How safe is your CAD data?

31 July 2012

With an increase in ‘state-sponsored espionage’ and with the move to the cloud, Martyn Day looks at the issue of viruses that steal Design IP

The newspapers recently looked back over 50 years of James Bond when it struck me that the majority of the things that were stolen in the films were defence products.

The baddie was usually a facially scarred, multi-nippled or highly sadistic man with disposable henchmen, who would steal a nuclear/solar/bio/stealth weapon or instigate world destruction. Unfortunately these days, the really bad guys are not so obvious in their appearance and are more likely to be having a pizza or a beer somewhere at the end of a phone line.   

This month we had ‘news’ from security software developer ESET that it had found a virus specifically written for AutoCAD that had infected computers in Peru and emailed thousands of DWG design files back to web servers in China.

Autodesk contacted us to say that the malware was almost ten years old and that any virus checker would have picked it up, had the company bothered to have one and closed specific ports on its routers. Autodesk did admit, though, that sending DWGs to China was behaviour it had not seen before in this variant of the ‘ACAD/Medre.A’ malware.

This got me thinking, just how safe are our designs? In this ever competitive world, industrial espionage doesn’t require spies like James Bond and isn’t carried out by shoe-knife wielding eastern bloc maids or evil geniuses in Zeppelins.

Recently Iran had a state-sponsored virus event called Stuxnet which used Windows to infect and self-destruct Siemens uranium enrichment centrifuges. Flame is another piece of malware that used Skype to record nearby conversations, captured screenshots, activated Bluetooth to capture IP addresses and transmitted documents. While these are obviously targeted at Middle Eastern countries, it doesn’t mean we aren’t subject to equally complex attempts at espionage.

CAD developers have all expanded their programs to include programming languages that manipulate design files. The AutoCAD case I mentioned above was written in AutoLISP and Visual Basic Scripts. It’s possible that if someone should want to, they could pick any popular design system. If defence designs are what’s required, how about Catia or Siemens’ PLM NX?

Suitably concerned, I talked to my local anti-virus company, Sophos. Graham Cluley, senior tech consultant at Sophos, did little to reassure me. “We are seeing more attacks to steal designs and IP, as well as spying on organisations. Just as the financial institutions protect their computers, the same has to be applied to engineering firms. People don’t really think of their CAD files as having active components.

“However, the truth is there are very few written to make use of this and they are mainly done by people trying to prove a point rather than actually do damage. The real danger is Trojans, the regular malware that opens a back door to your computer, allowing someone to remotely access your files. These are system level and once inside, can go anywhere.”

With the promotion of cloud tools and collaborative storage, I wondered whether this was an increased risk. Cluley agreed, “There’s an element of trust with cloud services which may not be well placed. Recently Dropbox had their password authentication turned off, so if you entered in any password you got access, even if it was wrong.

“The cloud also opens up other issues, such as where exactly is your data stored? What countries do the servers reside in? With a rise in state-sponsored spying maybe you would like to know exactly where your designs are residing and what laws protect your data?”

This is something that has concerned me. If CAD tools are migrating to the cloud (maybe not now, but they will be cloud-delivered services), how would someone like the Atomic Weapons Research Establishment cope if they can’t isolate their CAD systems from the internet? I just don’t see cloud-anything as a solution when highly sensitive design data is being stored or shared.

Sophos recommends a layered approach, anti-virus software and an increase in the use of internal encryption, so that if your system is penetrated, any data files the intruders get will have another degree of protection.

Data loss protection (DLP) systems can also monitor internal network traffic, allowing only encrypted data to be sent out and restricting files that have credit card numbers or more than a certain number of contacts in them, and perhaps allowing no unencrypted CAD drawing files. It’s also important to keep up to date with security patches.
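The outbound DLP rules described above can be sketched as a small content inspector. This is an added example, not code from the article or from Sophos; the thresholds, rule names and sample payloads are assumptions, and the DWG rule relies on the ASCII version tag (such as AC1024) that DWG files start with.

```python
import math
import re
from collections import Counter

DWG_MAGIC = re.compile(rb"AC10\d\d")  # DWG files open with a tag like AC1024
CARD = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits
EMAIL = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MAX_CONTACTS = 3   # assumed limit on contacts per payload
MIN_ENTROPY = 7.5  # assumed bits/byte above which data is treated as encrypted

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, so arbitrary digit runs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inspect(payload: bytes) -> list:
    """Return the reasons to block an outbound payload; empty means allow."""
    reasons = []
    # A readable DWG header means the drawing is not encrypted, however
    # random the rest of the file looks (newer DWGs compress their sections).
    if DWG_MAGIC.match(payload):
        reasons.append("unencrypted DWG drawing")
    if entropy(payload) >= MIN_ENTROPY:
        return reasons  # opaque data with no known header: treated as encrypted
    cards = [re.sub(rb"\D", b"", m) for m in CARD.findall(payload)]
    if any(luhn_ok(c) for c in cards):
        reasons.append("credit card number")
    if len(set(EMAIL.findall(payload))) > MAX_CONTACTS:
        reasons.append("contact list over limit")
    return reasons

# Constructed sample payloads (not real traffic)
SAMPLES = {
    "drawing": b"AC1024" + bytes(256),
    "invoice": b"Paid with card 4111 1111 1111 1111",
}
if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, inspect(data) or "allow")
```

Entropy alone cannot tell compressed data from encrypted data, so a real deployment would pair this heuristic with an allow-list of approved encrypted container formats.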

With the extended reach of the design office and increased consumption of accurate engineering data, the opportunity for theft increases. And that’s against a background of an utterly massive onslaught against the Windows operating system. One of Cluley’s remarks left me gobsmacked:

“We find over 100,000 new viruses, trojans and malware for MS Windows every day; there have been 600 found while we have been chatting. We find a handful each week on Apple OS X, but dozens of Android ones a week, but these are more financial scams, linked to premium rate SMS services, trojan access to files and collecting passwords. Google has not done well in policing its App store.”

The virus problem has been with us a long time but now as design is important there is an increased risk of someone trying to steal these kinds of files. The move to cloud raises questions yet to be answered and the pervasiveness of social networks makes humans the weakest security link between the chair and the computer.

Pen and paper with your Dry Martini anybody? Shaken, not stirred, of course.

 

Comments on this article:

AutoCAD can "lock" DWG files through passwords. Only those with the password can open the file, although I suppose someone else could write software to bypass the password. Best solution is to disconnect AutoCAD computers from the Internet; use separate computers in the office that access the Internet.

Posted by Ralph Grabowski on Wednesday 01 2012 at 08:43 PM

I can remember industry commentators sighing about me drawing attention to Autodesk's licensing and the forewarning of what was later delivered, Autodesk's CIP Trojan. Autodesk have ripped a lot of data off their customers' design computers and their denials they have not taken anything important is false. Autodesk publicly admit to loading one Trojan (others as well I bet) onto their customers' computers without having the professionalism to give their customers the choice and ability to prevent software designed to compromise customers' design systems from being loaded. Couple that unconscionable behaviour with Autodesk's refusal to allow validation of their known actions and what you have is a disaster in the making. Autodesk, and other vendors doing the same stupid things, have created, for their customers, exploitable weak links. CAD customers, in particular, have missed the opportunity to prevent much of what they are now facing. Aided and abetted by industry commentators who for too long believed CAD vendors would do their customers no wrong, with the result they have let their readers down. Now the truth is known we all will pay the penalty!

Posted by R. Paul Waddington on Saturday 04 2012 at 01:21 AM
