GregW • July 13, 2011 7:04 AM
Kapersky’s comments reminded me… what’s the best anti-virus/security writeup on what actually happened in that August 2003 power outage?
I remember talk about a virus/worm connection at the time (to MS Blaster), but very few specifics on the technical details involved that would have led to that conclusion, and it seemed fairly up in the air whether viruses were involved or not. Do we know any more now than we did 8 years ago about that incident?
Searching anew, Bruce’s old writeup at http://www.schneier.com/crypto-gram-0312.html#1 is about as good as I’ve seen, but I wonder if there are updates since then. For example, the reports Bruce cites contain statements like “Further SWG analysis will test this finding [that no viruses/worms were involved].” Were those analyses ever released?
Chasmosaur • July 13, 2011 7:14 AM
Thanks for the link. I’ve read some other interviews with Kaspersky, and I find him interesting as well. I also loved the part at the end about his son – glad he came back okay, but I found it ironic the son of a security expert actually put his personal info on Facebook.
Hwood • July 13, 2011 7:58 AM
What does Bruce think of the ‘half of die hard 4 is realistic’ comment? Movie plot threat, literally?
I would think that the cyber threats in the movie are about as realistic as taking down a helicopter by jumping a car into it.
acorn • July 13, 2011 8:34 AM
Evgeny: How can consumers determine objectively which anti-virus software is the best apart from marketing hype and personal testimonials, and why does anti-virus software prohibit installation of more than one anti-virus software product at a time? I would like to run both Kaspersky and Mcafee but Kaspersky removes Mcafee upon install treating it as a virus.
GregW • July 13, 2011 9:02 AM
@Clive + @RSH + @NickP:
FYI, just posted a late comment/reply on 3-way voting on the hardware chip security thread: http://www.schneier.com/blog/archives/2011/07/research_in_sec.html#c561061
Michael Toecker • July 13, 2011 10:52 AM
Whoa. What about this:
FTA: “Kaspersky: Do you remember the total power outage in large parts of North America in August 2003? Today, I’m pretty sure that a virus triggered that catastrophe. And that was eight years ago.”
The idea that the 2003 Blackout was a cyber attack has been brought up many times, but the full investigation by the Blackout Commission was thorough and detailed. It was a confluence of events that included a race condition that stopped the primary and backup EMS alarm processor and state estimator.
Read for yourself at https://reports.energy.gov/.
GregW • July 13, 2011 12:45 PM
Thanks Michael. It does look like you linked to a final version of the report from April 2004 while Bruce’s post was in Dec 2003 on a draft of the report.
Personally, I am dubious whether the report really attempted to address specifically whether Blaster was involved. The report is ambiguous enough on this that I don’t find it compelling on this point.
First, the report says that SWG was put together to determine if there was a “malicious cyber event” defined as “for the purpose of deliberately disrupting the systems that control and support the generation and delivery of electric power.” (p132). Would the Blaster worm targetted at the general public count as malicious by that definition, if the power network was only a collateral target? No.
So the scope of the investigation done explicitly excluded investigation of whether a generic worm run amok contributed.
Secondarily to that, the description of the actual investigation done doesn’t seem particularly targetted at examining this possibility:
“After analyzing information already obtained from stakeholder interviews, telephone transcripts, law enforcement and intelligence information, and other ESWG working documents, the
SWG determined that it was not necessary to analyze other sources of data on the cyber operations of those such as log data from routers, intrusion detection systems, firewalls, EMS, change management logs, and physical security materials.” (p133)
Based on testimony and second-hand documentation, a forensic computer investigation wasn’t attempted for that report; do I have that right?
Third, the cyber team allegedly examined whether the networks were “maliciously used” (p133) to cause or contribute to the outage… but as per my first point, what if the usage was not malicious ie purposefully-driven as per the earlier definition? What if it was just a drive-by virus/worm inflicting collateral damage? Did they investigate that? Who knows? Not clear.
Fourth, and what sort of examination/analysis did the “Cyber Analysis” team actually do? It sounds like what is investigated is not raw data but some sort of report from DHS (?):
“Specifically, the SWG reviewed materials created on behalf of DHS’s National Communication System (NCS). These materials covered the analysis and conclusions of their Internet Protocol (IP) modeling correlation study of Blaster (a malicious Internet worm first noticed on August 11, 2003) and the power outage. This NCS analysis supports the SWG’s finding that viruses and worms prevalent across the Internet at the time of the outage did not have any significant impact on power generation and delivery systems. The team also conducted interviews with vendors to identify known system flaws and vulnerabilities.”
(Not only is that sort of research second hand at best, it is dependent on the assumptions behind the modeling and correlations, right? Are those any good? Maybe… who knows? I have no idea.)
Fifth, I also don’t see that the report addresses Bruce’s specific concerns raised in that link of his in December.
