Stuxnet's Infection Of Chevron Shows Why 'Weaponized' Malware Is A Bad Idea

from the cyberenemy-within dept

The Stuxnet worm that attacked an Iranian nuclear enrichment facility a couple of years ago was exceptional from several viewpoints. It is believed to have been the costliest development effort in malware history, involving dozens of engineers. It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate. Finally, Stuxnet seems to be the first piece of malware known with reasonable certainty to have been created by the US, probably working closely with Israel.

As Techdirt reported earlier this year, we know all this largely because the malware escaped from the target environment in Iran, and started spreading in the wild. We now learn that one of the companies infected as a result was Chevron:

The oil giant discovered the malware in July 2010 after the virus escaped from its intended target, Mark Koelmel, Chevron's general manager of the earth sciences department, told The Wall Street Journal.

"I don't think the U.S. government even realized how far it had spread," he said. "I think the downside of what they did is going to be far worse than what they actually accomplished."

This highlights a huge problem with the use of malware by national security services to carry out these kinds of covert attacks on their enemies. Where a physical attack on a foreign nation is unlikely to cause direct casualties back at home -- although it may lead to indirect ones through retaliation -- attacks using worms and other malware are far less targeted. If they escape, as is likely to happen given the near-impossibility of controlling what happens to them once they have been released, they may well find their way back to the attacker's homeland, and start infecting computer systems there.

This makes the "weaponization" of malware an inherently dangerous approach. Imagine if a nation deployed worms or viruses that changed data on infected systems in subtle ways, and that these started spreading by mistake among that same country's health organizations or banks. Lives could be lost, and financial systems thrown into disarray.

That's something worth bearing in mind amid increasing calls for the development of software that can be used offensively: as well as the likelihood of tit-for-tat responses, there is also the very real danger that the weapon will turn against the nation that created it.

Follow me @glynmoody on Twitter or identi.ca, and on Google+



Reader Comments

  1. Josh in CharlotteNC, Nov 20th, 2012 @ 1:09pm

    No harm done elsewhere

    I'm going to quibble here. While everything you said is theoretically possible - it hasn't happened yet.

    From the WSJ article:
    "Chevron was not adversely affected by Stuxnet, says Chevron spokesman Morgan Crinklaw."

    Stuxnet was highly targeted. Other than spreading outside of its intended target - it didn't do anything. The malicious part of it did not activate unless it saw a certain number of controllers for a specific model of a certain number of centrifuges.

    While there is always an unknown factor, that this could have ended up somewhere else and caused damage/destruction, it didn't.

    Since we regularly call out officials for hyping up the impending doom of cyber-war, I want to be fair and make sure we're not doing the same thing.

    I'll also argue that the genie was already out of the bottle when it came to cyber-attacks by nation states against other nation states. Stuxnet was particularly effective and exceptional, yes. But it wasn't really the first. Look up the Russian/Georgian conflict. There's also been plenty of theoretical talk about it for years.

     

  2. sehlat, Nov 20th, 2012 @ 2:42pm

    Not a new argument

    Long before designer genes came along, the specter of tailored plagues mutating out of their controls and turning on their creators was (and is) a very real possibility. I recall several science-fiction stories (some in the sixties) which either mentioned the possibility or used it as a plot device.

    Think "genie out of the bottle."

     

  3. Joshy, Nov 20th, 2012 @ 2:51pm

    Wow I love this blog and don't want to be the hater of the day. But another non-story???

    Thousands upon thousands of computers, companies and people worldwide were infected with Stuxnet.... that was kind of the plan in assisting the delivery. However Stuxnet was so specifically written that only the intended target would see the effects. I.e. only nuclear centrifuges using the make and model of parts only found in Iran would be affected.

    What is more noteworthy is that Chevron was unable to prevent the infection that any off the shelf anti-malware would protect against

     

  4. Keii, Nov 20th, 2012 @ 2:52pm

    This is just like the US Government, to create cyber-weapons that get out of control and use it as an excuse to raise cyber-defenses to strip us of our cyber-rights.

    /cyber-tinfoilhat

     

  5. Anonymous Coward, Nov 20th, 2012 @ 2:57pm

    Re: cyber-tinfoilhat has been patented.....

