<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/">
<channel>
<title>Techdirt. Stories filed under &quot;stuxnet&quot;</title>
<description>Easily digestible tech news...</description>
<link>http://www.techdirt.com/</link>
<language>en-us</language>
<image><title>Techdirt. Stories filed under &quot;stuxnet&quot;</title><url>http://www.techdirt.com/images/td-88x31.gif</url><link>http://www.techdirt.com/</link></image>
<item>
<pubDate>Tue, 20 Nov 2012 14:30:09 PST</pubDate>
<title>Stuxnet's Infection Of Chevron Shows Why 'Weaponized' Malware Is A Bad Idea</title>
<dc:creator>Glyn Moody</dc:creator>
<link>http://www.techdirt.com/articles/20121113/03453521030/stuxnets-infection-chevron-shows-why-weaponized-malware-is-bad-idea.shtml</link>
<guid>http://www.techdirt.com/articles/20121113/03453521030/stuxnets-infection-chevron-shows-why-weaponized-malware-is-bad-idea.shtml</guid>
<description><![CDATA[ <p>The Stuxnet worm that attacked an Iranian nuclear enrichment facility a couple of years ago was <a href="https://en.wikipedia.org/wiki/Stuxnet#Speculations_about_the_target_and_origin">exceptional from several viewpoints</a>.  It is believed to have been the costliest development effort in malware history, involving dozens of engineers.   It also made use of an unprecedented number of zero-day exploits in Microsoft Windows in order to operate.  Finally, Stuxnet seems to be the first piece of malware known with reasonable certainty to have been created by the US, probably working closely with Israel.
</p><p>
As Techdirt <a href="https://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml">reported</a> earlier this year, we know all this largely because the malware escaped from the target environment in Iran, and started spreading in the wild.  We now learn that <a href="http://blogs.wsj.com/cio/2012/11/08/stuxnet-infected-chevrons-it-network/">one of the companies infected as a result was Chevron</a>:

<i><blockquote>The oil giant discovered the malware in July 2010 after the virus escaped from its intended target, Mark Koelmel, Chevron's general manager of the earth sciences department, told The Wall Street Journal.
<br /><br />
"I don't think the U.S. government even realized how far it had spread," he said. "I think the downside of what they did is going to be far worse than what they actually accomplished."</blockquote></i>

This highlights a huge problem with the use of malware by national security services to carry out these kinds of covert attacks on their enemies.  Where a physical attack on a foreign nation is unlikely to cause direct casualties back at home -- although it may lead to indirect ones through retaliation -- attacks using worms and other malware are far less targeted.  If they escape, as is likely to happen given the near-impossibility of controlling what happens to them once they have been released, they may well find their way back to the attacker's homeland, and start infecting computer systems there.
</p><p>
This makes the "weaponization" of malware an inherently dangerous approach.  Imagine if a nation deployed worms or viruses that changed data on infected systems in subtle ways, and that these started spreading by mistake among that same country's health organizations or banks. Lives could be lost, and financial systems thrown into disarray. 
</p><p>
That's something worth bearing in mind amid increasing calls for the development of software that can be used offensively: as well as the likelihood of <a href="https://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml">tit-for-tat responses</a>, there is also the very real danger that the weapon will turn against the nation that created it.