You mentioned the race condition on the MISO state estimator (p48 of the report), and the following section describes a series of failures which, as far as I can tell from reading and contrary to your implication, are not in any way tied to the MISO failures and whose root/proximate cause is not addressed or determined: “FE’s control room operators lost the alarm function that provided audible and visual indications when a significant piece of equipment changed from an acceptable to a problematic condition. Shortly thereafter, the EMS system lost a number of its remote control consoles. Next it lost the primary server computer that was hosting the alarm function, and then the backup server such that all functions that were being supported on these servers were stopped at 14:54 EDT. However, for over an hour no one in FE’s control room grasped that their computer systems were not operating properly, even though FE’s Information Technology support staff knew of the problems and were working to solve them,…” (p51)
Those are the same issues Bruce raised in his earlier newsletter which I linked above and to my eyes they have not been addressed. If there is a page of the report that addresses them, please feel free to point out what I’m missing.
So those are the reasons why that 100+ page report in my view largely glosses over whether a virus/worm (non-malicious according to the appropriately crafted definition) caused or contributed towards the blackout.
The report is very vague where it needs to be very clear. To avoid outright lies (and the consequences of being caught in them), vagueness is often used to cloak what really happened– I’ve been on both sides of that, sad to say. Is this vagueness in this final official report incompetence or malice/coverup? I don’t know. (If it’s my stupidity, you’re welcome to tell me.) But it’s far from clear to me that Blaster wasn’t involved in that outage.
Hmm, I don’t really remember Estonian “banking system, trade, transportation” grinding to a halt after that Bronze Soldier incident. He3 also fails to mention that: (i) 99% of software is full of bug; and (ii) 95% of people are idiots.
As for KAV/KSS it is just to popular (in Russia) — virus writes tend to consider its weak points.
“(ii) 95% of people are idiots”
sheesh if that many are idiots then idiocy should be viewed as normal. Ergo the 95% would by definition contain all the normal people.
Speechless • July 13, 2011 3:46 PM
“Kaspersky: Half of the film is Hollywood fiction, but the other half is quite realistic. That really worries me.”
“Kaspersky: Do you remember the total power outage in large parts of North America in August 2003? Today, I’m pretty sure that a virus triggered that catastrophe. And that was eight years ago.”
This guy is definitely high, drunk and needing psychiatric help ASAP.
Also his own website got owned the last year(…) EPIC.
This “clown” can not be taken seriously
Nick P • July 13, 2011 4:30 PM
“I would think that the cyber threats in the movie are about as realistic as taking down a helicopter by jumping a car into it.”
I agree. Comments like these make me question Kaspersky’s credibility as far as opinions on public events. Very little of the movie was realistic at all. The only thing I got from it was subverting a PC to explode upon a certain key sequence. That requires the obvious: bomb and electronic detonator in the PC. I tried to make a design for the rest: a rootkit installed via physical or digital compromise; keyboard driver modified to send signal upon certain key sequence; signal contains a unique pattern to prevent accidents; detonator connected to PCI bus & receives the signal that way; possibly powered by the PC’s own power supply.
I also added detonate upon opening case for situations where the modifications led to a weird event that caused the user to look at the hardware. This also made me think it’s easier to just use opening the case for detonation & make the software send up bogus hardware errors to get the target to open the case. Much simpler than detecting certain keystrokes, interfacing to the PC, etc. Hardware errors could pop up as soon as screen lock password was entered. As for the rest of Die Hard 4, it was so dumb that it got the movie in a Cracked.com article:
5 things hollywood thinks computers can do
My favorite is their claim about Jeff Goldblum, in Independence Day, hacking the alient spaceships with a Mac.
“Why it’s ridiculous: This is difficult to wrap our minds around. The aliens in Independence Day were not only thousands of years ahead of us technologically, but also were an entirely different species. Therefore, Goldblum’s feat was the equivalent of colony of baboons in the Congo hacking into CitiBank using tree bark and clumps of their own feces.”
BF Skinner • July 13, 2011 5:23 PM
Offtopic “Rep. Jason Chaffetz, R-Utah …reprimanding the TSA for doing more to appear secure than actually be secure.
“A lot of what we have been participating in here, in my opinion, has been security theater,” Chaffetz said, “and has not truly done the job to secure the airports to the degree we need to.”
Should have Trademarked that phrase Bruce.
Daniel • July 13, 2011 6:39 PM
Speigel is not a technical journal; it’s an entertainment website (“newspaper”) so I don’t think it’s fair to blame Kapersky for comments suited to that particular market demographic.
I too found some of his comments a little far-fetched but I do think there is some validity to his insinuation that perhaps the Internet has caused human beings to clomp together too much too fast. That /could/ lead to a war zone. We shall see.
winter • July 13, 2011 7:52 PM
Would you think anyone would officially blame the outage on Windows?
Because, if it was caused by that worm, it shows you should not use Windows for critical infrastructure. Or for uranium enrichment plants.
What politician would like such an outcome?
Richard Steven Hack • July 13, 2011 10:08 PM
My favorite part of the interview:
“In the Soviet days, we used to joke that an optimist learns English because he is hoping that the country will open up, that a pessimist learns Chinese because he’s afraid that the Chinese will conquer us, and that the realist learns to use a Kalashnikov. These days, the optimist learns Chinese, the pessimist learns Arabic…
SPIEGEL: …and the realist?
Kaspersky: …keeps practicing with his Kalashnikov. Seriously.”