    Please provide the appropriate licensing fee so that we can ensure that your use of /cyber-tinfoilhat is appropriate and does not block the important 'cyber rays' designed to re-educate you...

     

  6. Josh in CharlotteNC, Nov 20th, 2012 @ 3:00pm

    Re:

    any off the shelf anti-malware would protect against

    Stuxnet used quite a few zero-day exploits. These are exploits which are unknown to anyone but the exploiter, or those which have not been publicly released and for which there are no patches and no defenses.

    So no, your copy of AVG Free Edition is not going to protect you, or Chevron, against them.

     

  7. David Muir, Nov 20th, 2012 @ 3:04pm

    I have seen the cyber-enemy and he is us.

     

  8. Keroberos, Nov 20th, 2012 @ 3:07pm

    Re:

    Yes, because Stuxnet was narrowly targeted certainly means any other new malware attack will also be. /sarc

     

  9. Anonymous Coward, Nov 20th, 2012 @ 3:13pm

    Re: Not a new argument

    Thank heavens for whoever talked those war-happy idiots into pursuing "cyber-warfare". Imagine if they'd kept working on actual viruses instead of computer viruses!
    Now if they can just keep focused on cyber warfare, instead of going back to germ warfare. We'll lose vital infrastructure, but at least we won't all die.

     

  10. out_of_the_blue, Nov 20th, 2012 @ 3:19pm (This comment has been flagged by the community.)

    We live in strange times.

    As example, above it says "We now learn", while the article reads as it did when I first saw it, "November 8, 2012", a mysterious lapse of 12 days. -- What's mysterious is that's even longer than usual for Techdirt to catch up!

    Perhaps when news is slow, you guys might try some original writing, proposing specific solutions not just whining. Of course, if you did, and became a source, then you might begin to understand why creators object to every yahoo ripping off work.

    Anyhoo...

    "It is believed to have been the costliest development effort in malware history, involving dozens of engineers. It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate." -- Suggesting that Microsoft was involved. Difficult to even guess, though, as Microsoft surely creates as many zero-day exploits by incompetence as by design.







    Click here for Mike "Streisand Effect" Masnick!
    http://en.wikipedia.org/wiki/Streisand_effect
    Help make Mike the #1 quipper on the net! -- Click one for The Quipper!

     

  11. Anonymous Coward, Nov 20th, 2012 @ 3:20pm

    Re: Re:

    Not that I expect every hole to be patched, but is Stuxnet still zero-day malware at this point? /semantics

     

  12. Overcast, Nov 20th, 2012 @ 3:20pm

    Yet another example of clueless "know it alls"...

     

  13. Josh in CharlotteNC, Nov 20th, 2012 @ 3:26pm

    Re: Re: Re:

    Good question. Given the high profile of this, and the time since it broke, I would wager they have all been. But there will always be exploits, some of them not discovered until actively used. It's hard enough for some companies (cough Oracle/Java) that can't even patch gaping holes in their products months after exploits are widely available.

     

  14. Zos, Nov 20th, 2012 @ 3:30pm

    My understanding of Stuxnet was that it was very, very precisely targeted, to cause a certain model of centrifuge to destroy itself, right?

    So...while it might have spread, what would it actually do on any other machine? Does it open the machine further to other threats? Can it be hijacked? I know these aren't the kind of security questions Techdirt normally deals with, but without some discussion of ACTUAL harm, the article reeks of FUD.

     

  15. Pseudonym, Nov 20th, 2012 @ 3:34pm

    Re: No harm done elsewhere

    I hear what you're saying, but I disagree that "it didn't do anything". Chevron was right to reassure people that no damage was done, but it certainly did stuff.

    First off, it cost a considerable amount of time and money for Chevron, not to mention everyone else.

    Secondly, it reduced Chevron's security in a tangible sense. Stuxnet had remote command and control capabilities, through two web sites. Had someone managed to compromise or spoof those web sites before they were taken down, they would have had remote root access to a crapload of machines.

    It's kind of like someone forging a master key to Chevron's buildings, and sneaked in and had a look around, but didn't touch anything. Yeah, they did do something, even if it wasn't nearly as bad as it could have been.

     

  16. Richard, Nov 20th, 2012 @ 3:41pm

    Biological Weapons

    It seems that computer "viruses" when used as weapons, suffer from the same problem that has so far prevented the widespread use of their biological equivalents. That is their unique unpredictability and tendency to bite back on their masters.