</p><p>
Follow me @glynmoody on <a href="http://twitter.com/glynmoody">Twitter</a> or <a href="http://identi.ca/glynmoody">identi.ca</a>, and on <a href="https://plus.google.com/100647702320088380533">Google+</a>

</p><br /><br /><a href="http://www.techdirt.com/articles/20121113/03453521030/stuxnets-infection-chevron-shows-why-weaponized-malware-is-bad-idea.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20121113/03453521030/stuxnets-infection-chevron-shows-why-weaponized-malware-is-bad-idea.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20121113/03453521030/stuxnets-infection-chevron-shows-why-weaponized-malware-is-bad-idea.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>cyberenemy-within</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20121113/03453521030</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 20 Jun 2012 05:05:00 PDT</pubDate>
<title>Should We Want A 'Cyberwar'? It's A Lot Less Bloody Than A Real War</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120615/16011719352/should-we-want-cyberwar-its-lot-less-bloody-than-real-war.shtml</link>
<guid>http://www.techdirt.com/articles/20120615/16011719352/should-we-want-cyberwar-its-lot-less-bloody-than-real-war.shtml</guid>
<description><![CDATA[ We've certainly written an awful lot about the <a href="http://www.techdirt.com/articles/20111023/02413916479/non-existent-cyber-war-is-nothing-more-than-push-more-government-control.shtml">ridiculousness</a> of the concept of "cyber war."  Even with things like Stuxnet and Flame, it seems silly to compare what amounts to either electronic espionage or a little hacking as "war."  But perhaps we were looking at it the wrong way.  In a Foreign Policy article by John Arquilla, he argues that <a href="http://www.foreignpolicy.com/articles/2012/06/15/cool_war?page=full" target="_blank">perhaps we should be embracing this kind of "cool war"</a> as it can be effective at stopping threats (even distributed ones like terrorist operations, rather than just centralized ones like governments), while causing minimal bloodshed:
<blockquote><i>
On balance, it seems that cyberwar capabilities have real potential to deal with some of the world's more pernicious problems, from crime and terrorism to nuclear proliferation. In stark contrast to pitched battles that would regularly claim thousands of young soldiers' lives during Robert E. Lee's time, the very nature of conflict may come to be reshaped along more humane lines of operations. War, in this sense, might be "made better" -- think disruption rather than destruction. More decisive, but at the same time less lethal. 
</i></blockquote>
And, indeed, if we believe that reports of "cyber attacks" being used to make planes fall from the sky are greatly exaggerated, perhaps we should welcome a "war" that mainly involves hackers vs. hackers trying to disrupt each other's "real" warfare capabilities.  But, of course, there are plenty of other issues that come up here as well -- such as how secret hacking programs can be abused.  If it gets governments to stop physical battles that lead to real lives lost, that does seem like an improvement, though I'm not sure anyone should think that continuing to attack each other through computers is ever a "good" situation overall.<br /><br /><a href="http://www.techdirt.com/articles/20120615/16011719352/should-we-want-cyberwar-its-lot-less-bloody-than-real-war.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120615/16011719352/should-we-want-cyberwar-its-lot-less-bloody-than-real-war.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120615/16011719352/should-we-want-cyberwar-its-lot-less-bloody-than-real-war.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>one-way-to-think-about-things</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120615/16011719352</wfw:commentRss>
</item>
<item>
<pubDate>Wed, 13 Jun 2012 12:26:00 PDT</pubDate>
<title>Politicians Grandstand About Leaks, But The Rest Of Us See The Prosecution Of Whistleblowers</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120609/02445919261/politicians-grandstand-about-leaks-rest-us-see-prosecution-whistleblowers.shtml</link>
<guid>http://www.techdirt.com/articles/20120609/02445919261/politicians-grandstand-about-leaks-rest-us-see-prosecution-whistleblowers.shtml</guid>
<description><![CDATA[ Early last week, we wrote about the oddity of how the White House didn't seem to much <a href="http://www.techdirt.com/articles/20120601/16020419176/if-youre-going-to-leak-classified-info-about-white-house-it-better-make-them-look-good.shtml">mind</a> "leaks" that made the President look good in terms of being "tough" on our enemies, such as in the NY Times story <a href="http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml">confirming</a> that the US was behind the Stuxnet malware, and that the President himself was very familiar with the program.  This came at the same time as the White House continuing to <a href="http://www.techdirt.com/articles/20120406/12325418410/once-again-administration-vindictively-charges-whistleblower-as-being-spy.shtml">vindictively</a> prosecute people responsible for even very minor leaks, such as the <a href="http://www.techdirt.com/articles/20110715/17491215112/thomas-drake-gets-probation-community-service-judge-slams-feds-prosecution.shtml">Thomas Drake affair</a>, in which some whistleblowing about out-of-control spending at the NSA turned into a malicious prosecution.
