeaks revelations prompting defensive reactions from governments around the world, the organization is looking practically at how its community can survive, thrive, and even mitigate some of the problems of the coming years.

“It’s going to be a mess for a while,” said Dutch hacker Rop Gonggrijp, giving the event’s opening keynote speech to a standing-room crowd. “We are not called the Chaos Computer Club because we cause chaos. If anything much of our work has prevented chaos.”

Founded in 1981, the CCC is one of the largest and oldest groups of hackers in Europe, drawing its inspiration not from the popular vision of the computer underground but from the creative, semi-anarchic hacker ethic originally popularized in Steven Levy’s book Hackers.

As outlined on the group’s Web site (and put into practice at events like this week’s congress), this ethic’s commands are both simple and sweeping: All information should be free. Mistrust authority. Computers can be used to create art, beauty and help transform life for the better. Access to computers, and to information that shows how the world functions, should be limitless and complete.

Yet while issues of government transparency and data privacy have long been concerns of the CCC and its annual gathering, this year's meeting takes place against a background of unusual international attention to the topics, thanks to WikiLeaks' startlingly broad revelations of U.S. military and diplomatic secrets.

Indeed, WikiLeaks and the CCC have seen their paths wind closely together in recent years, although the two organizations are not formally affiliated. WikiLeaks founder Julian Assange spoke at the conference in late 2007, introducing the concept of his organization to attendees. According to recent published accounts, WikiLeaks' former German spokesman Daniel Domscheit-Berg (known until recently under the pseudonym Daniel Schmitt) met Assange at that time, joining the organization shortly afterward as a public face second in prominence only to Assange himself.

The pair appeared again at the CCC conferences in 2008 and 2009, but by mid-2010, as public attention to WikiLeaks was being galvanized by the release of classified U.S. government documents, Domscheit-Berg resigned from the group over concerns with Assange's leadership style. He is currently helping to create a separate organization called Openleaks, also concerned with helping whistleblowers publicize information, but built on a different organizational model.

Gonggrijp, this year’s keynote speaker, helped WikiLeaks earlier this year in releasing the video footage of the 2007 airstrike in Baghdad. The Wau Holland Foundation, a charitable foundation named after the CCC’s founder that according to its Web site is loosely connected with the Chaos Computer Club, has served as one of the primary conduits for donations to the WikiLeaks organization.

The WikiLeaks work has been a high point for many hackers, and may in future years be seen as a victory in a “new generation of struggle,” Gonggrijp said. But it will have less positive consequences for the hacking and privacy communities too.

“Whatever we think of it, the present anger will probably increase the pressure to curb Net freedoms,” he said.

Yet it would be a mistake to see the club solely through the lens of today’s WikiLeaks headlines. Over its near-30-year history, the CCC has played a steady role in Germany and across Europe in identifying security flaws in public or corporate computer services, and as a rallying point for privacy advocates and others concerned over growing levels of official information-gathering and control.

Two years ago, the group published what it alleged were the German interior minister's fingerprints in the club’s Die Datenschleuder magazine, allegedly retrieved from a water glass used by the politician at a speaking event. The fingerprints were printed on a transparent film that could be used to fool fingerprint readers, in protest of the increasing use of biometric data associated with documents such as passports.

The club was also a leading voice in the opposition to the use of unverifiable computerized voting machines in German elections, which were ultimately ruled unconstitutional by the country’s constitutional court. Members have played a leading role criticizing voting machines in other nations.

The 2010 congress lecture schedule draws broadly from this palette of interests. Speakers from around the world will address issues such as government surveillance, weaknesses in Internet anonymizing services, attacking mobile phones (smart or otherwise), the lunar X-prize, cryptography, privacy, creating open sea charts and marine mapping, using robotics to draw high-school students into hacking and engineering careers, and much more.

But at the event’s core, Gonggrijp said, are the efforts to solidify a community that has proven mature and responsible, to bring new people in, and ensure that the world doesn’t thoughtlessly give up its civil liberties in difficult times.

“We understand a small part of how chaos works,” Gonggrijp said. “As the world becomes more chaotic, we can help.”


Report Strengthens Suspicions That Stuxnet Sabotaged Iran's Nuclear Plant

A new report appears to add fuel to suspicions that the Stuxnet superworm was responsible for sabotaging centrifuges at a uranium-enrichment plant in Iran.

The report, released Thursday by the Institute for Science and International Security, or ISIS, indicates that commands in the Stuxnet code intended to increase the frequency of devices targeted by the malware exactly match several frequencies at which rotors in centrifuges at Iran’s Natanz enrichment plant are designed to operate optimally or are at risk of breaking down and flying apart.

The frequencies of the Natanz rotors were apparently not a secret and were disclosed to ISIS in mid-2008 — the earliest samples of Stuxnet code found so far date back to June 2009, a year after ISIS learned about the frequencies. They were disclosed to ISIS by “an official from a government that closely tracks Iran's centrifuge program.”

The unnamed government official told ISIS that the nominal frequency for the IR-1 centrifuges at Natanz was 1,064 Hz, but that Iran kept the actual frequency of the centrifuges lower to reduce breakage. According to another source, Iran often ran its centrifuges at 1,007 Hz.

The information would have been gold to someone looking to sabotage the centrifuges since, as ISIS notes, it provided both confirmation that Iran's centrifuges were prone to an unusual amount of breakage and that they were subject to breakage at a specific frequency of rotation.

Stuxnet was discovered last June by a Belarus security firm, which found samples of the code on computers belonging to an unnamed client in Iran. The sophisticated code was designed to sabotage specific components used with an industrial control system made by the German firm Siemens, but only if these components were installed in a particular configuration. The unique configuration Stuxnet seeks is believed to exist at Natanz and possibly other unknown nuclear facilities in Iran.

After German researcher Ralph Langner first posited that Stuxnet’s target was Iran’s nuclear power plant at Bushehr, Iranian President Mahmoud Ahmadinejad acknowledged that Stuxnet affected personal computers belonging to workers at the plant, but he maintained that the plant’s operations were not affected by the malware. However, Ahmadinejad announced in November that unspecified malicious software sent by western enemies had affected Iran's centrifuges at its Natanz plant and “succeeded in creating problems for a limited number of our centrifuges.” He did not mention Stuxnet by name.

It’s known that Iran decommissioned and replaced about a thousand IR-1 centrifuges at its Natanz plant between November 2009 and February 2010. It’s not known if this was due to Stuxnet or due to a manufacturing defect or some other cause, but the ISIS report increases plausibility that Stuxnet could have played a role in their demise.

According to an examination of Stuxnet by security firm Symantec, once the code infects a system, it searches for the presence of two kinds of frequency converters made by the Iranian firm Fararo Paya and the Finnish company Vacon, making it clear that the code has a precise target in its sights. Once it finds itself on the targeted system, depending on how many frequency converters from each company are present on that system, Stuxnet undertakes two courses of action to alter the speed of rotors being controlled by the converters. In one of these courses of action, Stuxnet begins with a nominal frequency of 1,064 Hz — which matches the known nominal frequency at Natanz but is above the 1,007 Hz at which Natanz is said to operate — then reduces the frequency for a short while before returning it to 1,064 Hz.

In another attack sequence, Stuxnet instructs the speed to increase to 1,410 Hz, which is “very close to the maximum speed the spinning aluminum IR-1 rotor can withstand mechanically,” according to the ISIS report, which was written by ISIS president David Albright and colleagues.

“The rotor tube of the IR-1 centrifuge is made from high-strength aluminum and has a maximum tangential speed of about 440-450 meters per second, or 1,400-1,432 Hz, respectively,” according to ISIS. “As a result, if the frequency of the rotor increased to 1,410 Hz, the rotor would likely fly apart when the tangential speed of the rotor reached that level.”

ISIS doesn’t say how long the frequency needs to be at 1,410 Hz before the rotor reaches the tangential speed at which it would break apart, but within 15 minutes after instructing the frequency to increase, Stuxnet returns the frequency to its nominal 1,064 Hz level. Nothing else happens for 27 days, at which point a second attack sequence kicks in that reduces the frequency to 2 Hz, which lasts for 50 minutes before the frequency is restored to 1,064 Hz. Another 27 days pass, and the first attack sequence launches again, increasing the frequency to 1,410 Hz, followed 27 days later by a reduction to 2 Hz.

Stuxnet disguises all of this activity by sending commands to shut off warning and safety controls that would normally alert plant operators to the frequency changes.

ISIS notes that the Stuxnet commands don’t guarantee destruction of centrifuges. The length of the frequency changes may be designed simply to disrupt operations at the plant without breaking rotors outright, and the plant could conceivably have secondary control systems in place to protect centrifuges and that are not affected by Stuxnet’s malicious commands.
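The ISIS figures quoted above (440-450 m/s tangential speed corresponding to 1,400-1,432 Hz) and the described timeline (1,410 Hz for 15 minutes, 27 days of normal operation, 2 Hz for 50 minutes, repeat) can be tied together with one standard relation, tangential speed = 2·π·radius·frequency. The following Python is an added example, not code from the article or the ISIS report. It back-solves the rotor radius implied by the report's speed/frequency pairs, evaluates each commanded frequency in the timeline against the mechanical limit, and implements the kind of independent setpoint plausibility check the report alludes to when it mentions secondary control systems that Stuxnet's commands do not reach. The 900-1,100 Hz plausibility band is a hypothetical value chosen for the example; the timeline is constructed from the article's description, and the physical relation assumes a rigid rotor.

```python
import math

# Values from the ISIS report as quoted in the article.
NOMINAL_HZ = 1064                    # nominal IR-1 rotor frequency at Natanz
OPERATING_HZ = 1007                  # frequency Iran reportedly ran in practice
MAX_TANGENTIAL_MPS = (440.0, 450.0)  # mechanical limit of the aluminum rotor, m/s
MAX_HZ = (1400, 1432)                # the same limit expressed as rotor frequency


def rotor_radius_m(tangential_mps: float, freq_hz: float) -> float:
    """Solve v = 2*pi*r*f for r (assumes a rigid rotor; the article gives
    only the (v, f) pairs, so the radius is an inference, not a quoted value)."""
    return tangential_mps / (2 * math.pi * freq_hz)


def tangential_speed_mps(freq_hz: float, radius_m: float) -> float:
    """Tangential speed of the rotor wall at a given rotation frequency."""
    return 2 * math.pi * radius_m * freq_hz


# Radius implied by the quoted limit; both ends of the range agree to ~0.1 mm.
ROTOR_RADIUS_M = rotor_radius_m(MAX_TANGENTIAL_MPS[0], MAX_HZ[0])

# Constructed timeline of commanded setpoints as the article describes them:
# (elapsed minutes, commanded frequency in Hz).
DAY = 24 * 60
STUXNET_SEQUENCE = [
    (0, 1410),                                 # spin-up sequence starts
    (15, NOMINAL_HZ),                          # back to nominal after 15 minutes
    (15 + 27 * DAY, 2),                        # 27 days later: slow to 2 Hz
    (15 + 27 * DAY + 50, NOMINAL_HZ),          # restored after 50 minutes
    (15 + 27 * DAY + 50 + 27 * DAY, 1410),     # another 27 days: spin-up again
]

# Hypothetical plausibility band an independent monitor would enforce on the
# drive's commanded frequency; it brackets both quoted normal values.
SAFE_BAND_HZ = (900, 1100)


def check_setpoints(sequence, band=SAFE_BAND_HZ, radius_m=ROTOR_RADIUS_M):
    """Independent plausibility check on commanded setpoints.

    Flags every setpoint outside the band and reports the tangential speed it
    implies and whether that exceeds the rotor's material limit. Because it
    reads the commanded value rather than the drive's own alarm outputs, it is
    unaffected by a controller that has had its warnings switched off."""
    alerts = []
    for t_min, hz in sequence:
        if band[0] <= hz <= band[1]:
            continue  # within the expected operating window; nothing to report
        v = tangential_speed_mps(hz, radius_m)
        alerts.append({
            "t_min": t_min,
            "hz": hz,
            "tangential_mps": round(v, 1),
            "exceeds_material_limit": v >= MAX_TANGENTIAL_MPS[0],
        })
    return alerts


if __name__ == "__main__":
    print(f"implied rotor radius: {ROTOR_RADIUS_M * 1000:.1f} mm")
    for f in (OPERATING_HZ, NOMINAL_HZ, 1410, 2):
        print(f"{f:5d} Hz -> {tangential_speed_mps(f, ROTOR_RADIUS_M):6.1f} m/s")
    for a in check_setpoints(STUXNET_SEQUENCE):
        print("ALERT", a)
```

Running it shows why the 1,410 Hz step matters: with the ~50 mm radius implied by the report's own numbers, 1,410 Hz puts the rotor wall at roughly 443 m/s, inside the 440-450 m/s failure range, while 1,064 Hz and 1,007 Hz sit far below it and the 2 Hz step is a near-stop. The monitor raises an alert for the two out-of-band excursions in each cycle and stays silent for the 27-day stretches at nominal speed, which is the behaviour a secondary safeguard independent of the compromised controller would need.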

There are still a lot of unanswered questions about both Stuxnet and the Natanz facility.

ISIS notes that it could not confirm the brand of frequency converters used at Natanz in order to determine if they are the ones that Stuxnet targets. Iran is known to have obtained frequency converters from a variety of suppliers, including ones in Germany and in Turkey. The New York Times reported in January that a foreign intelligence operation had aimed at sabotaging individual power units that Iran bought in Turkey for its centrifuge program. The ISIS authors say these “power units” are believed to have been frequency converters Iran obtained from Turkey.

If Stuxnet was indeed aimed at Natanz, and if its goal was to quickly destroy all of the centrifuges at Natanz, ISIS notes that it failed at this task.

“But if the goal was to destroy a more-limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily,” according to the report.

The authors close their report with a warning to governments that using tools like Stuxnet “could open the door to future national security risks or adversely and unintentionally affect U.S. allies.”

“Countries hostile to the United States may feel justified in launching their own attacks against U.S. facilities, perhaps even using a modified Stuxnet code,” they write. “Such an attack could shut down large portions of national power grids or other critical infrastructure using malware designed to target critical components inside a major system, causing a national emergency.”

Photo: A security man stands next to an anti-aircraft gun as he scans Iran’s nuclear enrichment facility in Natanz, 300 kilometers [186 miles] south of Tehran, Iran, in April 2007.
Hasan Sarbakhshian/AP

See also:

  • Iran: Computer Malware Sabotaged Uranium Centrifuges
  • Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage
  • Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target
  • SCADA System’s Hard-Coded Password Circulated Online for Years
