National Cyber Warfare. Ok?
andyandy
31st May 2012, 07:23 AM
The world's most complex computer worm has been discovered - likely the work of America or Israel against Iran. The question is, is such cyber warfare acceptable? Is it "war"? What rules should govern the use of national cyber war? What are the potential dangers? Is this a glimpse of wars of the future and how would America (or the UK) respond to a similar attack on their own infrastructure?
Discuss :)
andyandy
31st May 2012, 07:25 AM
Details:
A cyber-attack that targeted Iran's oil ministry and main export terminal was caused by the most sophisticated computer worm yet developed, experts have warned.
The virus appears to have been directed primarily at a small number of organisations and individuals in Iran, the West Bank, Lebanon and the United Arab Emirates. This will inevitably raise suspicions that Israel or the US were involved in some way.
Analysts who have been decoding the computer worm, which is called W32.Flamer, have been unable to identify the source. But they say only a professional team working for several months could have been behind it.
The CrySyS Laboratory, in Hungary, said: "The results of our technical analysis supports the hypothesis that [the worm] was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyberwarfare activities." "It is certainly the most sophisticated malware we [have] encountered. Arguably, it is the most complex malware ever found."
Orla Cox, a senior analyst at Symantec, the international computer security firm, said: "I would say that this is the most sophisticated threat we have ever seen."
Symantec undertook a detailed analysis of the groundbreaking Stuxnet virus, which targeted Iran's nuclear enrichment facilities two years ago, sending some of their centrifuges spinning out of control. Cox said W32.Flamer appeared to be even more complex than Stuxnet, and that it was an incredibly clever, comprehensive "spying programme".
"It is a backdoor worm that goes looking for very specific information. It scrapes a mass of information from any infected machines and then sends it, without the user having any idea what is going on. The amount of information it can send is huge."
http://m.guardian.co.uk/ms/p/gnm/op/syfsPS73NvN96ZDr3uX2b8Q/view.m?id=15&gid=world/2012/may/28/computer-worm-iran-oil-w32flamer&cat=world
MG1962
31st May 2012, 07:30 AM
I think the nature of the virus is inherent in the fact it didn't flash around the world in 28 minutes and destroy millions of computers in the process.
Cyber wars are old news - just another tool in the art of conflict - We will find out how other nations will react when they are successfully penetrated by such programs
andyandy
31st May 2012, 07:47 AM
I think the nature of the virus is inherent in the fact it didn't flash around the world in 28 minutes and destroy millions of computers in the process.
Cyber wars are old news - just another tool in the art of conflict - We will find out how other nations will react when they are successfully penetrated by such programs
I agree the idea of cyber warfare is "old news" - but it becomes an ever greater tool of war - which begs the question when cyber warfare stops and "real" warfare begins? Does it even make sense to make that distinction anymore? If you can attack and shut down critical infrastructure by computer attack is that tangibly different from attacking and shutting down critical infrastructure by conventional weapons? And if we can't make a distinction how should cyber warfare be covered in terms of current international treaties/regulations?
With the specific worm, I guess my question would be, now that the code is out there, how easy would it be for other agencies to replicate the core functions of this attack ("vacuuming up all nearby wifi communication from non-infected machines allows for a pretty spectacular security breach)...? And what would the response to a similar attack on the US (UK) be? Can we respond to a cyber attack as an act of war?
From the UN:
A United Nations agency says it is poised to issue its "most serious" cyber security warning about the risk of the Flame computer virus, which was recently discovered in Iran and other parts of the Middle East.
"This is the most serious warning we have ever put out," said Marco Obiso, cyber security coordinator for the UN's Geneva-based International Telecommunications Union (ITU), which is charged with helping member nations secure their national infrastructures.
The confidential warning will tell member nations that the Flame virus is a dangerous espionage tool that could potentially be used to attack critical infrastructure, Mr Obiso said.
"They should be on alert," he said.
"I think it is a much more serious threat than Stuxnet."
Facts:
One of the most sophisticated pieces of malicious software ever discovered, with about 20 times as much code as Stuxnet.
Built with some 20 modules, researchers still do not understand the full purpose of most of them.
Can record sounds, access Bluetooth communications, capture screenshots and log internet messaging conversations.
Creators of the virus used a network of some 80 servers across Asia, Europe and North America to remotely access infected machines.
It is the largest such Command and Control network identified to date.
An estimated 1,000 to 5,000 machines were infected worldwide.
http://www.abc.net.au/news/2012-05-30/un-agency-plans-major-warning-on-flame-virus-risk/4041116
MaGZ
31st May 2012, 02:54 PM
It is warfare and I suspect Iran will retaliate with their own cyber-attack.
Xulld
31st May 2012, 03:43 PM
If you can attack and shut down critical infrastructure by computer attack is that tangibly different from attacking and shutting down critical infrastructure by conventional weapons?