<br /><br />
Soon after that story came out, the issue of "good leaks" and "bad leaks" became a huge political football, as it gave the President's opponents an angle to <a href="http://dyn.politico.com/printstory.cfm?uuid=27725597-CCCF-4C45-AF66-266C7AE903FC" target="_blank">attack him for leaking classified info</a>.  The President himself had to shoot back and insist that there were no such leaks happening from the White House -- which is clearly <a href="http://www.lawfareblog.com/2012/06/president-obamas-non-credible-statement-on-leaks/" target="_blank">not true</a>.  Some of the information could have <i>only</i> come from administration officials.
<br /><br />
And, of course, it wasn't just limited to Stuxnet, but other "leaks" of classified info, such as stories around the unmanned drone strike program, which lots of people have reported on, but which is <a href="http://www.onthemedia.org/2012/jun/08/secrets-arent-secret/" target="_blank">still "classified."</a>  Of course, we've now seen grandstanding on both sides of the aisle <a href="http://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml">decrying these leaks</a> -- but <i>not the actions that were exposed by them!</i>
<br /><br />
Instead, they all seem to be upset about the leaks themselves, rather than the fact that these questionable activities were secret in the first place.  As John Cook recently wrote, these kinds of "leaks" are <a href="http://gawker.com/5916901/all-leaks-are-good-leaks?tag=leaks" target="_blank">important because they let us know what our government is doing</a> in our name.  That's why these aren't <i>leaks</i>, so much as whistleblowing.  And that's an important distinction.  That's doubly true as we see to what ridiculous lengths the very same administration goes to in order to <a href="http://www.huffingtonpost.com/2012/05/18/reporters-privilege-obama-war-leaks-new-york-times_n_1527748.html?1337367154" target="_blank">attack</a> anyone who reveals information that makes it look bad.
<br /><br />
One person's leak is another person's whistleblowing.  To treat them all as "leaks" that must be punished (often severely) creates a significant chilling effect on reporting on key issues -- and (worse) gives the government a bubble in which it gets to abuse its power.  Rather than condemning all these "leaks," we should be trying to (a) celebrate those who blew the whistle and (b) understand the details behind why such things were secret in the first place.<br /><br /><a href="http://www.techdirt.com/articles/20120609/02445919261/politicians-grandstand-about-leaks-rest-us-see-prosecution-whistleblowers.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120609/02445919261/politicians-grandstand-about-leaks-rest-us-see-prosecution-whistleblowers.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120609/02445919261/politicians-grandstand-about-leaks-rest-us-see-prosecution-whistleblowers.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>priorities,-people</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120609/02445919261</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 8 Jun 2012 09:59:00 PDT</pubDate>
<title>Sen. Feinstein More Worried About Reaction To The Leak About Stuxnet, Rather Than Reaction To Stuxnet Itself</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml</link>
<guid>http://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml</guid>
<description><![CDATA[ Last week, we wrote about the NYTimes investigative report that revealed that the US government was <a href="http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml">behind Stuxnet</a>, and that President Obama was very, very involved in the process.  It was widely <i>assumed</i> that the US was involved, but this revealed a bunch of details.  We were surprised that the White House appeared not to pressure the NYTs to kill the story (as it has with other leaks of classified info), but wondered if the fact that this made the White House look <a href="http://www.techdirt.com/articles/20120601/16020419176/if-youre-going-to-leak-classified-info-about-white-house-it-better-make-them-look-good.shtml">"tough"</a> and showed a "success story" for the administration, caused them to let it go forward.  Since then, however, reports have come out that the FBI is <a href="http://online.wsj.com/article/SB10001424052702303506404577448563517340188.html" target="_blank">investigating</a> the leak, and Senator Feinstein is similarly <a href="http://www.wired.com/threatlevel/2012/06/stuxnet-leak-investigation/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+wired27b+%28Blog+-+27B+Stroke+6+%28Threat+Level%29%29" target="_blank">calling for hearings on the leak</a> (though, the cynical might argue that this just keeps the "success story" in the news).
