The Right to Keep and Bear Cyber Arms: The 2nd Amendment and CyberWar

There have been several articles floating around about “Cyber Militias”, and though I will probably regret it, I think it is time to talk about cyber weapons and the second amendment.

I’ve seen some interesting video lately, where two armed thugs enter a business and threaten everyone inside. An armed civilian defends himself and everyone inside by drawing his weapon and chasing the perps out of the business with some well-aimed shots. But what if your business, which you worked very hard to build with blood, sweat and toil, is targeted by cyber criminals? What can you do?

Well, right now, all you can legally do is contact the authorities. Even if you knew how, you cannot take matters into your own hands and counter-hack the attackers. With all the media hype over Stuxnet, cyber war and cyber weapons – should US citizens be legally allowed to own and use these deadly weapons in accordance with their 2nd Amendment rights?

Okay, I am poking fun with the “deadly” thing, as so far no one has been officially killed by a “cyber weapon”. But Joel Harding has some very interesting points in his latest post on cyber militias. If Switzerland stays true to course, and hands out government made cyber code to home guard soldiers, shouldn’t American civilians have access to such weapons also?

Honestly, as the amendment is written and as code is now being classified as a weapon, why shouldn’t Americans be allowed to actively defend themselves against online electronic risks as well as physical threats?

Of course, I can foresee that a single-user Denial-of-Service weapon would probably be given out without much ado, but there will probably be a ban on large-capacity distributed DoS weapons. And of course there will be a 10-day waiting period on Stuxnet-based threats.

Wouldn’t want someone blowing up a couple of nuclear power processing plants in Iran just because they had a bad day at the office…

Alright, alright… All kidding aside, should the 2nd amendment apply to cyber weapons – what do you think?

New Version of Duqu Found

On Tuesday, Symantec reported on their blog that they have found yet another variant of Stuxnet’s relative “Duqu”. Symantec lists 15 variants in their Duqu whitepaper (PDF). This version is different in that it uses a new infection technique: it installs via a loader file that executes on reboot. The loader file then decrypts and installs the remaining Duqu code from the hard drive.

With a compile date of February 23, 2012, it seems that the Stuxnet creators are still alive and well.

Japan Building Automatic Cyber Defense Virus

Japan steps it up a notch in the cyber war arena. Apparently the Japanese government has hired IT product giant Fujitsu to create a cyberweapon virus that will automatically seek out and destroy enemy viruses:

“The three-year project was launched in fiscal 2008 to research and test network security analysis equipment production. The Defense Ministry’s Technical Research and Development Institute, which is in charge of weapons development, outsourced the project’s development to a private company. Fujitsu Ltd. won the contract to develop the virus, as well as a system to monitor and analyze cyber-attacks for 178.5 million yen.”

That’s a cool 2.3 million to create an offensive cyber defense system that will not only detect an attack, but will backtrack and seek out the attacker, even when attackers bounce through several proxy systems. According to the article, the “virus” will disable the incoming attack and record forensic data.

The defensive program almost acts like a human immune system tracking down and weeding out invading viruses. Systems like these are needed when facing the latest advanced threats.

Actually, computer scientists and engineers are currently studying the human immune system to try to replicate it for computer defense.

Though automated cyber defense systems are classified, from what public data is available, the US has had this capability for at least a couple of years now. US computer security company Rsignia comes to mind immediately. Rsignia creates cutting-edge security devices used by the US government and in the US-CERT Einstein program.

We covered Rsignia’s Cyberscope automated offensive cyber weapon system back in 2010.

Cyberscope has the ability to detect and automatically counterattack incoming threats. It has several options that it can use in response. For example, it can simply shut the attacking stream down, or intercept the data that is being exfiltrated, manipulate it, and feed it back to the attacker. Or better yet, it can even infect the proxy machines used and turn them into bots to counterattack the infiltrator.

These were the capabilities openly discussed in mid-2010; who knows how far the US has advanced since.

Stuxnet II – Dubbed “Duqu” found in the Wild

On October 14th, Symantec was sent a sample of a Stuxnet variant from an organization in Europe.

The malware was very similar to Stuxnet, but the payload and purpose make this a totally new creation.

Parts of the malware are basically Stuxnet; it is so close that a report from F-Secure says their backend systems even classified it as Stuxnet.

But as researchers dug into it, they found an interesting twist. This version was not created to destroy PLC equipment. This one is an electronic spy.

According to a 42-page analysis of Duqu released today, Symantec claims that the code was written by the same authors who wrote Stuxnet, or at least by a group that had access to the source code. But the twist is, this one isn’t made to take out nuclear power plants; this version collects information, possibly for a follow-up attack at a later time:

“Duqu’s purpose is to gather intelligence data and assets from entities such as industrial control system manufacturers in order to more easily conduct a future attack against another third party. The attackers are looking for information such as design documents that could help them mount a future attack on an industrial control facility.

Duqu does not contain any code related to industrial control systems and is primarily a remote access Trojan (RAT). The threat does not self-replicate. Our telemetry shows the threat has been highly targeted toward a limited number of organizations for their specific assets. However, it’s possible that other attacks are being conducted against other organizations in a similar manner with currently undetected variants.”

The design also makes it difficult to ascertain the malware’s source nation. It uses a valid digital certificate from a company in Taipei, Taiwan (which has since been revoked). It communicates over HTTP and HTTPS to a Command and Control server in India, encrypts data before transmission, hides its C&C traffic inside dummy .jpg picture files, and automatically removes itself after 36 days.

As this version seems to be an espionage tool, one has to wonder what is next. The author apparently wants to gather information on a target for what would seem to be future attacks. What could the future attack be?

Well, we may not need to wait long to find out: as of today, Symantec has received additional variants of Stuxnet from another European organization. These samples have a compilation date of October 17th. Symantec has not had time to analyze these new samples yet, but this is very interesting indeed.

For more information, check out Symantec’s detailed report.