     

  17. Kelly, Nov 20th, 2012 @ 3:45pm

    Just because something is carefully targeted doesn't mean it's safe. And, just as antibodies and anti-virus companies learn from each new attack, so do those targeted. Having seen the constant war that MMOs are playing to keep hacks/dupes/stolen accounts down, I don't know if it's a wise idea to start unleashing computer viruses, no matter how carefully coded.

     

  18. cosmicrat, Nov 20th, 2012 @ 3:48pm

    Cyber-warfare

    So maybe the fear-mongering about planes falling out of the skies or the power grid being hacked has some valid basis. Perhaps the government wants cyber security funded so they can fight against their own rogue creations. Sheesh, this all starts to sound more and more like a William Gibson novel.

     

  19. Crashoverride, Nov 20th, 2012 @ 3:56pm

    Symantec released the ability to scan and identify on July 13th 2010

    Microsoft offered a Stuxnet patch Sept 15th



    Personally I think not only Chevron but all industrial and infrastructure computers should be secured off the net.... And made to accept only secured recognized files and such.

     

  20. Crashoverride, Nov 20th, 2012 @ 4:03pm

    article doesn't exactly say how widespread or on what computers the virus was found. Was it just one computer or whole network was it limited to the secretarial pool or drilling and other critical infrastructure computers.


    This is like complaining about an employee's email that passed through the corporate network. Yes the email might have been offensive illegal etc.... But since it just passed through and even to this day has no way for either the creators or others to use it to do harm to Chevron then uhm..... I'm sure an occasional Chevron handles dynamite does that make him a terrorist because he handled dynamite but never used it for other than intended???

     

  21. silverscarcat, Nov 20th, 2012 @ 4:05pm

    Re: We live in strange times.

    "Perhaps when news is slow, you guys might try some original writing, proposing specific solutions not just whining. Of course, if you did, and became a source, then you might begin to understand why creators object to every yahoo ripping off work."

    I write for fun, you stupid yahoo. If someone takes my work and can do better, more power to them.

    Course, they'll get lambasted by my fans so... ;P

     

  22. Digitari, Nov 20th, 2012 @ 4:07pm

    Re: We live in strange times.

    OOTB is a fucking freetard and ADMITS it

    http://www.techdirt.com/articles/20111208/12500917012/riaa-doesnt-apologize-year-long-blog-censorship-just-stands-its-claim-that-site-broke-law.shtml

    HA HA HA HA HA HA HA HA HA HA HA

     

  23. Anonymous Coward, Nov 20th, 2012 @ 4:17pm

    Re: Re: No harm done elsewhere

    Secondly, it reduced Chevron's security in a tangible sense. Stuxnet had remote command and control capabilities, through two web sites. Had someone managed to compromise or spoof those web sites before they were taken down, they would have had remote root access to a crapload of machines.

    Honestly I think this is a positive more than a negative. Every IT employee who has been pandering for more security and funding at Chevron just received the best talking point possible... and it did no damage.

    How often do you have your security and network isolations tested without either paying a fortune for a specialist company to conduct it or damage being done?

     

  24. GMacGuffin, Nov 20th, 2012 @ 4:49pm

    ...at least it wasn't Skynet...

     

  25. Anonymous Coward, Nov 20th, 2012 @ 5:03pm

    Re: We live in strange times.

    Wait, everyone! Let's not dismiss OOTB out of turn. To be fair: he normally goes off as soon as he sees "Mike" on the byline. In this case he actually got through a paragraph and a half before he could find anything to complain about. Never mind the fact that it was just the word "now".

    This is progress people! He can learn!

     

  26. ldne, Nov 20th, 2012 @ 5:04pm

    Re:

    I.e. only nuclear centrifuges using the make and model of parts only found in Iran would be affected.


    That should be " I.e. only nuclear centrifuges using the make and model of parts only found in Iran at this point in time would be affected."
    What happens if the Iranians do quit, and sell off their components for other uses? Or this thing ends up in someone else's systems down the road that have the same make and model of parts? The problem with stuff like this is that once you cut it loose, realistically, it's around as long as the internet is because there is always someone who doesn't keep up with their security requirements or plugs in an antique computer they bought at a yard sale.

