Drone fleet keylogger infection: How'd it happen?

So far, there are more questions than answers regarding the keylogger-infected UAV control systems, such as how it got there, what its purpose is and whether the problem starts with the military's own monitoring software.

By

October 11, 2011 | CSO

As you've probably heard by now, a rather tenacious keylogger has reportedly infected an Air Force unmanned aerial vehicle command center at the Creech Air Force Base in Nevada.

These unmanned drones have become increasingly important to U.S. military efforts, used both to gather intelligence and to launch attacks, such as the controversial killing of U.S.-born militant cleric Anwar al-Awlaki last month. One New York Times report states that the Pentagon currently has roughly 7,000 aerial drones, up from fewer than 50 a decade ago, and that Congress is seeking nearly $5 billion for drones in next year's budget.

According to reports, the keylogger was detected about two weeks ago by the military's own intrusion prevention systems and host-based firewall. While the military has tried to remove the suspected malware, it keeps returning.

"The first thing I thought when I saw this was that it was a keylogger on a ground-based system, not on the drones themselves, which is a much less scary scenario than having a drone system, which could theoretically be disconnected from control at any time, infected with code," says Chris Wysopal, computer security expert and CTO of application security firm Veracode.

With no clear answers yet as to how the keylogger managed to finagle its way onto sensitive and classified systems, questions remain about the code's genesis and intent.

Dave Lewis, security researcher and contributing analyst at the security research firm Securosis, says he "has his money on a contractor" as the culprit. Lewis says the challenge there is that contractors are trusted advisors, often with minimal background checks, who are more apt to break policy and use systems not managed directly by the government. "They have the means and the opportunity," says Lewis.

Others, such as Gartner security and compliance research director Ian Glazer, wonder if the keylogger could be the military's own software, placed on the systems as someone's idea of how to conduct "oversight" on the systems.

Computing expert Miles Fidelman posted his thoughts along similar lines on a popular security mailing list: "After seeing this, from a few sources, I'm reminded that there are a couple of vendors who've been selling the Defense Department security monitoring packages that are essentially rootkits that do, among other things, key logging," he wrote. "I kind of wonder if the virus that folks are fighting is something that some other part of DoD deployed intentionally."