I think it depends on the nature of the damage, and how bad it really is. Wars have been fought over attacks that cause great economic and strategic harm. I think there is a difference right now at least. Pop out your hard drives, replace them and you're back in gear. Take your critical systems offline to prevent others from accessing it and you're safe vs having to relocate and rebuild the entire installation after an airstrike. So the difference so far IMHO is one of scale of harm. It seems unworthy of a conventional response. Also it's very unlikely anyone lost their lives due to a cyber attack.
And if we can't make a distinction how should cyber warfare be covered in terms of current international treaties/regulations?
The problem is knowing who dun it.
With the specific worm, I guess my question would be, now that the code is out there, how easy would it be for other agencies to replicate the core functions of this attack ("vacuuming up all nearby wifi communication from non-infected machines allows for a pretty spectacular security breach)...? And what would the response to a similar attack on the US (UK) be? Can we respond to a cyber attack as an act of war?
WELL, there is a big difference in having a copy of the virus, and having the code. It's much like a real virus, you might have a sample, and can watch it function in an isolated environment, know its operational patterns, and understand the level of its complexity, and yet still not know its code/genome. The real trick is that no one has any easy way to break down the genome of a computer virus. Detecting it, and experimenting with disabling and removing it is different from being able to turn it around and make use of it for your own purposes.
I am not an expert but do work in software development, so take what I say with a grain of salt, it's been years since I was the guy whose job it was to defeat even common viruses.
I have seen some very complex viruses in my time, so if anything this makes me wonder just what this one was doing that made the experts believe it to be so much more complex than what we have seen in the years past.
theprestige
31st May 2012, 04:29 PM
Can we respond to a cyber attack as an act of war?
Of course we can.
And the moment it becomes convenient or necessary to do so, we probably will.
We could also respond to Somali pirate attacks on US shipping as acts of war, but what would be the point? And in fact, we do treat it as war from time to time; it's hard to argue that you're not at war with the US when there's a Navy SEAL putting a bullet in your head.
But international diplomacy isn't a black-or-white game. OMG China is espionaging us, we must totally now have to go to war with them!!!eleventy!!!
No. We do what's convenient and what's necessary. Mostly, that means entertaining a certain amount of low-level conflict with some other nations, without naively concluding that we're now committed to all-out war.
Brian-M
31st May 2012, 04:54 PM
WELL, there is a big difference in having a copy of the virus, and having the code. It's much like a real virus, you might have a sample, and can watch it function in an isolated environment, know its operational patterns, and understand the level of its complexity, and yet still not know its code/genome. The real trick is that no one has any easy way to break down the genome of a computer virus.
If the "genome" of a computer virus is the source code, then all you have to do is put the virus through a decompiler (http://en.wikipedia.org/wiki/Decompiler). Problem solved.
Although, the source code produced by a decompiler won't have variables and functions conveniently labelled in a way that describes their purpose, nor any helpful comments to aid understanding, nor have everything laid out in a way that is easy for a programmer to make sense of.
But it will still be source code that can be examined to determine its function.
BenBurch
31st May 2012, 05:06 PM
...
But it will still be source code that can be examined to determine its function.
Sometimes.
The best viruses are written in machine language and use obscure processor features like diagnostic instructions and also co-opt large segments of already-installed system code. They are very, very hard to understand without running them, and tend not to function the same in an emulator as on real hardware, so it becomes difficult to even see what they do.
BenBurch
31st May 2012, 05:11 PM
Sometimes.
The best viruses are written in machine language and use obscure processor features like diagnostic instructions and also co-opt large segments of already-installed system code. They are very, very hard to understand without running them, and tend not to function the same in an emulator as on real hardware, so it becomes difficult to even see what they do.
For example; http://www.rcollins.org/p6/opcodes/CMOV.html
Seismosaurus
31st May 2012, 07:04 PM
Seems to me that cyber attacking a country is no different in principle than attacking it any other way.
Hypothetically, suppose that Iran discovered certain proof that the US government had conducted this cyber attack, and responded by planting a terrorist bomb that disabled a US oil refinery. Iran then said that they had simply carried out a proportionate response to an unprovoked attack, something the US itself has done many times in the past.
I'd have a hard time saying that they had done anything wrong based on anything but "our side good, their side bad".
Xulld
1st June 2012, 08:23 AM
Seems to me that cyber attacking a country is no different in principle than attacking it any other way.
Hypothetically, suppose that Iran discovered certain proof that the US government had conducted this cyber attack, and responded by planting a terrorist bomb that disabled a US oil refinery. Iran then said that they had simply carried out a proportionate response to an unprovoked attack, something the US itself has done many times in the past.
I'd have a hard time saying that they had done anything wrong based on anything but "our side good, their side bad".
All the more reason to respect nations' sovereignty, and require Congress to enact war before we strike at nations.
Non intervention used to be the standard, now it is a rare exception.
I am not an advocate for the operations of the CIA, and the world policing role that the US has taken on in recent times. HOWEVER, I am skeptical about the claims that this virus must have originated with the US. I'd be curious to see the evidence which prompts one to conclude such.
Dragoonster
1st June 2012, 11:56 AM
Seems to me that cyber attacking a country is no different in principle than attacking it any other way.