As for KAV itself, I had it installed on one of my client’s systems for about a year or so. It is one of the top detectors, of course. It’s management console for business is comprehensive but rather complicated to use.
The real problem is it consumes PC resources, especially on older PCs which my client has so the staff tended to turn it off when doing production work that needed more speed from the machines. Most of the machines this client has don’t go to the Internet at all or rarely, so I would just restart it whenever I noticed if off so it would continue updating itself. Only on one machine that did receive customer email did I constantly remind the staff not to turn it off because it was too dangerous – they didn’t always listen.
The second real problem was it’s abysmal ability to update itself. It constantly reported errors with its “blacklist” file (that contains lists of KAV serial numbers which are cracked) and frequently took fifteen minutes or more to update its signature files – which is just ridiculous and which slowed the machine badly. When I had Spyware Terminator antispyware on the client’s machines, the two together would lock the machine up totally for up to half an hour!
I eventually dumped it for Avast. Avast’s management client is less comprehensive, equally confusing but more or less adequate. The staff are less likely to turn it off as a result. And it’s a pretty good detector of both viruses and spyware. It’s not great, but it’s less of an annoyance than KAV.
Actually I do not think Kaspersky is that different from some people commenting here on this blog. He just has a lot of thoughts that Spiegel gave him a chance to air those out. Sort of like some people commenting a lot here (certainly not me, of course, but everyone else haha)
Or who knows he could well be someone commenting here on this blog;-P
Richard Steven Hack • July 13, 2011 10:20 PM
Acorn: “How can consumers determine objectively which anti-virus software is the best apart from marketing hype and personal testimonials”
First, you Google for the reviews. Secondly, you read the forums of the companies and see what sort of complaints are being made – and you’ll see plenty because ALL these products have issues. Third, for AV products there are independent testing organizations that test for the ability to detect malware, as well as usability. These tests aren’t the only measure of suitability but they’re the only ones we have to go by. Finally, you just have to test the best candidates out and discover by experience which ones fit your hardware and tolerance for screwups.
“why does anti-virus software prohibit installation of more than one anti-virus software product at a time”
These products bury themselves deep in the OS in order to protect the system. It’s just too hard to do that and take into account some other product doing the same thing. Also, of course there are competitive pressures not to tolerate any other AV product.
That said, there are products – mostly antispyware products – that advertise their ability to co-exist with the main AV products. Products like ThreatFire 3 which I usually install on a home user’s machine along with Avast and another on-demand antispyware like Superantispyware or Malwarebytes Antimalware. Most of the antispyware products tend to be capable of working with antivirus products but not always. I had major problems on one client with Spyware Terminator and Kaspersky interfering with each other enough to lock the machines up. Again, testing is the only way to be sure.
Generally, what I recommend to home users at this point is the three products I mention above, plus only using the Firefox browser with NoScript and AdBlock extensions installed.
If you then follow some common sense about what sites you visit and what you allow to run from those sites and what you click on, and keep Windows patched, you’re generally more or less as safe as you can be.
Which isn’t the same as actually being “safe”.
Richard Steven Hack • July 13, 2011 10:22 PM
Al: “if that many are idiots then idiocy should be viewed as normal. Ergo the 95% would by definition contain all the normal people.”
By George, I think he’s got it!
Richard Steven Hack • July 13, 2011 10:45 PM
Nick P: “The only thing I got from it was subverting a PC to explode upon a certain key sequence…”
“a rootkit installed via physical or digital compromise;”
Not hard – by definition since they stuck a load of C-4 (and enough to blow the whole building, not just the target) it would be physical compromise.
“keyboard driver modified to send signal upon certain key sequence”
Since they’ve physically compromised the building and the PC, presumably a keylogger was implanted inside the keyboard. That would be easy.
“signal contains a unique pattern to prevent accidents”
Ah, but remember the assassins sent a virus TO the machine from a laptop in their van just prior to detonation. This means it was really command detonated by the guys in the truck by the process of sending the virus to the machine. So there was little chance of accidents since presumably the virus had to be present for the keylogger to trigger the bomb.
A “binary bomb”, as it were, requiring both the keylogger and the virus. Or maybe the virus acted as the keylogger, interpreting any keystroke as the signal to trigger the bomb – but only when the virus was present.
It still makes no sense, of course. It made more sense when Farrell’s bomb didn’t go off that they just went up and tried to shoot him. I mean, once the plan was in effect, who cares if someone figured out which hackers were involved? They ALREADY killed off enough hackers to raise a red flag at FBI, so who cares how it was done? Just shoot the guy in his house. That would be better than blowing the place up since it might be some time before the body was found.
Really, the only guy of importance was Farrell anyway, because it was his algorithm that controlled access to the actual target of the plan, the funds repository at Woodlawn. The rest of it was just smoke and mirrors, so the other hackers involved in that part of it were irrelevant. They could have left all of them alive except Farrell. They could have killed Farrell quietly, hid his body and McClain would never have been involved at all. Then the whole Woodlawn scam would never have been discovered and the whole plan would have worked.
” detonator connected to PCI bus & receives the signal that way; possibly powered by the PC’s own power supply.” Easy enough.
“I also added detonate upon opening case for situations where the modifications led to a weird event that caused the user to look at the hardware.”