     

  27. sgt_doom, Nov 20th, 2012 @ 5:32pm

    Never assume .....

    Josh in CharlotteNC is incorrect, of course, but we only find out about the horrors much, much later.

    Take that malware which interfered and was blamed for bringing down that airliner (I believe it was in Spain, if I'm not mistaken). After news of it came out, and their stock began to dip, another story was released, claiming the malware was actually on the avionics diagnostic machine, at a mx facility, and not aboard the aircraft's avionics systems after all (they always do that, after the cat's out of the bag --- or never release the real truth).

    The malware wasn't targeted at the airliner's avionics, it simply interfered with the routine alarms being sounded as it occupied specific memory vector spaces it shouldn't have --- similar to that Sony attack on millions.

    When Sony CDs were sent out with their own malware aboard --- which interfered with the running of any other brand's CDs on PCs, and also made the infected PCs vulnerable to further hacks, or cracker attacks, etc., plus caused major rebooting loops when an OS patch was trying to be downloaded (funny how the corporate media never mentions this when they mentioned those Anonymous hacks against Sony).

    Remember those at least 1,300 computers at embassies around the world which were infected by malware from China? It activated the workstation, or PCs', cams and microphones, and it lasted almost 2 years (discovered by Canadian computer scientists back in 2009).

    That was bad enough, but who knows who else accessed those hacked computers as well????

    One can't make unequivocal statements about the damages wrought from malware, unless you've gone through every single line of code, and are equally familiar with every single existing system out there.

    Assumptions simply don't cut it.....

     

  28. Anonymous Coward, Nov 20th, 2012 @ 6:08pm

    I don't know of any zero day exploits that have not been patched in reference to Stuxnet. I suspect that those that were used, the company hardware and software were told of the exploit after it was in place but under speculation I would think they were requested by the US gov to have the patches ready but not to use them until notified.

    I suspect this to be the case simply because after the own up of the US involvement almost everyone from Siemens to Microsoft had a patch out in days.

    Chevron's SCADA control is not hooked to the net. It runs on a separate system, tied through the company's intranet and by itself is not able to connect to the internet. A separate computer is used for report generation, record keeping, company emails, and web surfing. Changing ladder logic requires the software as well as a dongle to obtain authorization access to alter software settings as well as making changes in operation parameters outside those already set up. I know this because I used to run such systems for them.

    It is hooked up this way so that when a hurricane abandonment happens, the offshore platforms are now left running. The crews that operate them come inshore and continue to monitor and operate the platforms from remote control. Due to Federal laws, some operations can not be restarted if they go down unless the operator is physically present to restart them. This is due to things like if you had a hole in a line spraying oil and had a shut down due to a low pressure sensor, the last thing you would want is for someone to be able to restart without looking over the area first.

    In addition, video feeds for sea conditions as well as current, wave, on site weather conditions, are all fed through the system. The operators are liable to be several hundred miles from the platform they are controlling under hurricane conditions.

     

  29. Laroquod, Nov 20th, 2012 @ 7:10pm

    Re: Re: Re: No harm done elsewhere

    That's only a 'positive' if it leads to impenetrable security. I'd say the chances of that are about zero, especially when faced with malware as sophisticated as this.

     

  30. Laroquod, Nov 20th, 2012 @ 7:13pm

    Re: Re: Not a new argument

    Unfortunately with most everybody corrupt there is plenty of evil to go around nowadays.

     

  31. Laroquod, Nov 20th, 2012 @ 7:24pm

    Re:

    Careful there, Julian Huxley's estate probably still owns the copyright on the phrase 'tinfoil hat'. The keyword filter nanites that have entered your bloodstream via "fluoridated" water will edit that phrase from your memory, and put your name on the no-fly list, unless you pay a modest settlement fee of say, $3000.

     

  32. Anonymous Coward, Nov 20th, 2012 @ 7:31pm

    Re: We live in strange times.

    "... It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate."

    That is NOT suggesting Microsoft was involved in developing this malware. All the writer said was it involved 0-days that are in Windows. You're suggesting that because if I find an exploit in the Linux kernel then somehow Linus Torvalds helped me.

    Do you even know what a 0-day even is? No? Didn't think so.

     

  33. Josh in CharlotteNC, Nov 20th, 2012 @ 8:43pm

    Re: Never assume .....

