
Who is watching your CAD data?
As recent confirmed cyber attacks on the Middle East show that state-sponsored industrial espionage may no longer be the domain of spy films, AEC Magazine asks how secure is your CAD data?
by Martyn Day
Looking back over 50 years of James Bond, it struck me that the typical target for hard-working bad guys was defense products. A facially scarred, multi-nippled or highly sadistic man with disposable henchmen would steal nuclear/solar/bio/stealth weapons to extort cash or instigate world destruction. Unfortunately, these days, the really bad guys are not so obvious in their appearance and are more likely to be having a pizza and beer somewhere at the end of a telephone line.
We recently had ‘news’ from ESET security software developers that a virus specifically written for AutoCAD had been found that had infected computers in Peru and emailed thousands of DWG design files to web servers in China. Autodesk contacted AEC Magazine to say that the malware was almost 10 years old and that any virus checker would have picked it up, had the company bothered to have any and closed specific ports on its routers. Autodesk did admit, though, that the sending of DWGs to China was something new in the behaviour of this variant of the ‘ACAD/Medre.A’ malware.
Designs at risk
This got me thinking, just how safe are our designs? In this ever competitive world, industrial espionage does not require spies like James Bond and is not carried out by shoe-knife wielding Eastern Bloc maids or evil geniuses in Zeppelins.
Recent media reports claimed that the US and Israel sponsored a virus event in 2010 called Stuxnet, which used Windows to infect and self-destruct Siemens uranium enrichment centrifuges in Iran. Another as yet unnamed nation state was implicated in a malware attack, dubbed Flame, that used Skype to record nearby conversations, capture screenshots, activated Bluetooth to capture IP addresses and transmit documents across the Middle East.
While state-sponsored espionage is bound to hit the headlines, it is the more ‘mundane’ cyber attacks that should give every design and engineering firm a pause for thought.
Senior technology consultant at anti-virus provider Sophos, Graham Cluley, said that the company finds over 100,000 new viruses, trojans and malware for Microsoft Windows every day. Compared to that, Sophos finds “a handful” each week of new viruses for Apple OSX. “Dozens” of Android viruses are found, many of which are financial scams, linked to premium rate SMS services, trojan access to files and collecting passwords. “Google has not done well in policing its App store,” he said.
Better the devil you know?
CAD developers have, over the years, expanded their software to include programming languages that manipulate design files. The AutoCAD case I mentioned previously was written in AutoLISP and Visual Basic Scripts. It is possible that, if someone should want to, they could pick any popular design system to manipulate. If defence designs are what is required, how about Catia or Siemens’ PLM NX?
Mr Cluley did little to reassure me. “We are seeing more attacks to steal designs and IP, as well as spying on organisations,” he said and warned that “just as the financial institutions protect their computers, the same has to be applied to engineering firms”.
However, Mr Cluley did indicate that, at present, there are “very few” viruses written to make use of the active components in CAD files. Instead, viruses of this kind are typically created by people trying to prove a point rather than cause damage. “The real danger are Trojans,” says Mr Cluley. “[Trojans are] the regular malware that opens a back door to your computer, allowing remote access to your files. These are system level and once inside, can go anywhere.”
I pondered whether cloud tools and collaborative storage were an increased risk of viruses or espionage. Mr Cluley agreed: “There’s an element of trust with cloud services which may not be well placed,” he said.
By way of example, Mr Cluley said that file sharing site Dropbox recently had its password authentication turned off, so that any password would gain access, even if it was incorrect.
“The cloud also opens up other issues, such as where exactly is your data stored,” says Mr Cluley. “What countries do the servers reside in? With a rise in state-sponsored spying maybe you would like to know exactly where your designs are residing and what laws protect your data, if any? It’s a question of who can you trust?”
This is a real concern. If CAD tools are migrating to the cloud, how would an organisation like the Atomic Weapons Research Establishment cope if it cannot isolate its CAD systems from the Internet? To my mind the cloud is just not feasible when highly sensitive design data is being stored or shared.
Then there is the thorny issue of social networking. “Social sites are becoming an easy way to gain access [to corporate networks],” says Mr Cluley.
“False invites from people you know to services such as Linked-In can let someone gain access to everyone you professionally know. Just because you think you know who the email is from doesn’t mean you know who did the typing.
“The social networks have introduced a new dynamic in the way that viruses and malware are passed on. Like the real world, you get infections from people you know.”
Conclusion
With the extended reach of the design office and increased consumption of engineering data, the opportunity for theft increases.
The move to cloud services raises questions yet to be answered and the pervasiveness of social networks makes humans by far the weakest security link. All it takes is for one member of staff to accept a bogus invite and the whole network could be unlocked, with potential access to the rest of the company.
Pen and paper with your dry martini anybody?