<br /><br />
But, the most bizarre response to this also comes from Senator Feinstein, who publicly <a href="http://thehill.com/blogs/defcon-hill/policy-and-strategy/230985-senate-dems-blast-leaks-about-iranian-cyberattacks" target="_blank">worried <i>that the leak</i> would lead to copycat attacks against the US</a>.  The leak.  Not the <i>actual attack</i>:
<blockquote><i>
Sen. Dianne Feinstein (D-Calif.), chairwoman of the Intelligence Committee, said the leak about the attack on Iran&#8217;s nuclear program could &#8220;to some extent&#8221; provide justification for copycat attacks against the United States.
<br /><br />
&#8220;This is like an avalanche. It is very detrimental and, candidly, I found it very concerning,&#8221; Feinstein said. &#8220;There&#8217;s no question that this kind of thing hurts our country.&#8221;
</i></blockquote>
This is, to put it mildly, crazy.  The argument appears to be that it's okay to do technological attacks... just as long as it's all done in secret and no one ever talks about it.   Without the leak, the attack still happened, and <i>that</i> information became public quite some time ago.  If anything was going to inspire copycat attacks it would have been that.  Though, even then, the claim is questionable.  Those who wish to do this country harm haven't been sitting around saying "gee, we can't do anything technological" until they saw Stuxnet come along.
<br /><br />
What's really ridiculous about Feinstein's statement is the basic chilling effects that it puts forth.  It suggests that the US government can do whatever it wants in attacking other countries, just so long as no one ever talks about it.  The talking about factual information isn't the issue here.  And Feinstein should know that, rather than suggesting that basic investigative reporting is the problem.<br /><br /><a href="http://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120606/11024319223/sen-feinstein-more-worried-about-reaction-to-leak-about-stuxnet-rather-than-reaction-to-stuxnet-itself.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>missing-the-point</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120606/11024319223</wfw:commentRss>
</item>
<item>
<pubDate>Mon, 4 Jun 2012 16:29:00 PDT</pubDate>
<title>F-Secure Explains Why It Missed Spotting Flame, Despite Having Seen It Two Years Ago</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml</link>
<guid>http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml</guid>
<description><![CDATA[ With all the attention on the Flame malware, there's a great post over at Wired by F-Secure's Chief Research Officer, Mikko Hypponen, explaining <a href="http://www.wired.com/threatlevel/2012/06/internet-security-fail/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A wired27b %28Blog - 27B Stroke 6 %28Threat Level%29%29" target="_blank">why various security firms totally missed Flame</a> (and Stuxnet and DuQu) for quite some time -- despite samples having been sent all the way back to 2010.  What's refreshing (even as it's surprising) is to see someone so forthright about this being a failure on his part:
<blockquote><i>
What this means is that all of us had missed detecting this malware for two years, or more. That&#8217;s a spectacular failure for our company, and for the antivirus industry in general.
</i></blockquote>
It's so rare to see someone admit to a mistake -- especially one that seems so big (even if it doesn't really impact most people outside of the Middle East).  Part of the problem, he notes, is that spotting this kind of thing is just beyond what companies like his can do:
<blockquote><i>
The truth is, consumer-grade antivirus products can&#8217;t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn&#8217;t be detected. They have unlimited time to perfect their attacks. It&#8217;s not a fair war between the attackers and the defenders when the attackers have access to our weapons.