    One can't make unequivocal statements about the damages wrought from malware,

    And yet you're comparing it to planes falling out of the sky. That is what I am arguing against, the alarmism displayed in your comment, and a subtle tone of it in the original article.

    We can have rational discussions on information security without resorting to the hype that we rightly criticize when some congressman does the Chicken Little routine trying to scare up votes for their overreaching bill.

    Perhaps me saying there was no harm done was not strictly correct - but we currently know of no ill effects outside of the intended target - and it has been awhile - besides some people and organizations having to do routine scans and purges of their systems. If you know of any, please share, but until we have evidence, we also shouldn't assume there was harm.

     

  34. Pseudonym, Nov 20th, 2012 @ 9:26pm

    Re: Re: Re: No harm done elsewhere

    I can only imagine what it would be like for Chevron's IT people saying "we haven't done enough to protect ourselves from our own government".

     

  35. Pseudonym, Nov 20th, 2012 @ 9:28pm

    Re: Re:

    Of course! Attacks by the US and Israeli governments have never resulted in harm to innocent parties.

     

  36. Pseudonym, Nov 20th, 2012 @ 9:32pm

    Re: We live in strange times.

    Suggesting that Microsoft was involved.

    A simpler explanation is that someone at Microsoft leaked a copy of the Windows source code to the malware authors. I hope they were well paid.

     

  37. Jesse, Nov 20th, 2012 @ 10:53pm

    I'll take digital warfare over nuclear warfare any day.

     

  38. Mowhammid, Nov 21st, 2012 @ 1:19am

    I find it ironic that Iran, a country that hates the United States, uses Windows. Which is an operating system made in the United States. Can you imagine what will happen when Iran's nuclear missile systems, running on WinXP, get hacked and nukes start getting launched left and right?

     

  39. Anonymous Coward, Nov 21st, 2012 @ 2:54am

    Re:

    The original virus (probably) won't harm anything aside from Iranian centrifuges. But what is going to stop a hacker from extracting one or more exploits from it?
    I bet a team of engineers could even repurpose the whole package to target something else. Especially the Iranian engineers since they know what the target looked like and can detect the parts of the code that identify them.

     

  40. Machin Shin, Nov 21st, 2012 @ 5:49am

    Re: Re: Not a new argument

    Kind of funny you would say that "We'll lose vital infrastructure, but at least we won't all die."

    Apparently you don't realize how many people could die as a direct result of an attack to that infrastructure. Hospitals are especially problematic. Just walk into any hospital and look around at how much is run by computers. These days losing the computers would cripple a hospital. This could easily cause the loss of many lives and it is just one example.

    The use of computer viruses for warfare is just as stupid as using real viruses. You can never truly anticipate the effects it will have in the wild. Once a virus is loose there is no calling it back.

     

  41. BentFranklin, Nov 21st, 2012 @ 6:36am

    Re:

    False choice.

     

  42. weneedhelp, Nov 21st, 2012 @ 7:25am

    Re: No harm done elsewhere

    "Chevron was not adversely affected by Stuxnet, says Chevron spokesman Morgan Crinklaw."

    Yes because we should believe the spokesman for Chevron.

    Phooey. It's his job to reassure investors no "damage" was done.

    If a machine is infected, it is damaged, and will need someone to re-image it. Then you need to be sure all of the thousands of computers were not compromised. And then there is the specialized scientific equipment sometimes running on NT (in the case of ExxonMobil). It is a costly event even if centrifuges weren't damaged.

    Oh yeah then there is the time needed to (DFIR) Digital Forensics, Incident Response to put policies in place so it doesn't happen again.

    No damage? Depends on how you define damage.

     

  43. weneedhelp, Nov 21st, 2012 @ 7:29am

    Re: Re: We live in strange times.

    What he needs is a jacket with really long sleeves, a room with soft cushy walls, and nice gentlemen to make sure he takes his "vitamins" on time.

     

  44. KJ, Nov 21st, 2012 @ 7:31am

    Re:

    It's fairly difficult to have nukes "launched left and right" when there aren't any nukes... Even US generals have admitted that.

     

  45. artp, Nov 21st, 2012 @ 7:33am

    No, this is GOOD news!