This was the stupid part of the scenario. The virus they sent up caused the screen to flicker, which, for some utterly unknown reason was supposed to cause the victim to hit the delete key. What the hell was he trying to delete and since when does the delete key help with display driver problems?
Why even bother with that? Send the virus up and let it trigger the bomb!
“This also made me think it’s easier to just use opening the case for detonation & make the software send up bogus hardware errors to get the target to open the case.”
Since the target was a hacker, he might be motivated to open the case. But the average user wouldn’t.
“Hardware errors could pop up as soon as screen lock password was entered.”
Assuming the target had a screen lock password on. Better to just wait for any key press which appears to be what was done since as soon as they hit the keyboard after the virus was sent by the guys outside the screen flickered immediately.
Note: I just re-watched that movie the other day so everything is fresh in my mind.
The movie was great from an action standpoint (not to mention I love Maggie Q!) The only really serious problem was the notion that this one guy and a team of less than a half dozen hackers could penetrate EVERYWHERE in the US government AND US infrastructure in less than a decade or two of work. It takes real hackers days and weeks to hack into ONE mostly undefended corporate network. Even thousands of Chinese hackers haven’t penetrated the US to the degree shown in the movie for several years (as far as we know 🙂 ).
If the movie had been based on some Chinese cyberwar attack, it might have been more believable. One “superhacker” being able to do all this stuff wasn’t believable at all.
Richard Steven Hack • July 14, 2011 1:38 AM
Very off-topic but funny:
Hackers Issue Vermont Zombie Alert
Richard Steven Hack • July 14, 2011 1:41 AM
Off-topic: More fun with mobile phones:
Vodafone Hacked – Root Password published
Quote: ““It is disgusting to see that a major player like Vodafone chooses ‘newsys’ as the administrator password…”
Richard Steven Hack • July 14, 2011 2:39 AM
Off-topic, but seriously creepy:
WiFi-hacking neighbor from hell gets 18 years in prison
Nick P • July 14, 2011 9:46 AM
@ Richard Steven Hack
“Ah, but remember the assassins sent a virus TO the machine from a laptop in their van just prior to detonation. ”
I didn’t remember. My bad. That would seem like a bad idea because you have to physically be in the same place. Taking over the camera for visual confirmation would be better. But these hackers probably didn’t let anyone else use their “rig.” So, if they entered the password, then it was them. Boom. In my scheme anyway… (Movies just got to overcomplicate things to make it look cool to lay people, who still think hacking uses Swordfish-style GUI’s instead of terminals)
“I mean, once the plan was in effect, who cares if someone figured out which hackers were involved? They ALREADY killed off enough hackers to raise a red flag at FBI, so who cares how it was done? Just shoot the guy in his house. ”
It would be less entertaining on film. In real life, it would be more likely to happen as you said. They might even make it look like a robbery gone wrong if they want to try to reduce risk of fed’s discovering the scenario.
“This was the stupid part of the scenario. The virus they sent up caused the screen to flicker, which, for some utterly unknown reason was supposed to cause the victim to hit the delete key. ”
I know, right? I said “wtf?????” I keep thinking lay people write all these movies that feature hacking. But, they must have had help. A well-known hacker friend of mine froze the screen and did an analysis of the icons on the dude’s desktop. He said it was a bunch of hacking tools, malware, etc. All legit stuff. So, someone involved in that production knew stuff. Unfortunately, they weren’t calling the shots about the rest.
“Since the target was a hacker, he might be motivated to open the case. But the average user wouldn’t.”
That was the point. 😉
“Note: I just re-watched that movie the other day so everything is fresh in my mind.”
Glad you said that. I was startin to feel like my memory just totally sucked. Now I know that it may, but this is no evidence of it. 😉
“Even thousands of Chinese hackers haven’t penetrated the US to the degree shown in the movie for several years (as far as we know 🙂 ).”
Your best point. A similar Chinese-directed scenario might have been more believable. Don’t tell the US Govt though. Imagine how much better their “cyberwar” BS would work if the public saw the Chinese rip us a new one on Die Hard 4: The Art of [Cyber]War.
Nick P • July 14, 2011 9:59 AM
@ RSH on off-topic stuff
The road sign thing was funny. Reminded me of a local event where hackers hit up a construction site and changed the sign to say: “Speed limit 100MPH: Go, go, go!” Results were hilarious.
That other link you posted was really creepy. Like a depraved man who couldn’t join Anonymous on their lulz and decided to get off on torturing the neighbors. Even more disturbing, he had the right strategy. I’m glad he was so ineffective at executing it because the results might have been worse & his involvement never detected. Script kiddie tryin’ to play Dr. Chaos… FAIL
Btw, I forgot to add in my previous post that, unrealism aside, Jeffery Wright made an awesome villian & Maggie Q was sexy as usual. I just rewatched Mission Impossible 3 a few nights ago. She was the best looking thing in it. 🙂 (I’d say most memorable, but that goes to the film’s opening sequence: it’s one of the best, most intense openings in action movies.)
echowit • July 14, 2011 10:56 AM
@Al (and a nod to RSH): “… Ergo the 95% would by definition contain all the normal people.”
