Having discovered the virus that targeted Iran’s nuclear plants, Liam O’Murchu is one of the world’s top computer security experts, writes Noel Baker. Hacking is now a major industry, and tracking it carries its own risks.
FOR Liam O’Murchu, it was computer love at first sight. The Kildare man, who was transported to the frontline of global computer security in 2010 with the discovery of the weird and frightening Stuxnet virus, still remembers the first time he got to mess with a computer. It was when a teacher at the CBS in Athy decided to take on extra classes for anyone interested in these futuristic boxes and keyboards. “I did like to break things apart when I was a kid, although putting them back together was not my forte,” he says, speaking from his office at computer software security company Symantec in California.
The Stuxnet virus he discovered is believed to have been created by United States and Israeli agencies to undermine Iran’s nuclear facilities. American whistleblower Edward Snowden also believes this.
O’Murchu (35), a UCD science graduate, still speaks with wonderment about the discovery of the virus. “It was a real thrill,” he says. “By chance, I ended up working on it. It had come into our team, and there was an engineer analysing it for experience and, when I started looking at it, I just thought ‘this is off the charts, there are so many things wrong with this picture’. Everything didn’t fit, every bit of a file I looked at was doing something unusual, with a new technique that had never been used before.”
Symantec’s Stuxnet dossier, available online, says that “Stuxnet is one of the most complex threats we have analysed... it is a large, complex piece of malware with many different components and functionalities”.
It appears Stuxnet was primarily written to target industrial systems, such as those used in gas pipelines and power plants.
And, simply by making a cog in one component spin too fast, it put Iran’s nuclear programme back by two years.
That claim was made in a BBC Horizon documentary, which also outlined O’Murchu’s role, when he and his Symantec colleague, Eric Chien, began analysing the worm.
“We got a sample from another security company. They sent it out to all other security companies, because they knew something weird was going on,” O’Murchu says. Just how weird became apparent.
“The vast majority (of threats) we have seen before, stealing credit cards and passwords, this one, when I looked at it, none of them was there. There were red flags everywhere.”
Most hacking enterprises seek to steal bank account and credit card details, to get at the money. When it came to Stuxnet, however, that theory went out the window.
The devastating impact of Stuxnet sent tremors around the computer world, and indicates where future hacking threats might come from and how they might look.
“We see, at the moment, a couple of different trends going on — there’s profit-driven malware, specifically to make money. That’s 95% of them, getting into your Facebook, your social security number. Then, there is what has occurred in the last couple of years, hacktivism, groups like Anonymous, with some political view. We’ve seen computers in Iran and Saudi being wiped, attacks on broadcasters in US and Korea, and all have a political message behind them. On top of the politically motivated attacks, you have state sponsored and state driven [hacking], where one country is breaking into the computers of another country. Those are the big three areas, and, going forward, we will see more in those areas,” O’Murchu says.
To take a recent example, the pro-Assad Syrian Electronic Army recently redirected Twitter, changing settings on domain names and launching cyber attacks on its opponents.
There was also the troubling case of another contributor to the Horizon programme, Barnaby Jack. The New Zealander had shown how ATMs could be hacked to dispense money, and was due to talk on how pacemaker technology could be sabotaged, opening up the possibility of a threat to the health of millions of Americans. Days before his scheduled talk, in July, he was found dead in his apartment by his girlfriend. As yet, there has been little clarity as to the cause of death. Jack, the hacker’s hacker, was aged just 35, and numerous conspiracy theories have sprung up about his death.
O’Murchu is obviously aware of the case and while he doesn’t feel at any risk, he appreciates that personal security, as well as online security, is a consideration.
“It sounds a little bit far-fetched, but we could imagine there are scenarios where people don’t want us investigating their code, whether it could be state sponsored code, or mafia-backed code. There have been incidents, in the past, where security researchers were threatened because of the work they were doing, such as mafia links to the threat they were investigating, so we do have to take some precautions when analysing certain pieces of code,” he says.
O’Murchu has lived in America for five years, but remembers his introduction to computers. “As soon as I got to UCD’s computer labs, that was pretty much it,” he says. “I loved that environment, the library, reading books on programming, how to control computers, and then met a couple of other friends. Then, I began to recognise other faces doing the same thing. I still have, to this day, friends that I met on day one in the computer lab in UCD.” The Horizon programme illustrated how hackers, despite having supreme technical skills, need to think like a scammer to pull off a successful hack, whether through fake phone calls, impersonations, or deception aimed at getting access to someone’s passwords.
“You really do need to have a hacker mindset to understand what is going on,” O’Murchu says. “In my current role, I try to understand and read into what the attackers are trying to do. You have to have the same kind of intuition as the hackers.”
This is why Symantec employs teams of reverse engineers, who can work backwards to solve a puzzle. “We want people who, when given an unknown or a certain amount of unknowns, can put the picture together.
“The net landscape is changing all the time. It’s something that is a challenge for us. You always have to learn something new.
“When I was going to college, people were interested in hacking into your computer in the lab, or stealing your coursework — that has all moved to cloud or mobile phone, iPads. The technology has changed a lot, but the idea behind a lot of what is going on is the same,” O’Murchu says.
After college, O’Murchu “was working in Dublin, at an anti-spam company, originally. It was a temporary job to earn some money. That company got bought by Symantec, and, on day one, I knew what job I wanted at Symantec: the instant response team.
“We got a tour before we moved offices, of the Symantec building in Blanchardstown, the design and art departments, and I was only interested in security response and I started asking tons of questions, like ‘what tools do you use?’.”
Within a couple of months he got into the security team, later becoming the supervisor.
“Then, the American team needed a supervisor and asked me to come over.”
O’Murchu has already helped to land the big one, but he isn’t finished yet. “I definitely did have that feeling, with Stuxnet, that I’ll never see anything more complex or better than this, but we are always seeing new things that we need to analyse,” he says.
© Irish Examiner Ltd. All rights reserved