    Now maybe we can get Microsoft Windows declared a Weapon of Mass Destruction, and have it banned from export, or import, or maybe they'll just throw it all in an old missile silo? Who knows?

    Good things will happen, though, I can feel it!

     

  46. Anonymous Coward, Nov 21st, 2012 @ 8:46am

    Re:

    I'll take digital warfare over nuclear warfare any day.

    Excellent idea.

    If a nuclear strike hits a city, the (majority of) victims will die quickly, almost instantaneously.

    If a digital strike manages to disrupt major civic infrastructure, we only have to worry about the slow deaths of disease, starvation, and dehydration. And perhaps some localized violence as a side effect.

    I don't believe that we are in any sort of cyber danger right now. I do not believe we need a massive cyberwar program that monitors everything going on over the nets. But I am not foolish or complacent enough to assume that there is no threat.

    Large cities are only sustainable through amazing feats of logistics. Anyone familiar with the resources needed to maintain a city understands that a significant disruption in the infrastructure causes conditions to degrade rapidly. When you have millions of people in the close proximity of any major city, you require millions of gallons of water and millions of pounds of food to be made available on a daily basis, as well as massive amounts of electricity to power everything from hospitals to iPods. Food and water can be kept in reserve, but any disruption longer than a week on a large scale can have dramatic consequences.

    True, we have a robust and redundant infrastructure, and are able to truck in food and water if necessary, and power essential devices. But we're far from invulnerable.

    If I'm going to be a casualty of war, I'd rather be incinerated by a bomb than starve to death as I watch civilization crumble from within.


    We don't face an imminent threat. Any major blow from cyberwarfare would be several years into the future, and would require significant coordination, but it's not impossible.

    The point of Mr. Moody's post is that we're playing with fire. Fire can be a very good thing, when properly controlled and understood. But there's nothing alarmist in reminding people that fire is in fact dangerous.

    Stuxnet is simply one of many examples of a widely-acknowledged truism. There is no such thing as perfect security. With unlimited time and money, a thousand monkeys with typewriters will bypass your triple authentication biometric-passcode-keyed lock. Stuxnet managed to jump air gaps, exploit vectors, and hack the Gibson.

    More importantly, Stuxnet was a generalized attack with a specific payload. It "attacked" millions of computers, and was successful in doing so. It didn't "do anything" because the payload was limited. The cyberware scares come from the idea of a generalized attack with a generalized payload. This is somewhat overstated because computers don't really have the uniformity required for a generalized payload to exist. HOWEVER, a payload can be successfully crafted so that it isn't quite as specific as Stuxnet. With a more generalized payload, the scattershot approach of weaponized malware can easily be turned into "pissing in the wind," so to speak.

     

  47. Rick Smith, Nov 21st, 2012 @ 8:56am

    Re:

    I think the real issue is not the fact that it was specifically targeted and didn't harm Chevron, but is the fact that when it was first discovered we (public/companies) didn't know that. It took years before the government owned up to it and said what it was for. So before that time it was the same as any other virus.

    If we applied your logic to others, then we shouldn't be arresting any virus writer until it's proven to harm your system. Because what it seems to me you are saying is that the US (and whoever else helped them) didn't do any damage so they should get a pass. If we can do that for the government then we should be doing that for everyone. The reason we don't is that it's been deemed illegal to do this, because of potential damage, not because of actual damage. So why should we give the government a pass. They purposely infected more than just their target. I guarantee that if any one of us did this, we would have guys in suits and sunglasses breaking in the door within an hour of discovering our identity. The cost to businesses around the world to analyze and clean this from their systems (which needed to be done, even if they knew it was from the government, and they didn't for a long time) is a drain to their profits, which in turn could be driving stock prices, downsizing, higher consumer prices, you name it. So this little attack has most likely played a part in the global economic issues over the last several years. And who's to say that this is the only one.

     

  48.  
    sgt_doom (profile), Nov 21st, 2012 @ 10:09am

    Re: Re: Never assume .....

    but we currently know of no ill effects outside of the intended target ...

    Again, I just gave several examples you appear to have completely ignored --- it was never made public exactly what malware interfered with the normal alarm systems and caused at least one (???? who really knows if there were more) airliner crash, with many dead, it could have been the earliest version of Stuxnet --- airliners and their pax do get around, ya know?????

