Cyber warfare has been advanced a step by militants in Afghanistan, who have managed to intercept the unecrypted video feeds from UAVs orbiting overhead.

At the beginning of the year, I laid out some examples of what effective cyber warfare entails, including this:

Imagine compromising the enemy’s C4ISR infrastructure and not only knowing where all enemy assets are, but having the ability to provide false information (if at least a few times before being discovered).

Now, over at Danger Room, we see this:

If you think militants are going to be content to just observe spy drone feeds, it’s time to reconsider. “Folks are not merely going to listen/watch what we do when they intercept the feeds, but also start to conduct ‘battles of persuasion’; that is, hacking with the intent to disrupt or change the content, or even ‘persuade’ the system to do their own bidding,” Peter Singer, author of Wired for War, tells Danger Room.

The militants have managed to intercept drone feeds from a $4.5M piece of equipment with a $26 piece of software. That clearly demonstrates that deploying very sophisticated, very expensive technology in the battlefield does not negate the need for operational security, or OPSEC.

The next step may be a man-in-the-middle attack on those feeds, allowing the insurgents to inject fabricated feeds into the system. This could change how U.S. soldiers on the ground react to what they are seeing, maybe by unintentionally attacking a hospital instead of an insurgent safe-house, or maybe even attack fellow U.S. soldiers rather than an intended target.

In the grand scheme of things, this is nothing new. Signal intelligence, or SIGINT in military lingo, has been with us since we were tattooing secret messages onto shaved heads and waiting for the hair to grow back to conceal it. What is troubling is that the drones are a critical aspect of the AF-PAC theater. Their sole purpose is to provide video surveillance (using that intelligence to then deliver a missile is a secondary purpose). They are remotely piloted primarily using that video feed. Not protecting that signal’s confidentiality, integrity or availability potentially negates its usefulness altogether. If the enemy can either jam or alter that feed, they can simply crash the drone or dictate its mission and by extension dictate the mission of ground teams dependent on the feed.

In the opening paragraph I credited the militants with advancing cyber warfare, however now I’m inclined to credit the U.S. for having receded the art of OPSEC.

Once word hit our office of the upcoming Google Wave, we saw renewed interest in leveraging such collaboration tools, which means we have to again evaluate our stance against putting our intellectual property ‘in the cloud.’ (I really hate that term)

Putting information in the cloud means relinquishing control of that document to whatever provider is hosting the application as a service. Our business can basically be boiled down to “information provider” (I work for an architecture firm). A large chunk of what we sell is information in the form of computer-generated drawings, schematics, pictures, animated fly-throughs, etc.

Therefore our information, our intellectual property, is our life-blood. If we lose control of it and the competition gets it, we’re dead in the water. We can’t compete for jobs if the competition knows what we plan to propose and how much we plan to charge. A huge part of competing for a job in our architecture niche is being able to deliver something so unique that it blows away the competition. Therefore securing our information is very important to us.

The future of collaboration obviously lies in the cloud. We’ve been able to resist so far, but I don’t expect that to last.

So I’m posing a question to both readers of this blog

How do you deal with the risks of putting intellectual property in the cloud?

While this will be obvious to many, it still bears mentioning; Blackberries and other smart-phones can be carriers for worms and viruses when USB storage is enabled.

I ran into a case earlier this week. Our HIPS software was alerting to an auto-run virus on an IT staffer’s F drive, which usually indicates a USB drive. When asked about it, he indicated the only thing he used was his Blackberry. He had a micro SD card installed and used it to move pictures and movies between computers.

Explorer in Windows wouldn’t display the autorun.inf nor the virus executable so I plugged the Blackberry into my Mac, which showed both files. VirusTotal.com verified the executable as a virus and we manually removed it and he’s now going through all of his computers to find out which ones have the virus.

Our primary antivirus software didn’t detect the virus at all. Luckily the supplemental AV in our HIPS software triggered on the autorun.inf and prevented execution of the virus executable. We implemented strict rules regarding auto running anything from a USB drive after Conficker. Since then, the HIPS software does its own scan of the entire USB drive before permitting access to it, including access by the primary AV software. So far this has protected us significantly, because the primary AV rarely flags the autorun.inf files, but the supplemental does.

Another win for defense in depth.

The conficker/downadup worm has impacted the French Ministry of Defense, according to an article posted by The Telegraph. According to the article;

…aircraft were unable to download their flight plans after databases were infected by a Microsoft virus they had already been warned about several months beforehand.

At one point French naval staff were also instructed not to even open their computers.

Like the recent compromise of the British MoD, the compromise of the French MoD appears to have been isolated to the unclassified network called Intramar. Coincidentally it was the navy that has reportedly been compromised in both cases.

It’s still being questioned whether or not aircraft were grounded by the worm. However, the fact that the worm impacted the MoD is not in question and that illustrates the risk of having weapons systems interconnected with the Internet.

To my knowledge the botnet created by conficker/downadup hasn’t been put into action yet. However, the fact that it now has two major trophies; the French and the British Ministries of Defense is certainly worth pondering. The propagation methods this worm uses have proven to be very effective.

Conficker, aka Downadup is gaining popularity among the non-techy news sites. Today I ran across this article on Rawstory.com. In it, David Perry of Trend Micro is quoted as saying “Downadup uses brute force from the infected network of botnets to break the password of the machine being attacked”.

To my knowledge that isn’t how the worm works, but please correct me if I’m wrong. According to everything I’ve read, a single instance of the worm will indeed try to “brute force” passwords but it isn’t a distributed effort spread across portions of the botnet. In none of the following evaluations of conficker is ‘distributed brute forcing’ mentioned:

Trend Micro (fails to even mention the password-guessing aspect)
Symantec
Sophos
F-Secure
McAfee
Panda (added to my list 1/23/09)

Not to mention the fact that the total number of passwords hardwired into the worm is 184, which is miniscule when compared to Cotse’s “all-words” list of 53,082. The smaller number of passwords was certainly intentional to keep the code lean and mean and doesn’t lend itself to distributed brute force.

The author of the story also states that “A troubling aspect of Conficker is that it harnesses computing power of a botnet to crack passwords.” That, according to everything I’ve read is false. Conficker does not crack passwords, it guesses them from a small list of “weak” passwords. Something like L0phtcrack built into a worm would indeed be new and certainly nasty but what conficker is doing isn’t near what L0phtcrack does…

Can anyone validate Mr. Perry’s statement?