Information Warfare: The Irresistible Trojan Horse


February 15, 2015: In late 2014 South Korean security officials got a scare when malware was found on the control-system network of a nuclear power plant. That network was not connected to the Internet, and investigators determined that the malware got in via a thumb drive (USB stick) someone had plugged into a computer attached to the network. The malware did no damage, and officials pointed out that the software controlling the reactor itself was not at risk. Malware that spreads on its own, copying itself onto removable media and then onto every machine that media is plugged into, is called a worm, and worms are becoming more of a problem.

For example, the U.S. Department of Defense believes that a computer worm (agent.btz), introduced in 2008 into its heavily protected SIPRNet (a classified network with no connection to the public Internet), was developed by Russia and is still active. Agent.btz got into the classified Department of Defense network when a soldier in Central Command, stationed in the Middle East, plugged an agent.btz-infected thumb drive into a laptop that was connected to the secure net. Despite years of effort the Department of Defense has not been able to completely clean out agent.btz, and new versions of it have shown up in other U.S. government networks.

Hostile software like agent.btz is programmed to constantly try to duplicate itself and move to other networks. That's what a worm does. But agent.btz also seeks out a network that is connected to the Internet, so that it can transmit the data it has collected. This is the perfect spy, and there are more of them out there every month. Not only are there more of them, they are also getting more capable. New ones are programmed to evade defenses (anti-virus software), and most of them hide themselves on the hard disk so that they are difficult to detect. A worm can also be programmed to do something specific to a system it recognizes. This is what the Stuxnet worm did when it got inside an Iranian nuclear facility and caused millions of dollars in damage.

Organizations determined to make it difficult for malware like agent.btz to spread add more detection software and prohibit the use of removable media (thumb drives, read/write DVD and CD drives, diskettes, memory cards and portable hard drives) on PCs connected to key networks. Thumb drives are now almost always banned.

Enemy agents have found that the easiest way to get an infected thumb drive into a well-guarded facility is to leave data CDs and thumb (USB) drives on the ground in parking lots or other areas visited by people who work in secret facilities. More than half of these CDs and thumb drives are carried inside to wherever the finder works and plugged into an office computer so the finder can see what is on them.

One solution to this form of infiltration is to configure the operating system so that it refuses to use any CD or thumb drive that has not been explicitly authorized (registered by serial number or similar identifier) on PCs in top secret facilities, instead of relying on a written ban. Sure, it's more work for the security people (who would have to work with similarly "user hostile" software and hardware developers), but in the end it's less hassle for the users, and fewer security problems. Sometimes doing things the right way takes a little more effort, and the use of a bit more insight.
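The two controls described above, a ban on unregistered removable media and detection software watching for violations, both rest on the same thing: an allowlist of the specific devices a facility has approved. As an added example (not code from the article or from any of the organizations it mentions), the following Python script audits Linux kernel log lines for USB mass-storage insertions and reports any device whose vendor ID, product ID and serial number are not on that allowlist. The log lines, the allowlist entries and the serial numbers are constructed for the example; a serial-less drive is treated as unauthorized because it cannot be registered, and a port that is reused after a disconnect is tracked as a fresh device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Allowlist of approved removable media as (idVendor, idProduct, serial),
# written exactly as the kernel prints them.  Constructed for this example.
ALLOWED_MEDIA: Set[Tuple[str, str, str]] = {
    ("0781", "5567", "4C530001230426113232"),
}

# Constructed syslog-style kernel lines (not from a real incident).  A keyboard
# enumerates first (no mass-storage interface, so it is ignored), then an
# approved drive, then an unknown drive on the same port after a disconnect.
SAMPLE_LOG = """\
Feb 15 09:58:03 ws01 kernel: usb 1-1.1: new full-speed USB device number 3 using ehci-pci
Feb 15 09:58:03 ws01 kernel: usb 1-1.1: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
Feb 15 09:58:03 ws01 kernel: usb 1-1.1: Product: USB Keyboard
Feb 15 10:02:11 ws01 kernel: usb 1-1.2: new high-speed USB device number 5 using ehci-pci
Feb 15 10:02:11 ws01 kernel: usb 1-1.2: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Feb 15 10:02:11 ws01 kernel: usb 1-1.2: Product: Cruzer Blade
Feb 15 10:02:11 ws01 kernel: usb 1-1.2: SerialNumber: 4C530001230426113232
Feb 15 10:02:11 ws01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
Feb 15 13:41:50 ws01 kernel: usb 1-1.2: USB disconnect, device number 5
Feb 15 13:47:05 ws01 kernel: usb 1-1.2: new high-speed USB device number 6 using ehci-pci
Feb 15 13:47:05 ws01 kernel: usb 1-1.2: New USB device found, idVendor=090c, idProduct=1000, bcdDevice=11.00
Feb 15 13:47:05 ws01 kernel: usb 1-1.2: Product: USB Flash Disk
Feb 15 13:47:05 ws01 kernel: usb 1-1.2: SerialNumber: 0A1B2C3D4E5F
Feb 15 13:47:05 ws01 kernel: usb-storage 1-1.2:1.0: USB Mass Storage device detected
"""


@dataclass
class MediaEvent:
    """One USB mass-storage insertion and the allowlist verdict for it."""
    timestamp: str
    port: str
    vid: str
    pid: str
    serial: Optional[str]   # None when the device exposes no serial string
    product: str
    allowed: bool


_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<msg>.*)$")
_FOUND = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
_SERIAL = re.compile(r"^usb (?P<port>[\d.-]+): SerialNumber: (?P<serial>\S+)")
_PRODUCT = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<product>.+)$")
_STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
_GONE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect")


def audit_usb_log(log: str, allowed: Set[Tuple[str, str, str]] = ALLOWED_MEDIA) -> List[MediaEvent]:
    """Correlate per-port enumeration lines into mass-storage events and check each
    against the allowlist.  Only devices that bind usb-storage are reported."""
    pending: Dict[str, dict] = {}   # port -> attributes seen so far for the device there
    events: List[MediaEvent] = []
    for raw in log.splitlines():
        m = _LINE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (f := _FOUND.match(msg)):
            # A new enumeration on a port replaces whatever was there before.
            pending[f["port"]] = {"vid": f["vid"], "pid": f["pid"],
                                  "serial": None, "product": "?", "ts": ts}
        elif (s := _SERIAL.match(msg)) and s["port"] in pending:
            pending[s["port"]]["serial"] = s["serial"]
        elif (p := _PRODUCT.match(msg)) and p["port"] in pending:
            pending[p["port"]]["product"] = p["product"]
        elif (g := _STORAGE.match(msg)) and g["port"] in pending:
            d = pending[g["port"]]
            # No serial means the device cannot have been registered: deny.
            ok = d["serial"] is not None and (d["vid"], d["pid"], d["serial"]) in allowed
            events.append(MediaEvent(d["ts"], g["port"], d["vid"], d["pid"],
                                     d["serial"], d["product"], ok))
        elif (x := _GONE.match(msg)):
            pending.pop(x["port"], None)
    return events


def unauthorized_media(log: str, allowed: Set[Tuple[str, str, str]] = ALLOWED_MEDIA) -> List[MediaEvent]:
    """Just the insertions that violate the allowlist, for alerting."""
    return [e for e in audit_usb_log(log, allowed) if not e.allowed]


if __name__ == "__main__":
    for e in unauthorized_media(SAMPLE_LOG):
        print(f"{e.timestamp} port {e.port}: unauthorized media "
              f"{e.vid}:{e.pid} serial={e.serial} ({e.product})")
```

Run against the constructed log, the script ignores the keyboard, accepts the registered drive and flags the "USB Flash Disk" plugged in that afternoon. The same allowlist is what an OS-level device-control policy (udev rules on Linux, removable-storage policy on Windows) would enforce; this audit is the detection half, useful for catching a policy that was never deployed to some machine or a drive that slipped past it.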