As recent confirmed cyber attacks on the Middle East show that state-sponsored industrial espionage may no longer be the domain of spy films, AEC Magazine asks how secure is your CAD data?
Looking back over 50 years of James Bond, it struck me that the typical targets for hard-working bad guys were defense products. A facially scarred, multi-nippled or highly sadistic man with disposable henchmen would steal nuclear/solar/bio/stealth weapons to extort cash or instigate world destruction. Unfortunately, these days, the really bad guys are not so obvious in their appearance and are more likely to be having a pizza and beer somewhere at the end of a telephone line.
We recently had ‘news’ from security software developer ESET that a virus specifically written for AutoCAD had been found that had infected computers in Peru and emailed thousands of DWG design files to web servers in China. Autodesk contacted AEC Magazine to say that the malware was almost 10 years old and that any virus checker would have picked it up, had the company bothered to run one and closed specific ports on its routers. Autodesk did admit, though, that the sending of DWGs to China was something new in the behaviour of this variant of the ‘ACAD/Medre.A’ malware.
Designs at risk
This got me thinking, just how safe are our designs? In this ever-competitive world, industrial espionage does not require spies like James Bond and is not carried out by shoe-knife wielding Eastern Bloc maids or evil geniuses in Zeppelins.
Recent media reports claimed that the US and Israel sponsored a virus event in 2010 called Stuxnet, which used Windows to infect and self-destruct Siemens uranium enrichment centrifuges in Iran.
Another as yet unnamed nation state was implicated in a malware attack, dubbed Flame, that used Skype to record nearby conversations, captured screenshots, activated Bluetooth to capture IP addresses and transmitted documents across the Middle East.
While state-sponsored espionage is bound to hit the headlines, it is the more ‘mundane’ cyber attacks that should give every design and engineering firm pause for thought.
Senior technology consultant at anti-virus provider Sophos, Graham Cluley, said that the company finds over 100,000 new viruses, trojans and malware for Microsoft Windows every day.
Compared to that, Sophos finds “a handful” each week of new viruses for Apple OS X. “Dozens” of Android viruses are found, many of which are financial scams, linked to premium rate SMS services, trojan access to files and collecting passwords. “Google has not done well in policing its App store,” he said.
Better the devil you know?
CAD developers have, over the years, expanded their software to include programming languages that manipulate design files. The AutoCAD case I mentioned previously was written in AutoLISP and Visual Basic Scripts. It is possible that, if someone should want to, they could pick any popular design system to manipulate. If defence designs are what is required, how about Catia or Siemens’ PLM NX?
Mr Cluley did little to reassure me.
“We are seeing more attacks to steal designs and IP, as well as spying on organisations,” he said and warned that “just as the financial institutions protect their computers, the same has to be applied to engineering firms”.
However, Mr Cluley did indicate that, at present, there are “very few” viruses written to make use of the active components in CAD files. Instead, viruses of this kind are typically created by people trying to prove a point rather than cause damage.
“The real danger is Trojans,” says Mr Cluley. “[Trojans are] the regular malware that opens a back door to your computer, allowing remote access to your files. These are system level and once inside, can go anywhere.”
I pondered whether cloud tools and collaborative storage were an increased risk of viruses or espionage. Mr Cluley agreed: “There’s an element of trust with cloud services which may not be well placed,” he said.
By way of example, Mr Cluley said that file sharing site Dropbox recently had its password authentication turned off, so that any password would gain access, even if it was incorrect.
“The cloud also opens up other issues, such as where exactly is your data stored,” says Mr Cluley. “What countries do the servers reside in? With a rise in state-sponsored spying maybe you would like to know exactly where your designs are residing and what laws protect your data, if any? It’s a question of who can you trust?”
This is a real concern. If CAD tools are migrating to the cloud, how would an organisation like the Atomic Weapons Research Establishment cope if it cannot isolate its CAD systems from the Internet? To my mind the cloud is just not feasible when highly sensitive design data is being stored or shared.
Then there is the thorny issue of social networking. “Social sites are becoming an easy way to gain access [to corporate networks],” says Mr Cluley.
“False invites from people you know to services such as LinkedIn can let someone gain access to everyone you professionally know. Just because you think you know who the email is from doesn’t mean you know who did the typing.
“The social networks have introduced a new dynamic in the way that viruses and malware are passed on. Like the real world, you get infections from people you know.”
With the extended reach of the design office and increased consumption of engineering data, the opportunity for theft increases.
The move to cloud services raises questions yet to be answered, and the pervasiveness of social networks makes humans by far the weakest security link. All it takes is for one member of staff to accept a bogus invite and the whole network could be unlocked, with potential access to the rest of the company.
Pen and paper with your dry martini, anybody?