Hypothetically, suppose that Iran discovered certain proof that the US government had conducted this cyber attack, and responded by planting a terrorist bomb that disabled a US oil refinery. Iran then said that they had simply carried out a proportionate response to an unprovoked attack, something the US itself has done many times in the past.
I'd have a hard time saying that they had done anything wrong based on anything but "our side good, their side bad".
Yep.
I don't think there's anything "wrong" with cyberattacks, but against a nation I think it's certainly an act of war. And one shouldn't be surprised at a response.
And as you say, an exactly commensurate response is impossible if the attacked nation lacks the technology. Same deal with drones. If nation A drone-attacks nation B, which doesn't have drones, is nation B in the wrong for attacking nation A with conventional aircraft? I'd think the general view would be "no, that's fine", but maybe some think differently.
And I'd add another to your hypothetical--that Iran physically blows up computer networks of the US military (or nuclear program.) Same intent and result, the only difference would be a physical human doing the deed.
HOWEVER, I am skeptical about the claims that this virus must have originated with the US. I'd be curious to see the evidence which prompts one to conclude such.
I don't know if this prompted the thread topic, but...
http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=1&_r=1
From his first months in office, President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons, according to participants in the program.
[etc]
Also don't know if this would be considered evidence since I'm also skeptical about all reports based on "unnamed officials".
Childlike Empress
7th June 2012, 12:18 PM
Crypto breakthrough shows Flame was designed by world-class scientists (http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/)
The Flame espionage malware that infected computers in Iran achieved mathematics breakthroughs that could only have been accomplished by world-class cryptographers, two of the world's foremost cryptography experts said.
"We have confirmed that Flame uses a yet unknown MD5 chosen-prefix collision attack," Marc Stevens and B.M.M. de Weger wrote in an e-mail posted to a cryptography discussion group earlier this week. "The collision attack itself is very interesting from a scientific viewpoint and there are already some practical implications." [...]
The analysis reinforces theories that researchers from Kaspersky Lab, CrySyS Lab, and Symantec published almost two weeks ago. Namely, Flame could only have been developed with the backing of a wealthy nation-state. Stevens' and de Weger's conclusion means that, in addition to a team of engineers who developed a global malware platform that escaped detection for at least two years, Flame also required world-class cryptographers who have broken new ground in their field. [...]
theprestige
7th June 2012, 12:52 PM
Crypto breakthrough shows Flame was designed by world-class scientists (http://arstechnica.com/security/2012/06/flame-crypto-breakthrough/)
That's pretty cool.
BenBurch
7th June 2012, 12:58 PM
As I said in another thread, I recently had the privilege of seeing exactly what The Threat is doing to American corporations, and it's worse than you can imagine, and more coordinated than you might be prepared to believe.
I can't say any more about it, but please take it seriously, and please don't criticize friendly governments who are trying to fight back unless they really step over the line.
fuelair
7th June 2012, 01:04 PM
Seems to me that cyber attacking a country is no different in principle than attacking it any other way.
Hypothetically, suppose that Iran discovered certain proof that the US government had conducted this cyber attack, and responded by planting a terrorist bomb that disabled a US oil refinery. Iran then said that they had simply carried out a proportionate response to an unprovoked attack, something the US itself has done many times in the past.
I'd have a hard time saying that they had done anything wrong based on anything but "our side good, their side bad".
I'd still support nuking (or FABing) 'em. Make 'em sweat!!! :D
BenBurch
7th June 2012, 01:07 PM
NM
Ziggurat
7th June 2012, 01:15 PM
Seems to me that cyber attacking a country is no different in principle than attacking it any other way.
True. But in detail it can be. Hell, even conventional weapons attacks vary considerably in detail.
I'd have a hard time saying that they had done anything wrong based on anything but "our side good, their side bad".
There are other considerations, in particular threats to people's lives. As far as I understand it, Stuxnet etc. never posed any physical danger to anyone. That is inherently not the case with a bomb at an oil refinery. It's possible that such a bomb might not kill anyone, but the risk of injury and death is very high. Hell, even just fighting the fires from such a bomb could kill people, even if the explosion doesn't. Plus even if the damage could be reliably contained to property and not humans, there's the additional difference between government assets and those of private individuals.
BenBurch
7th June 2012, 02:00 PM
Zigg, we had a refinery fire here years ago in which the company fire battalion were putting water on a reactor to cool it, and it exploded. It was found, most of it, five miles away. Not a single trace of any of the men was ever found.
Cylinder
7th June 2012, 02:10 PM
Sabotage is as old as warfare. It's certainly not armed conflict. The US and USSR have played DOS games in the electronic spectrum for many years.
Childlike Empress
7th June 2012, 02:17 PM
Sabotage is as old as warfare. It's certainly not armed conflict. The US and USSR have played DOS games in the electronic spectrum for many years.
Seems they switched to Windows now. ;)
© 2001-2009, James Randi Educational Foundation. All Rights Reserved.