    Any malware, when it gets into biomedical devices with limited memory onboard --- can cause untold problems, etc.

    And the full amount of problems caused by Sony is still unknown --- two prime examples (three counting Stuxnet) with untold and unknown consequences.

    Until all the information and data is in, you are making unqualified assumptions.

     

  49.  
    sgt_doom (profile), Nov 21st, 2012 @ 10:17am

    Re:

    .. a country that hates the United States

    And many of us find such opinions, based upon pure ignorance rendered by the corporate media's false and fictionalized reporting -- or rather misreporting, of statements from Iranian politicians, more than ironic, dangerously ignorant.

    Since the overthrow of their democratically elected president or prime minister by the CIA, Brits and criminal elements within that country (Iran), and with the theft of their monies on account in the USA during the hostage crisis --- which very likely was precipitated by at least two major events: the previous overthrow, and installing of the dictator that Shah of his Peacock Throne, and during their revolution in the late '70s, Jimmy Carter's presidential directive to destabilize the then-secular government of Afghanistan (moving Islamic Wahabist extremists from Saudi Arabia, with Saudi Arabian financial backing as well, to Afghanistan's northern border with the old Soviet Union to foment political and religious turmoil there --- the precursor to the Mujahedeen and eventually the Taliban --- when Sufi Islam [a more moderate form and non-extremist] was the majority religion among those living at the northern border).

    No irony involved, simply the typical American ignorance of their own history, which is why, with the typical American media attention span of 20 seconds, when President Obama claims it to be the right of Israel to "defend" itself against retaliatory missiles fired into that country, when President Obama has directed exactly how many missiles fired by US drones into how many different foreign countries?????

     

  50.  
    sgt_doom (profile), Nov 21st, 2012 @ 10:21am

    Re: No, this is GOOD news!

    Excellent points, especially 'cause those phony powers-that-be (the political lackeys of Wall Street) continuously proclaim that China is the New Enemy (after offshoring all the jobs, technology, and investment there), when it was Micro$oft who opened their OS source code to them, then next the Canadian computer scientists discovered how China had penetrated and inserted malware in at least 1,300 computers in embassies all around the world, discovered by in 2009, after almost 2 years of their monitoring activated cams and microphones in said penetrated computers.

     

  51.  
    Jeffrey Nonken (profile), Nov 21st, 2012 @ 10:25am

    Cautionary tales of human-made autonomous entities turning on their creators have been around for centuries. Have the Stuxnet folks never heard of Mary Shelley's book Frankenstein; or, The Modern Prometheus? Members of the U.S. government may be more out of touch than we realized.

     

  52.  
    nasch (profile), Nov 21st, 2012 @ 4:24pm

    Re: Re: Re: Re: No harm done elsewhere

    That's only a 'positive' if it leads to impenetrable security.

    That's an example of the perfect solution fallacy. There is no such thing as impenetrable security.

     

  53.  
    nasch (profile), Nov 21st, 2012 @ 4:26pm

    Re: Re: Re: Not a new argument

    That's all true, but I'd still much rather suffer a computer virus attack than a biological warfare attack.

     

  54.  
    Anonymous Coward, Nov 21st, 2012 @ 7:40pm

    Re:

    Would you also willingly walk into a disintegration chamber if your name appeared on a list of casualties?

     

  55.  
    Josh in CharlotteNC (profile), Nov 23rd, 2012 @ 6:45am

    Re: Re: Re: Never assume .....

    Again, you're accusing me of making assumptions while you're assuming that Stuxnet caused a plane to crash.

    There is a lot more data and evidence around about the extent that Stuxnet spread (relatively limited to a few Mid-East countries), and what it was capable of, than you seem to be aware of.

    Based on the evidence we have so far, I feel comfortable saying that Stuxnet did not cause whatever plane you're referring to crash. What are the pieces of evidence I'm basing that on? First, again Stuxnet was highly targeted and had a limited spread, primarily in the Mid-East. And second, there are tens of thousands of malware families (and millions of variants, but let's keep it simple), of which Stuxnet is only one - and many of those pieces of malware are far more aggressive and damaging. It is much more likely that if whatever plane crash you're referring to was caused by malware, it was caused by one of the "garden variety" threats we see every day, and not some specialized version that was designed to infect an Iranian nuclear facility.

     
