Category Archives: History

Stuxnet Pinned on Israeli Unit 8200

I am still not convinced that it has to be the US or Israel. Just because these two are, geopolitically, the most adamant about shutting down Iran’s nuclear capability does not mean they are the Stuxnet authors. There is likely a more complex relationship of agents at work, such as Iranian dissidents and insiders, and then perhaps support from the US and Israel.

Never mind me, however; the Telegraph says “Israeli cyber unit responsible for Iran computer worm”:

Computer experts have discovered a biblical reference embedded in the code of the computer worm that has pointed to Israel as the origin of the cyber attack.

The code contains the word “myrtus”, which is the Latin biological term for the myrtle tree. The Hebrew word for myrtle, Hadassah, was the birth name of Esther, the Jewish queen of Persia.

Well, more to the point (pun not intended), Jewish mysticism associates myrtle with masculinity, specifically the penis. Are the computer experts saying this word “myrtle” is sufficient proof because they see Israel as the most likely nation to want to penetrate (for lack of a better word) Iran?

That interpretation is the opposite of the more traditional Jewish practice during harvest celebrations — there, myrtle is associated with doing good deeds.

It seems the myrtle could be taken to mean many things.

Moreover, myrtle is also found in northern Africa. The Greeks link it to Aphrodite, Romans say it is dear to Venus. Code is shared. Teams are diverse. Thus, myrtle not only has many meanings but also appears to be important for many nations. I recently went to a Myrtle Beach in South Carolina. Come to think of it there was a suspicious looking person with a laptop there…

Those two reasons (interpretation and geographic distribution) make it difficult for me to automatically think of Israel when I hear of myrtle. If the official symbol of Israeli Unit 8200 were a branch of (flaming?) myrtle, I would be more open to believing there is a clear and simple association.

Perhaps a little history can shed more perspective on the Stuxnet references and investigation; take, for example, the CIA document “Clandestine Service History — Overthrow of Premier Mosaddegh of Iran — November 1952-August 1953”.

The demise of Prime Minister Mossadegh in 1953 came as a result of a coup that was backed by the US CIA to protect British oil companies operating in Iran. The CIA not only convinced Iranians that the democratically elected leader was too dictatorial, but they managed to pressure Mossadegh into defending his ability to stay in power. The US paid “fake” mobs (both against and for a coup) to destabilize the country, stage terrorist activities and eventually arrest the prime minister. Was foreign money the only motivator of these mobs?

Even with the advantage of hindsight, the tangled relationship between US and British intelligence, their respective roles, and the collaboration of internal groups and organizations are still debated. Some say the coup was clearly a US operation, but it cannot be denied that there were many facets to the threat Iran faced.

At this point it seems the word myrtle makes Stuxnet an Israeli operation as much as one swallow makes it spring.

Edited to add: Another reference to Israel has been cited by Threatpost in “Stuxnet Analysis Supports Iran-Israel Connections”:

Though most of the conversation about Stuxnet is still based on conjecture, [Symantec analyst Liam] O’Murchu said that Symantec’s analysis of Stuxnet’s code for manipulating PLCs on industrial control systems by Siemens backs up both the speculation that Iran was the intended target and that Israel was the possible source of the virus. As for Iran, O’Murchu merely pointed to Symantec data that show the country was the source of the most Stuxnet infections. Iran has since blocked communications to Stuxnet’s command and control infrastructure, he said.

As for suggestions that Israeli intelligence may have authored the virus, O’Murchu noted that researchers had uncovered the reference to an obscure date in the worm’s code, May 9, 1979, which, he noted, was the date on which a prominent Iranian Jew, Habib Elghanian, was executed by the new Islamic government shortly after the revolution.

Are you convinced? Attribution is virtually impossible on the network. This sounds more like wishful thinking than proof. Note the “shortly after the revolution” end to their analysis. That date could also be significant to Iranian insiders. Iranian Jews may not be Israeli, even if they have left Iran. Back to my point above, others were executed at the same time. Speaking of Time, an issue from May 21, 1979 makes my point rather darkly:

Last week’s execution of 38 men brought to 204 the number of those condemned to death before firing squads. Among the latest victims were two former Ministers of Information, the last speaker of the lower house of parliament under the Shah, and a number of members of the notorious antiterrorist committee of SAVAK, the disbanded secret police, including a physician charged with specializing in torture techniques.

The two businessmen, both multimillionaires, were Habib Elghanian, a plastics manufacturer and the first Jew to be condemned, and Rahim Ali Khorram, a Muslim who owned a string of gambling casinos and bordellos.

It could be a date significant to others; 204 men of different faiths, backgrounds, beliefs and families were executed at that time. This is not to downplay the importance of one man’s death, of course, but to try and paint a more realistic picture of who might want to now threaten Iran’s nuclear program (assuming Iran is the target).

It is not as easy as A versus B. My studies in International History, as well as travel, have pushed me towards threat models that look more like this:

Impressionable talent in country X, Y and Z end up in country B where they receive information and training from country C, which believes they must act upon information from country D, E and F, funded by countries D, G and H.

It is more like a social network effect, with hard and soft acquaintances, than the two sides of a boxing ring distinguished by their bright colors. The gray area has to remain in focus not only to keep a more accurate record of attribution but also to make it possible to understand the threats and hopefully detect or even prevent attack. It seems we like to think in polar terms because it brings comfort, but in reality we live in a complex world.

Or I could be totally wrong and the next thing revealed about the Stuxnet code is someone’s phone number and address in downtown Jerusalem, which is obviously located in (wait for it…) Arkansas, USA. Thought I was going to say Israel, didn’t you?

Edited again to add: F-Secure has a hilarious Q&A page on Stuxnet. Well worth reading for a balanced view from a security vendor. I suspect Stuxnet soon will be fodder for best joke of the year. Here is just a brief example:

Q: Is it true that there are biblical references inside Stuxnet?
A: There is a reference to Myrtus (myrtle plant). However, this is not “hidden” in the code. It’s an artifact left inside the program when it was compiled. Basically this tells us where the author stored the source code in his system. The specific path in Stuxnet is: \myrtus\src\objfre_w2k_x86\i386\guava.pdb. The authors probably did not want us to know they called their project “Myrtus”, but thanks to this artifact we do. We have seen such artifacts in other malware as well. The Operation Aurora attack against Google was named Aurora after this path was found inside one of the binaries: \Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb.

Q: So how exactly is “Myrtle” a biblical reference?
A: Uhh…we don’t know, really.

Q: How does Stuxnet know it has already infected a machine?
A: It sets a Registry key with a value “19790509” as an infection marker.

Q: What’s the significance of “19790509”?
A: It’s a date. 9th of May, 1979.

Q: What happened on 9th of May, 1979?
A: Maybe it’s the birthday of the author? Then again, on that date a Jewish-Iranian businessman called Habib Elghanian was executed in Iran. He was accused of spying for Israel.

Q: Oh.
A: Yeah.

Guava? What about 5th of September, 1979? Grateful Dead concert, dude, in Madison Square Garden! It also is the date that the Iranian army occupied Piranshahr on the border with Iraq. That seems more like an “infection marker” if you know what I mean.

Funny stuff.

Ok, so now I wonder how best to dress like Stuxnet for Halloween.
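The PDB-path artifact that the F-Secure Q&A above describes is easy to check for yourself during triage. What follows is an added example, not code from this post or from F-Secure: it scans a binary blob for CodeView RSDS records (the signature, a 16-byte GUID, a 4-byte age and a NUL-terminated PDB path that a Microsoft compiler embeds to point at its debug symbols) and pulls out the top-level directory, which is the “project name” the Q&A talks about. The input is a constructed buffer carrying the two paths quoted above, not a real Stuxnet or Aurora sample.

```python
import struct
import uuid

# CodeView RSDS record: b"RSDS" + 16-byte GUID + uint32 age + NUL-terminated path
RSDS_HEADER_LEN = 4 + 16 + 4

def extract_pdb_paths(data: bytes):
    """Scan a binary blob for RSDS records and return (guid, age, path) tuples.
    A byte scan is used rather than walking the PE debug directory so it also
    works on packed or truncated files."""
    found = []
    pos = 0
    while True:
        pos = data.find(b"RSDS", pos)
        if pos < 0 or pos + RSDS_HEADER_LEN > len(data):
            break
        guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
        age = struct.unpack_from("<I", data, pos + 20)[0]
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        path = data[start:end] if end >= 0 else b""
        # A genuine record carries a short printable path; anything else is
        # most likely a chance hit on the four signature bytes.
        if 0 < len(path) < 260 and all(32 <= b < 127 for b in path):
            found.append((str(guid), age, path.decode("ascii")))
        pos += 4
    return found

def project_name(pdb_path: str) -> str:
    """Top-level directory of the path ('myrtus' for the Stuxnet path above);
    a leading drive letter such as 'C:' is skipped."""
    parts = [p for p in pdb_path.replace("/", "\\").split("\\") if p]
    if parts and len(parts[0]) == 2 and parts[0][1] == ":":
        parts = parts[1:]
    return parts[0] if parts else ""

def build_rsds(path: str, guid: uuid.UUID, age: int) -> bytes:
    """Build a synthetic RSDS record (fixture for the constructed sample)."""
    return b"RSDS" + guid.bytes_le + struct.pack("<I", age) + path.encode("ascii") + b"\x00"

# Constructed sample, not a real binary: filler bytes around two records that
# carry the paths quoted in the Q&A, plus a truncated "RSDS" to hit the bounds check.
SAMPLE = (b"MZ" + b"\x00" * 40
          + build_rsds(r"\myrtus\src\objfre_w2k_x86\i386\guava.pdb", uuid.UUID(int=1), 1)
          + b"\x90" * 16
          + build_rsds(r"\Aurora_Src\AuroraVNC\Avc\Release\AVC.pdb", uuid.UUID(int=2), 3)
          + b"RSDS\x01\x02")
```

Run `extract_pdb_paths` over a suspect file’s bytes and feed each path to `project_name`; the GUID and age are also what a symbol server would use to match the PDB, so they are worth recording alongside the path.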

Twitter Visualization and the Kremlin

Link analysis can be very useful for security investigations as I explained last June with regard to the NYC Incident.

Mentionmap is a tool that allows you to graphically display conversations (e.g. replies and hashes) — link analysis for Twitter.

I started by looking at @Number10gov, the official UK government Twitter account (http://apps.asterisq.com/mentionmap/#user-umber10gov). It was fairly rich with connections. Note the connection to @whitehouse at the top of the image:

Compare that with the official Russian Twitter account (http://apps.asterisq.com/mentionmap/#user-Kremlin_e):

The Kremlin led a very well publicized technology tour through the Silicon Valley three months ago and even met with executives at Twitter.

Their account has been active since then, yet they have no links. I checked the Russian version (http://apps.asterisq.com/mentionmap/#user-KremlinRussia) but found the same result.

Differing state-level social media relations policy? Isolationism? Unfriendlyism? Twitter syntax unfamiliarism? I will let you draw (pun not intended) your own conclusions.

Civilians giving away too much control of US CyberSecurity?

I wrote earlier about Deputy Defense Secretary William Lynn’s political posturing for influence or control of CyberCommand in the US. I was brought back to this thought after I read an excellent opinion article in The Daily Star called “An obsession with cybersecurity is not what the US needs”:

Lynn’s proposals are provocative. But the strategy could be costly and perhaps cumbersome, and it involves threats that aren’t well understood by the public – even by many of the companies that could be targets of attacks.

Talking with Lynn, I was struck by the gap between the way defense experts see cyberspace – as a source of potentially crippling assault – and the public’s view of an internet that is a generally benign companion. Although Lynn speaks of cyberspace as a “domain” that can be protected, such as airspace, it may be closer to the oxygen we breathe.

Anyone who has been in a country ruled by a military junta knows the downsides. A perfect example of this was when I was walking down a quiet street one day and noticed a little building surrounded by plants next to a river. It was an interesting scene and I pulled out my camera to take a picture.

No more than a brief moment after my finger pressed the shutter control, three heavily armed men in camouflage emerged from the bushes yelling at me in a foreign language. I stepped back into the pedestrian traffic behind me, but I very quickly noticed they were headed right for me, guns now in their hands at their waist. Fortunately the crowd surrounded me and a yelling match ensued, with the civilians telling the three men to stay back.

The soldiers saw me as a threat perhaps in the same way that Lynn is going to train his staff and tell everyone about the threats facing America. I was using digital equipment so I showed the photo to the soldiers. I did not let go of my camera. They at first said they would have to confiscate my camera and worse but the crowd and I managed to convince them that there was no harm, no threat and no need to waste any more time arguing in the street, blocking everyone’s day. Resolution came when I deleted the photo so the soldiers could see they had made their influence felt. They walked away with guns back over their shoulders and the crowd dispersed.

My experience in this country was overshadowed by the fact that they had been through several military coups. Power was influenced heavily by the presence of domestic and foreign military, both of whom had used force to instate control over the political landscape.

This is just one of many examples you will find that show how easily a disparity can form between civilian and military perceptions of risk. This is not to discount the value of a military presence, but rather to say it needs to be kept in perspective, especially given the recent record of US military threat analysis. I agree completely with the writer in the Daily Star when he says this:

In the debate about cyberstrategy, I hope officials will recognize the dangers of militarizing the global highway for commerce and communication.

All that being said, I also remember when I crossed the border from Mexico into the United States. It was a small-town border crossing on a dusty stretch of desert. I sauntered through a small gate with my camera out in front of me. A yellow school bus was parked along a line of yellow posts in the distance. I raised the camera and pressed the button…a second later a U.S. Border Patrol officer jumped out of a box fifty feet ahead and yelled that I was breaking a Federal law of 1920 that prohibits blah, blah, blah.

I was familiar enough with US laws, unlike the example above, to know this was nonsense and I had done nothing wrong. Nonetheless, here was a man with a gun again telling me that my tourist photo was a clear and present threat to national security. I showed the photo but did not offer to delete it. He said delete it or he was going to seize the camera, which indicated to me this was a kind of process for him. Perhaps it was how he passed the time. I hope you can see where the story goes. This is not the mentality the US needs in an office meant to protect the country from harm. Real threats should be handled. False positives can do more harm than good. Where is the emphasis to prevent false positives?

A secure network is one that operates without interruption, just as a secure neighborhood is one that has no need for military roadblocks. It is possible that the US military will consider civilian values of efficiency and freedom when they work on their new domain of “potential warfare”, but so far I have seen little evidence. Instead I see a lot of military speakers being given open forums to scare civilian crowds with threats (bad guys are at the door, don’t you want to hand over control to the military now?), and Lynn has been the rule, not the exception.

The Wired report on Operation Buckshot Yankee supports my earlier assertion that it is more hype about threat than reality. No clear harm, no clear link to a clear threat; just a vulnerability — apparently weak security controls in the US military.

But exactly how much (if any) information was compromised because of agent.btz remains unclear. And members of the military involved in Operation Buckshot Yankee are reluctant to call agent.btz the work of a hostile government — despite ongoing talk that the Russians were behind it.

Although I remain wary, at the very least I have to thank Lynn and the State Department for giving me excellent and somewhat contradictory material to add to my Top Ten Breaches presentation this October at the RSA Conference in Europe. The analysis feels very similar to my history studies when I had to make sense of the UK Foreign Office, Colonial Office and War Office fighting for control of resources at the end of WWII.