<br /><br />
Antivirus systems need to strike a balance between detecting all possible attacks without causing any false alarms. And while we try to improve on this all the time, there will never be a solution that is 100 percent perfect. The best available protection against serious targeted attacks requires a layered defense, with network intrusion detection systems, whitelisting against known malware and active monitoring of inbound and outbound traffic of an organization&#8217;s network.
</i></blockquote>
He later concludes: "We were out of our league, in our own game."
<br /><br />
Of course, this is the nature of a security system that is based on reacting to threats, rather than preventing security holes and risks, as he more or less explains.  In the end, there's a bit of a cat and mouse game going on here, and no one's going to be able to catch all malware.  But as even Hypponen admits, the best solution is to rely on more than one method for trying to keep systems secure, rather than believing that there is a single bullet.<br /><br /><a href="http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120604/04493919190/f-secure-explains-why-it-missed-spotting-flame-despite-having-seen-it-two-years-ago.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>cat-and-mouse</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120604/04493919190</wfw:commentRss>
</item>
<item>
<pubDate>Fri, 1 Jun 2012 14:42:00 PDT</pubDate>
<title>NYTimes Reveals Details Of How US Created Stuxnet... And How A Programming Error Led To Its Escape</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml</link>
<guid>http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml</guid>
<description><![CDATA[ With a lot of new attention being paid to the <a href="http://www.nytimes.com/2012/05/31/technology/researchers-link-flame-virus-to-stuxnet-and-duqu.html" target="_blank">Flame malware</a> that was datamining computers around the Middle East, there have been plenty of comparisons to Stuxnet, the famous bit of malware that was targeted at <a href="http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml">mucking up</a> Iran's nuclear power program.  So it's very interesting timing to see the NY Times <a href="http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?pagewanted=2&#038;_r=1&#038;seid=auto&#038;smid=tw-nytimespolitics&#038;pagewanted=all" target="_blank">reveal many of the details behind Stuxnet</a>, including confirming that it was a program driven by the US, with a lot of help from the Israelis.  Many, many, many people suspected that already, but it certainly appears that the NYTimes has numerous detailed sources that support this claim.
<br /><br />
Perhaps even more interesting, however, is the fact that Stuxnet (which apparently originally infected Iranian nuclear plants via workers using USB keys when they shouldn't) was never supposed to get out into the wild.  It was supposed to just sit in the computers at the power plant, confusing the hell out of the Iranians.  But, obviously, that didn't happen.   Having that info get out into the wild probably killed off the effort much earlier than expected, since it basically explained to the Iranians what was happening.
<br /><br />
It's also noteworthy that a source in the article claims that Stuxnet was the first example of using a computer attack to destroy physical items (it made centrifuges work irregularly in ways that could cause them to break).  Some have therefore used Stuxnet as "proof" of the cybersecurity threats out there and the misnamed "cyberwar."  I'm not sure that's true.  Stuxnet still appears to be a rather unique case in terms of a very, very specific target that had some significant vulnerabilities.  We hear lots of worries about cybersecurity impacting physical infrastructure -- and I'm sure that those who wish to do harm would love to bring down power grids and airplanes through some form of a cyber attack.  But I'm not convinced that the success of Stuxnet is so easily replicable in other such areas.  And I don't see how that automatically justifies effectively tossing out all privacy protections.<br /><br /><a href="http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20120601/04275319163/nytimes-reveals-details-how-us-created-stuxnet-how-programming-error-led-to-its-escape.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>when's-the-movie-coming-out</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20120601/04275319163</wfw:commentRss>
</item>
<item>
<pubDate>Thu, 11 Aug 2011 16:13:00 PDT</pubDate>
<title>Are We Talking About 'Cyberwar' Or Massive Incompetence?</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20110804/11314715390/are-we-talking-about-cyberwar-massive-incompetence.shtml</link>