You do realize, then, that most of the posters on this site (and its founder, I guess) are, at best, stark, bleeping nuts?
Dilbert • July 14, 2011 12:13 PM
Interesting comments about the “realism” or lack thereof in “Live Free or Die Hard”. Actually many aspects of that movie are taken from real events.
- Security guy warns the gov’t that the nations infrastructure is at risk: Anyone remember Mudge and L0pht (now called AtStake) testifying before congress? Read here: http://en.wikipedia.org/wiki/L0pht
- How about hacking the gas company and blowing up the gas lines? Yep, we’ve done that (sort of). Read here:
Now everything in the movie is over the top, but hey… it’s Hollywood. But the possibility (however small) for what they presented in the movie is there, and has been born out to some degree historically.
Just my opinion, but I think it’s very cool 🙂
Nick P • July 14, 2011 12:40 PM
“Security guy warns the gov’t that the nations infrastructure is at risk”
Our national infrastructure is certainly at risk. There are real vulnerabilities and possibilities for sabotage. Many will require inside knowledge of the specific facility or inside help in enabling a remote attack. Others require quite a bit of sophistication. Others would fail entirely thanks to good setups. So, we have to add qualifiers to claims like Die Hard makes, even the more subtle version.
The hearing you’re referring to was mainly headed by Peter Neumman. His claims highlighted pervasive vulnerabilities and lack of security throughout our government and infrastructure. This is a real problem that’s led to the success of groups like Wikileaks and attacks like the defacement of the NSA’s web site. What was harder to believe was l0pht’s claim that they could make the “entire Internet unusable in 30 minutes”. That claim might have been true back then, but the Internet’s too complex now. The only attempt at a firesail that anyone made, back when the net was small enough, failed because a few of the critical nodes resisted attack. If anything, l0pht’s claim was hypothetical and failed the only test thrown at it.
Note that I do think there is a real way to pull this off to a degree: transoceanic cables. Destroying the cables between certain countries might very well be a practical way for certain governments or well-funded individuals to seriously disrupt internet access between countries. For some countries, they are connected by just one set of lines. That’s a single point of failure.
“How about hacking the gas company and blowing up the gas lines? Yep, we’ve done that (sort of). ”
The Siberian explosion doesn’t count in this. The reason is that was high class subversion that most of our infrastructure is unlikely to experience: top-notch security engineers designed a nearly undetectable backdoor; they obtained physical access to the systems; they integrated the backdoor with the systems; they sold them through a company the target would trust. It’s nearly impossible for a company to know their chips haven’t been subverted, making this one of the worst attacks. That’s much different than hackers firing IP packets off at systems.
However, you do make a good point. There have been real disasters and SCADA weaknesses. That there hasn’t been any deadly or financially devastating attacks recently says a lot when one considers how many skilled hackers would want to do it. Apparently, there’s plenty of weaknesses but exploiting them is hard. It would be a set of isolated instances spread out geographically & temporally. So far, it’s unlikely that a team of people could remotely take out things on demand, even knowing about SCADA security. Only the most vulnerable systems & Murphy’s law usually means that the would-be supervillian will run into the better ones.
Clive Robinson • July 14, 2011 12:50 PM
“You do realize, then, that most of the posters on this site (and its founder, I guess) are, at best stark, bleeping nuts”
And it has taken you how long to realise this 8)
In Yorkshire (UK) they have an expression the age of which is forgoton in the mists of time,
All the worlds mad sept thee and I, and thees not looking so good today!
So “it was ever thus”
Dilbert • July 14, 2011 1:00 PM
I wasn’t waying the threat L0pht made was legitimate (I understand the difficulties in making this happen). I was more alluding to the similarities between their testimony to congress, and the background of the “bad guy” in the movie. I picked that up immediately; I don’t know if that’s where they came up with the idea or not. I just liked the similarity.
As for the gas explosion, at the time it was a legitimate attack against their critical infrastructure via their SCADA systems. When I saw the movie I scoffed at the gas explosion. It was only recently that I heard about this actual event.
I think it’s reasonable to conclude that they drew on real-life events for some plot points in the movie. That’s all… I absolutely agree that these events would be incredibly difficult, if not impossible, to pull off today.
Clive Robinson • July 14, 2011 1:02 PM
You forgot to mention that there also was a way to blow up a computer with just one instruction back in the days before the IBM PC.
It was said that if you “poked” a specific address on a Comodor computer it would put a short on the power supply (never tried it myself).
Also there where one or two early parallel printer cards for IBM PC’s that if you accessed the registers in the wrong way would certainly fry the card (and some CGI cards as well).
So maybe not exactly explode “Hollywood style” but certainly go pop, if not catch fire 😉
Oh and do I dare mention the “read ring off death” to MS X-box owners?
Nick P • July 14, 2011 1:18 PM
@ Clive Robinson
“It was said that if you “poked” a specific address on a Comodor computer it would put a short on the power supply (never tried it myself).”
