27 September 2013

How Stuxnet hit Iran - inside story


We all know how Stuxnet hit Iran and its nuclear research center: via an infected USB drive prepared by its enemies.
Of course Iran had security software installed, but it did not manage to discover Stuxnet.
Later, a well-known security software company announced the discovery of Stuxnet.
This is the publicly known history up to now.

The truth is different.
The security software used by Iran had the ability to detect the suspicious behaviour of Stuxnet by heuristics.
I tested it and got the confirmation.
What happened?
The security software company whose product was used by Iran made a few but capital mistakes; some have already been fixed after years, others still persist.

1. When updating the definition files (virus definitions, trojan definitions, other threat definitions), ensure that all files are digitally signed, not only some of them.

2. Ensure that your clients receive the updated definition files from a trusted server in a secure and trusted friendly country, and if your customer is within your borders, make a direct secure connection, not one routed via other countries.

3. Use digital certificates issued by an authority in your own country, not by a foreign company in a foreign nation.

What really happened?
The updated definition files were partly faked on the definition file server.
Being distributed as a group of many files, the official legitimate file had its name changed with a blank in front, and a modified file was created with the same correct name. It's an old trick based on the fact that Windows file names cannot start with a blank, and at that time the update engine worked similarly. For people from the FXP gold era the trick is well known; it was used in so-called mazes on hacked FTP servers.
The modified file was exactly the one which could heuristically detect Stuxnet. The modified one ignored Stuxnet.
How could this happen? For sure the state authorities in the country hosting the definitions distribution server persuaded the server owner to make these modifications.
In other words, official state-supported IT terrorism.
It was excluded that the security software company itself would have done this; it would have been unimaginable to sabotage its own international reputation.
A hacked definitions distribution server? Improbable: the anomaly disappeared after a time, a clear sign that the real authors were confident in the secrecy of their operation.
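An added example (not code from the original post) of the check that mistake 1 above calls for: every file in a definitions update is validated against a signed manifest, and names that differ only by a leading blank are rejected as the renaming trick described above. The manifest format, file names and contents are constructed for illustration, and the manifest's own signature is assumed to have been verified already.

```python
import hashlib

# Constructed sample update bundle: the legitimate heuristics file was renamed
# with a leading blank and a modified file took its original name.
BUNDLE = {
    "virus.def": b"signature-db-v1",
    " heur.def": b"heuristic-rules-genuine",   # legitimate file, renamed
    "heur.def":  b"heuristic-rules-modified",  # forged replacement
}

# Signed manifest the vendor ships: expected SHA-256 of every file.
# Assumption: the signature over this manifest was already verified.
MANIFEST = {
    "virus.def": hashlib.sha256(b"signature-db-v1").hexdigest(),
    "heur.def":  hashlib.sha256(b"heuristic-rules-genuine").hexdigest(),
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def validate_bundle(bundle, manifest):
    """Return a list of problems; an empty list means the bundle may be installed."""
    problems = []
    seen = {}  # normalised name -> first raw name seen with it
    for name, data in bundle.items():
        # A name that changes under strip() is the leading/trailing-blank trick.
        if name != name.strip():
            problems.append(f"suspicious name {name!r}: leading/trailing whitespace")
        key = name.strip().casefold()
        if key in seen:
            problems.append(f"name collision: {name!r} vs {seen[key]!r}")
        seen.setdefault(key, name)
        # Every file must be covered by the manifest, not only some of them.
        if name not in manifest:
            problems.append(f"{name!r} is not covered by the signed manifest")
        elif sha256(data) != manifest[name]:
            problems.append(f"{name!r} hash does not match the signed manifest")
    # A file silently dropped from the bundle is also a failed update.
    for name in manifest:
        if name not in bundle:
            problems.append(f"{name!r} listed in manifest but missing from bundle")
    return problems


if __name__ == "__main__":
    for p in validate_bundle(BUNDLE, MANIFEST):
        print("REJECT:", p)
```

The constructed bundle is rejected on four counts; a bundle containing only the genuine files under their manifest names passes with no problems.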

It's a shame what happened, when a state, under external pressure, supports IT terrorism.

Conclusions:

1. Digitally sign all your files with your own security certificates (when you are a security software company); never again use digital certificates from companies in other countries.

2. Use definition distribution servers in trusted countries only.

3. Use direct distribution channels if your clients are within your country's borders.

4. Depending on your country's political situation, use security products only from friendly countries, never from politically adversary countries.

5. Ensure you receive the updated definition files from trusted friendly countries.

Stuxnet is a lesson for history: the Internet is no longer an international academic and clean environment! It's just a new dirty Cold War field.




23 September 2013

Cloud services and Politics - The new cold war

Cloud services and cloud hosting have been a very hyped matter for a few years. In the light of the recent Snowden affair and the latest Wikileaks revelations, every little aspect of IT is now related to politics and to foreign nations' tendency toward superpower status and domination.
Cloud services, so popular in advertisements aimed at people, are in fact the most dangerous way to compromise your private data, your company's own security or your own country's state secrets.
The world's political polarisation is best seen in security software, where being a citizen/resident of a certain country and using the security suite of a company from another country makes the difference between life and death in some situations, or you as a person, in good faith, are transformed without your consent into a "foreign" spy through your backdoored computer, smartphone or the like.
We are living in an era where the software piracy of 10 years ago, done by individuals and groups, is completely replaced by company- and state-organised IT espionage on a large scale, IT sabotage and, more exactly defined, full-scale war on the IT plane.
It's ugly and rough, but it's quite scary when reputable or "once reputable" security software companies make security suites which are politically biased, defending the computers of certain nations and spying on or sabotaging the computers of other nations.
We are living in times when what was once called the academic spirit and scientific enthusiasm is now fully used for political supremacy and wide-scale espionage, and words like democracy and humanity are only empty words used for greed and murder.
Have you ever thought about why, in many software products which could once be used offline to edit, import and export their data, all offline support is nowadays gone and replaced by so-called cloud services?
The same products are still loudly shouting that they defend and respect your private life and personal data, but... in order to use them, you need to send your personal data to a cloud somewhere!
Well-known browsers and personal data/password managers no longer support offline data export and import.
Why?
Are you so naive as to trust that this is because of their concern that you can access your private data when travelling? And that your data, even in the cloud, is secure and "encrypted" with AES-256 or the like? So there is no reason to worry?
Well, you have every reason to be worried and never again use any cloud service.
At the following links you have the proof of how AES-256 (depicted as so secure) is decrypted on the fly:

http://zenosloim.blogspot.com/2013/10/tutorial-how-to-get-any-version-samsung.html

http://forum.xda-developers.com/showthread.php?p=23376722

http://www.modaco.com/topic/352298-tutorial-how-to-get-any-version-samsung-omnia-ii-i8000-firmware-directly/



22 September 2013

I decided to start a blog related to IT Security and Politics because I felt that the times we are living in right now require taking a stance. Starting to publish your personal views is important and a clear expression of what is called freedom of expression. We'll see how long this blog will survive before being closed by the foreign parties named here: countries, companies, government agencies.
We'll see how long Google, which pretends to be a free-speech supporter, will tolerate the articles published here, or whether the foreign pressures will be stronger and will censor my articles.
If my blog is erased, I will try to make it public again somewhere else, where possible.