<guid>http://www.techdirt.com/articles/20110804/11314715390/are-we-talking-about-cyberwar-massive-incompetence.shtml</guid>
<description><![CDATA[ Rich Kulawiec points us to the news of Dillon Beresford of NSS Labs recently discovering (and revealing) that the Siemens control systems targeted by Stuxnet have <a href="http://www.wired.com/threatlevel/2011/08/siemens-hardcoded-password/" target="_blank">massive security holes</a>, including a <i>hardcoded username/password combo</i> ("basisk" for both, in case you were wondering).  As Kulawiec noted:
<blockquote><i>
We have been treated, over the past few years, to an increasing chorus of hysteria and hype about "cyberwar".  Some of that has come from governments eager to justify their increasing invasion of citizen privacy.  Some of that has come from government contractors, eager to score more $100M do-nothing contracts.  And since Stuxnet has come to light, it's been held up repeatedly as an example of the extreme cleverness of attackers.<br />
<br />
But while Stuxnet is pretty darn clever, that's not the real problem.  The real problem is that the incompetent morons at Siemens allowed this piece of crap to get out the door and into production environments.  Thus the storyline isn't so much about the devious and subtle craft of Stuxnet's creators, as it is about the jaw-dropping negligence of Siemens: how could their QA miss this?  How could they allow such a rudimentary, obvious mistake to pass?<br />
<br />
We don't need to spend billions (or trillions) on elaborate cyberwar initiatives.  We need to stop making fundamental mistakes.  We need to stop doing the stupid things that we KNOW are stupid.
</i></blockquote>
But that kind of stuff isn't quite as sexy as declaring "cyberwar" and asking for billions of dollars from the government.<br /><br /><a href="http://www.techdirt.com/articles/20110804/11314715390/are-we-talking-about-cyberwar-massive-incompetence.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20110804/11314715390/are-we-talking-about-cyberwar-massive-incompetence.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20110804/11314715390/are-we-talking-about-cyberwar-massive-incompetence.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>perhaps-more-the-latter...</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20110804/11314715390</wfw:commentRss>
</item>
<item>
<pubDate>Tue, 18 Jan 2011 16:01:00 PST</pubDate>
<title>Stuxnet Increasingly Sounding Like A Movie Plot</title>
<dc:creator>Mike Masnick</dc:creator>
<link>http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml</link>
<guid>http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml</guid>
<description><![CDATA[ Like many people, I've been following the story of the Stuxnet worm with great interest.  As you probably know, this worm was apparently designed to infect Iranian nuclear operations to create problems -- and supposedly setting back their nuclear operations quite a bit.  The NY Times came out with a <a href="http://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html?hp=&#038;pagewanted=all" target="_blank">fascinating investigative report about the background of Stuxnet</a> over the weekend, and it's worth a read.  What I found most entertaining was the rather Hollywood-trickery angle by which Stuxnet did its dirty work:
<blockquote><i>
The worm itself now appears to have included two major components. One was designed to send Iran&rsquo;s nuclear centrifuges spinning wildly out of control. Another seems right out of the movies: The computer program also secretly recorded what normal operations at the nuclear plant looked like, then <b>played those readings back to plant operators</b>, like a pre-recorded security tape in a bank heist, so that it would appear that everything was operating normally while the centrifuges were actually tearing themselves apart. 
</i></blockquote>
That latter part is, indeed, right out of a movie.  I guess sometimes truth does mimic fiction.  That said, I'm still trying to figure out how or why Iran allowed any sort of outside code or computers into their nuclear operations.<br /><br /><a href="http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml">Permalink</a> | <a href="http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml#comments">Comments</a> | <a href="http://www.techdirt.com/articles/20110117/02205812696/stuxnet-increasingly-sounding-like-movie-plot.shtml?op=sharethis">Email This Story</a><br />
 ]]></description>
<slash:department>made-for-hollywood</slash:department>
<wfw:commentRss>http://www.techdirt.com/comment_rss.php?sid=20110117/02205812696</wfw:commentRss>
</item>
</channel>
</rss>