One of the hackers that got me started once claimed he fried a chip with a virus. I think he said it used the BIOS. I never really looked into it past thinking “that’s a cool idea” and “stay on his good side.” I mean, we already were capable of bricking a BIOS & deleting the HD data. Why bother going through all that trouble with a CPU when we’ve already got a sure-fire way to make the system unusable? 🙂
Just for kicks I Googled it. Turns out it was a valid attack on older AMD chips and might be possible on new boards if “the failsafe” is “bypassed by disabling the thermal-emergency shutdown procedure in the BIOS.” BIOS attack. Thermal effect. Yep, that sounds like what my friend did. (That was around 1999.)
“Can a virus melt the CPU?”
Nick P • July 14, 2011 1:30 PM
@ Clive Robinson
Oh yeah, I just remembered an even better one. Remember that PDF Bruce posted a while back that cataloged all the old custom computers the NSA made over time? Remember that one that used mercury in its operation? MJ posted on the blog that software errors became more interesting:
“One of my college professors had spent several months programming a computer with mercury acoustic memory. He once had a bug which caused an infinite loop, and the repetitive loop created a vibration in the memory system which physically smashed the glass tubes, spilling the mercury onto the floor! ”
So, depending on how the computer functions, a well-conceived piece of malware might do more than merely fry a CPU: it might kill the operators too. There should be a “Lessons Learned” paper about this somewhere. “Make sure the computer doesn’t operate with mercury. Check!”
Richard Steven Hack • July 14, 2011 8:14 PM
Echowit: “You do realize, then, that most of the posters on this site (and its founder, I guess) are, at best, stark, bleeping nuts?”
Well, I am, can’t speak for anyone else here… 🙂
Nick P: As to the transoceanic cables, recall that incident a couple years ago where SEVERAL cables were cut, allegedly by accident, at the same time. No one believed that was by accident, however, because the primary victim was Iran because the cables were in the Mediterranean near Egypt – and thus near Israel. Allegedly the ships involved were identified at some point and it was declared purely accidental, but the whole thing stunk to high hell.
As for physically damaging PCs via software, it was alleged that Tsutomu Shimomura, the guy that helped take down Kevin Mitnick, had software that could do that. I took that with a salt shaker full of salt, along with the line that he “allowed” hackers into his system so he could track them (since said hackers spread his stuff all over the place.)
Allegedly one of the ways was to make a hard drive pound its heads into the platters repeatedly or maybe it was into the stops, I forget which. Nowadays, that probably wouldn’t work since drives are so much more robust and have more protective electronics.
It might be interesting to see if one could utilize some of the BIOS manufacturer-provided utilities for overclocking to overclock a CPU to the point where it was damaged. While CPUs have throttling mechanisms to prevent damage via overheating, it is definitely possible to damage a CPU via overclocking. If you could write a virus that somehow overclocked the CPU without the user knowing, that would be interesting.
It probably would be very difficult since it’s hard enough to overclock a system without adjusting several other BIOS settings and get it to do more than just crash. Usually it takes a number of trial and error tests and rebooting to do a good overclock that doesn’t crash. I suppose a virus could be written a la Stuxnet to select for a specific CPU and motherboard and then apply the one set of settings that would result in damage, though.
Richard Steven Hack • July 14, 2011 9:51 PM
Nick P: By coincidence, I read this today:
S African develops free submarine cables map
Here it is: http://www.cablemap.info/
Nick P • July 15, 2011 1:07 PM
@ Richard Steven Hack
“as for physically damaging PCs via software, it was alleged that Tsutomu Shimomura, the guy that helped take down Kevin Mitnick, had software that could do that. I took that with a salt shaker full of salt, along with the line that he “allowed” hackers into his system so he could track them (since said hackers spread his stuff all over the place.)”
Yeah, he seems a tad unreliable. I think it’s safe to say it’s been done when I look at these two facts: my old buddy claimed to do it in 1999 by subverting a BIOS to overheat the chip; the recent paper says you can theoretically subvert a BIOS to burn the chip & old AMD chips didn’t have failsafes. This might be a coincidence, but I’m inclined to think he at least tried it on a system he owned & it worked. He had tons of old & recent PC’s in his closet that he used for spare parts & testing virii on.
“It might be interesting to see if one could utilize some of the BIOS manufacturer-provided utilities for overclocking to overclock a CPU to the point where it was damaged.”
That would be interesting. They’re stuffing so much functionality into BIOS’s these days, especially the EFI or whatever it’s called. There might be something in there.
“I suppose a virus could be written a la Stuxnet to select for a specific CPU and motherboard and then apply the one set of settings that would result in damage, though.”
Yes, that’s most likely because it has to be a targeted attack. However, it might also be easier to generalize & retarget thanks to the fact that there are few major BIOS vendors for general purpose systems.
“S African develops free submarine cables map”
Thanks for the link! After our Die Hard conversation, I had been working out a prototype fire sail scheme that was aimed at crippling global internet access to and from the US, just to see what might work. My main plan would require infiltration and sabotage of the Tier 1 providers (the “backbone”), along with destruction of all transoceanic cables (at least high bandwidth ones). This scheme wouldn’t be ease, but it appears to make a firesail a possibility.
