Tuesday, June 26, 2012

Counterfeit parts... admin admin... Code name: "Olympic Games"... Stuxnet, Duku & Flame -- oh my!


Dear Readers,

If you think your computer MIGHT be vulnerable to hackers.... you're probably right.

Almost every week these days, I get an email from someone's infected computer, asking me to open an attachment. It was a local reporter's system last week. Maybe it will be yours next. Maybe it will be mine.

Major corporations are hacked with frightening regularity. Passwords and identities are stolen, credit card numbers are distributed. Lives are disrupted. It happens all the time.

Computer security software is notoriously difficult to install and maintain.

The #1 vulnerability?

Users who never even change the default passwords! (Usually username: admin, password: admin)

Vulnerable PCs and careless users transmitted the Stuxnet centrifuge controller virus from computer to computer until it quietly found its mark: The uranium processing facility in Natanz, Iran.

Once there, Stuxnet masked the damage it was doing by first intercepting the safety control signals prior to doing any damage, and then mimicking those signals as it tore the place apart, operating on multiple centrifuges at once. Stuxnet was able to destroy about 10% of Iran's enrichment facilities before anyone realized there was a software problem.

Last Sunday, Stuxnet reportedly shut itself down, following pre-programmed code. How nice. But don't rest too easy: Support programs to Stuxnet, known as "Duku" and "Flame" are still out there... and tomorrow there will be more... and counter attacks are surely coming, as well. Our troubles have just begun...

Stuxnet, launched in 2010, is currently considered the "state of the art" in computer virus programs, even called "rocket science" by the experts who analyzed it and figured out what it was designed to attack. Stuxnet's origins remain unknown, but all roads lead to... home. My country. The U.S.A..

Stuxnet and its delivery systems appear to be the "Manhattan Project" of the past decade, the result of a project inappropriately code-named "Olympic Games" (inappropriate, because the Olympic Committee tries very hard not to lose its trademarks and copyrights).

The equivalent of the Manhattan Project's "Smyth Report" (published in late August, 1945), the public revealing of the Olympic Games project, has not happened yet -- presumably because the "games" have only just begun. In fact, we're still in the qualifying events, and no one has qualified. Stuxnet was only of limited success.

So maybe, just maybe, your computer has been violated? Millions of conscientious, hard-working, diligent computer user's systems have been infected at one time or another. But even if your computer system has never been hacked, there's still a very good chance that many of the parts in it are substandard: In fact, chances are nearly 100% that SOMETHING in your computer is counterfeit.

Counterfeit parts account for an estimated $7.5 billion dollars in annual lost revenue in America, representing 11,000 jobs. Bogus transistors, diodes, capacitors, resistors, power supplies, relays, and other parts have turned up in U.S. military systems despite being accompanied by all the required "Certificates of Compliance" and all the other paperwork being in order -- including the labels on the actual parts!

A recent Senate Committee report concluded that the Department of Defense doesn't even know how large the problem is, but it surely involves millions of counterfeit parts that are now in service in the U. S. military. An accidental nuclear war is made more likely by this problem.

But they are not alone. Aerospace has also been targeted by the counterfeiters, specifically because, like "mil spec" parts, aerospace parts cost much more than normal parts do. No one wants a 5 cent resister ruining a $100 million dollar rocket launch, so a 2 dollar resister is used instead. But it might really be a 5 cent piece of junk!

Slap on a stolen hologram sticker, and it becomes very hard to tell where a part really came from.

But that's not all. "Diligent" manufacturers go astray, too. Deadlines cause line managers to order workers to skip "required" tests, for instance. This has been documented at "reputable" corporations.

And how about our nuclear reactors?

They buy the same sorts of parts our military and aerospace industries purchase.

Their computer systems and controllers are just as vulnerable to a "Stuxnet" type of virus attack as anyone else's, because those computers and their security systems are operated by humans, and humans make mistakes.

Not only are our nuclear reactors vulnerable to attack, but so are our transmission systems -- and the "smarter" the grid gets -- that is, the more computerized its controls become so they can switch between energy sources and keep the lights on -- the MORE vulnerable it will be to a sophisticated hack attack.

We have only seen the very first salvos in the coming Internet-Based Global War. It's no game, though. The stakes are very high and the players are very good at it already.

It's hard to be perfect, we're only human -- but we're battling against relentless, automated attackers. Wish us luck.

Oh and, we might lose to Mother Nature anyway. One well-aimed solar flare in our direction can do more damage than a billion Stuxnets.


Ace Hoffman
Carlsbad, CA

The author has more than 30 years' experience as a computer programmer, including writing assembly language control software for concert-sized laser servos and x-y plotters. His award-winning educational software has been run on computers in thousands of universities all over the globe. His programs have also been used for military training, as well as by numerous industries. He has lectured to grant recipients of the National Science Foundation on the use of interactive computer animation in schools, and to over 100 computer user groups. Previous employment includes working as a computer programmer for banks, Fortune 500s and small start-ups.


Ace Hoffman
Author, The Code Killers:
An Expose of the Nuclear Industry
Free download: acehoffman.org
Blog: acehoffman.blogspot.com
YouTube: youtube.com/user/AceHoffman
Carlsbad, CA
Email: ace [at] acehoffman.org


No comments:

Post a Comment

Comments should be in good taste and include the commentator's full name and affiliation.