The good news is that this map you posted shows a LOT of underwater cables. It might be hard to take them all out. Best bet would be to have several teams spend a few weeks planting charges on the major cables, along with a reliable set of timers. The availability of submarines would make the job easier so long as US subs weren’t tracking them. The bombs explode or incinerate (e.g. thermite) the cables upon the majority of timers saying the time has been reached. Any attacks on the network backbones would have already been planned & in the making, simply executed at the time the cables are cut.
What do you think of my Internet firesail strategy?
Richard Steven Hack • July 15, 2011 7:26 PM
Nick P: A “grammar Nazi” quibble: “fire sail” should be “fire sale”. Sorry, that’s the second time I saw that.
The problem with your strategy is that it damages the Internet internationally more than domestically. While you intend to take out the Internet backbone domestically, you realize how many ways around that exist, right? You need to take out microwave relays, and landline cable all over the place. Otherwise you’re just likely to make the Internet slow, not disabled. Unless of course you manage to take down the well protected DNS primary servers (and you have to KEEP them down, too – presumably they have backups that could be brought on line either on site or elsewhere within a matter of a couple days.)
Also, this doesn’t address how to take down systems that are not so much Internet controlled, such as transportation and energy.
Remember, Farrell laid out the strategy as follows: “…it’s a three-step systematic attack on the entire national infrastructure. Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that’s run by computers which… which today is almost everything. So that’s why they call it a fire sale, because everything must go.”
Your strategy mostly addresses step two only. It’s not as much “everything must go.”
Where the movie glossed over the issues is about HOW to infiltrate and sabotage the main providers of each system, especially those systems with major security. In the movie, they did most of that by hiring black hat hackers and insider programmers for cash to provide them with the access to the systems. Then they spent the cash to have unlimited access to FBI uniforms and helicopters and mercenaries to enable them to break into places like Woodlawn and the energy grid centers.
They never explained where Gabriel got the cash, but presumably with his computer skills he managed to break into enough banks and money transfer systems to amass it. My guess is his operation cost at least several million dollars, probably more like five to ten million. He could have avoided some of the cost by manipulating systems to gain access to various resources, but the bodies had to be hired. He had at least a half dozen hackers probably being paid $50-100K or more each (although they ended up being shot so he saves some money there), plus the dozens of people he paid for access to systems at $50K per (some of them ended up dead, too, and presumably he reversed their payments), plus his mercenaries who probably were being paid $50K-100K each.
It’s unlikely, but not utterly impossible that an individual could do this. A nation state, however, would find this a trivial expense. A large, well-funded terrorist group might be able to do it from a financial standpoint at least, if not a technical one.
The other issue is time. I’m not sure how long an operation like this would take to plan and execute, but given how hard it is to get computers to do anything right, and how much research would need to be done, plus locating and hiring the right people, my guess is at least five years of steady work on it.
Of course, the payoff in this case was billions of dollars, so any amount of effort was worth it. It’s probably the most profitable investment one could make.
Nick P • July 16, 2011 12:00 AM
@ Richard Steven Hack
” a ‘grammar nazi’ quibble: ‘fire sail’ should be ‘fire sale'”
Well, I saw so many people spelling it that way, including Urban Dictionary, so I went with it. Looking at it again, the ‘everything must go’ tie-in makes plenty of sense. So, fire sale it is. 🙂
“You need to take out microwave relays, and landline cable all over the place.”
Actually I did think about that and you’re right in that my plan intends to bring it to a crawl, rather a total halt.
“this doesn’t address how to take down systems that are not so much Internet controlled, such as transportation and energy.”
My post was just focused on the Internet aspect. I mentioned that.
“Okay, step one: take out all the transportation. Step two: the financial base and telecoms. Step three: You get rid of all the utilities. Gas, water, electric, nuclear. Pretty much anything that’s run by computers which… which today is almost everything.”
I’ll be honest. There’s just too much shit to do all that. Unless… Unless, all refineries & reserves were blown and a series of crippling EMP’s were used all over the state. It could be atmospheric nuclear detonations, but that’s unlikely for a number of reasons. The alternative is to sack the powergrid and use non-nuclear EMP’s on many areas. Sacking the power grid is the easy part.
During my research on the supposed 2012 doomsday, I did find one realistic (albeit not world-ending) possibility: a solar version of the storm of the century. They are coincidentally expecting one somewhere from late 2012 to early 2013, with the median in mid 2012. That NASA funded a study on the effects of a Carrington event (look it up) on modern society makes me think they are taking it seriously.
The important part of the study for us is that national power distribution runs through about 365 large transformers, whose overloading would cause cascading failures all throughout the US. Many of these also take a heck of a long time to replace. A large series of flares could take it out. But it also seems manageable for a well-funded organization. I suspect it would still take months to years to pull off, even with many teams. But, it seems like taking out 365 static, poorly defended targets isn’t that difficult. They might not even have to do it all at once if they can cascade it right. What do you think? (So far, we have Internet to a crawl, transportation disruption due to $8-20/gal gas, & electric grid mostly unusable, with all those side effects.)
“A nation state, however, would find this a trivial expense. ”
My thoughts exactly. I could see Russia trying to pull some crap like this on us. I doubt China would want to as they make so much money off us and love how we produce all this valuable I.P. for them. 😉
“Of course, the payoff in this case was billions of dollars, so any amount of effort was worth it. It’s probably the most profitable investment one could make.”
It definitely had a good ROI. I’ve honestly wondered why the Powerball wasn’t rigged yet. There’s few human targets to control, very little technology & some easy cheating protocols (with subverted workers). Considering the huge payoff & proportionally small cost of subversion, I can’t understand why the mob hasn’t tried. But, far as “most profitable investment,”
I think that goes to the banks behind the Federal Reserve who create money out of thin air, loan it to us, and then… charge interest. They aren’t really investing anything & don’t care if they get it back, but they do make over $100 billion a year in interest on this phantom money that only exists in computers. Got anything that tops that? I mean, the defence department at least does some useful stuff like employing tons of people and blowing shit up, but what have those banks done that’s worth trillions? Answer: the best con of all time. 😉
Richard Steven Hack • July 16, 2011 10:54 AM
Nick P: Yup, best way to rob a bank is to own one.
As for EMPs, remember Ocean’s Eleven (the one with Clooney)? They blew Las Vegas for a few minutes with a “pinch”. Be interesting to see how effective one of those could be at a reasonable size blown near the main telecom centers, not to mention the Internet backbone providers.
Probably would take out those main energy transformers, too, depending on the size needed. Using regular explosives on those transformers might or might not work, since they’re pretty big facilities. But an EMP probably would fry them. How much damage done would depend on the size of the surge.
We probably should stop this before we get visited by the FBI and charged with “material support to terrorists”. 🙂
Nick P • July 16, 2011 1:39 PM
@ Richard Steven Hack
“Probably would take out those main energy transformers, too, depending on the size needed. Using regular explosives on those transformers might or might not work, since they’re pretty big facilities. But an EMP probably would fry them. How much damage done would depend on the size of the surge.”
Indeed. And the biggest ones have shown that they could probably do the job. The one that most people saw on Future Weapons is nothing compared to those the DOE publicly gave the performance of. The power levels and range were incredible. It could have been transported in large trucks, perhaps.
“We probably should stop this before we get visited by the FBI and charged with “material support to terrorists”. :-)”
lmao. I was starting to get anxiety before submitting the last one. So it’s probably a good idea to stop here. Been fun being one of the only guys with a practical fire sale. 😉
Clive Robnson • July 16, 2011 3:17 PM
@ RSH, Nick P,
“The important part of the study for us is that national power distribution runs through about 365 large transformers, whose overloading would cause cascading failures all throughout the US.”
You are not quite thinking it through, all you realy need is an electric drill…
These 365 large transformers are very very efficient but still need to be cooled so simply removing the coolant would be enough to ensure their demise.
However they are all in restricted areas so getting at them would be much harder than getting at the power cables that go into and out of them.
Very high power cables are very complex and fragile things and like the transformers need to be cooled. The cables advantage for a terrorist is knowing just where to dig a hole in the ground, effectivly out of sight of those who would care (until you poped a couple of ounces of shaped cutting charge). So you could start now and put timers on the charges and in a years time you would probably have got most of them mined.
It’s the sort of scenario power engineers talk about over a beer, go home and offer up a silent prayer that it will not happen on their watch.
Because they know they have a major problem how do you watch let alone inspect a few thousand miles of underground high power cable for a device that would fit comfortably inside a plastic carrier bag…
Back in the 1980’s in the UK at the hight of the IRA Mainland Bombings this thought crossed the minds of the powers that be and they decided they had to take action.
The action they chose was to weld shut the man hole covers (not sure what you call them in the US) on the access points.
However the only people with sufficient skill that where easily available in the numbers required for such a large task where Irishmen laid off from the shipbuilders in Belfast etc, who were mainly laid off due to the actions of the UK Government…
It does not matter what engineering field you work in, when you become sufficiently adept at repair / design of it you naturaly see the ways it can be destroyed by just a handfull of explosive etc. It’s like shop workers knowing how to fiddle stock or till etc, it’s just part and parcel of the job.
If the FBI and other LEA’s in the US don’t know this reality of life then they realy should not be drawing wages.
Richard Steven Hack • July 17, 2011 7:35 AM
I read in one Clancy’s cyber-spy novels where a group intended to bust up a cable not just in one place but in several places. So the repair crew goes out and fixes one – then when they start up again, it’s still down. Have to go find the rest of the breaks and get them all fixed. Really frustrating.
Speaking of frustrating, and on topic for Kaspersky, I was working on a client Friday night and discovered our previous Kaspersky AV – which we dumped due to its crappy updating and replaced with Avast – had left nearly a GByte of update files when it was removed. Seems it never cleans up after itself… Discovered that when it hung up SyncBack as I was trying to set up a backup schedule – because one of the files buried in the middle of that GB of crap was corrupted. Only took me over an hour to fix that since I had to run CHKDSK after wasting time trying to fix what I thought was an overlong file path – also courtesy of KAV.
I seriously hate the idiots who designed the NTFS file system – it fragments and it corrupts if you breath on it.
Eirik • July 20, 2011 9:52 AM
“My guess is his operation cost at least several million dollars, probably more like five to ten million.”
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Leave a comment