Friday, October 01, 2010

Has Israel Unleashed a Cyber-Monster?

It's a computer superworm called Stuxnet.  It's built to sabotage the industrial control systems that run facilities such as nuclear plants and pipelines, and it's believed to have been created by Israel to disable Iran's nuclear programme.

Stuxnet, however, may have a blowback effect and it's got top computer security wizards in knots.  According to National Public Radio, Stuxnet was the hot topic at yesterday's Virus Bulletin conference in Vancouver, where experts from Symantec (maker of Norton antivirus), who have been analyzing Stuxnet for weeks, presented their findings:

Eric Chien, technical director at Symantec's Security Response Unit, says he and his colleagues have been stunned by what they've found.  "I've been dealing with malicious code threats for 15 to 20 years now, I've seen every large sort of outbreak, and we've never seen anything like this," Chien says. "It's fundamentally changed our job, to be honest."

That's because studying a computer worm designed to sabotage a power plant or gas refinery is a far cry from thinking about some virus engineered by a lone hacker.

"It changes the urgency at which we have to analyze these threats and understand them and make sure that people who are affected know they are affected and how to get themselves cleaned up," Chien says.

The Symantec researchers say the Stuxnet worm was designed by a well-funded, well-organized group, perhaps affiliated with a government. They're convinced it was meant to target facilities in Iran. The worm was apparently designed to penetrate and take over the computerized control system used in nuclear plants there.

But it's becoming clear that the repercussions may go far beyond Iran.

"Now that it's released, numerous other people will take that and go, 'aha,' " says Stephen Spoonamore, a veteran cybersecurity consultant who has spent years pursuing hackers. He thinks some other group may now be able to take the Stuxnet computer code and modify it slightly to create its own cyber superweapon.

Spoonamore says it probably would have been better if Israel had simply bombed Iran's nuclear facilities.   "Compared to releasing code that controls most of the world's hydroelectric dams or many of the world's nuclear plants or many of the world's electrical switching stations? I can think of very few stupider blowback decisions."

7 comments:

Anonymous said...

As someone that manages PLC control networks like what Stuxnet threatens, take this whole Israel-Iran thing with a big-GIGANTIC cube of salt. It's all conjecture (for instance, India and Indonesia got hit harder than Iran by this thing.)

http://www.sophos.com/blogs/duck/g/2010/10/01/stuxnet-security-theatre-blows-balloon/

Not to say that the threat isn't a problem, thing is you do not need a highly engineered virus like Stuxnet to take down a facility. I can do it with a 1995 DOS-based computer. Why? Because PLCs will accept commands from any computer that talks to them. There's no username/password, security validation, nothing at all to prevent any computer from issuing a command to a PLC.

Using Stuxnet to take down a production facility is like using a nuke to blow up a car.

THAT's the problem. It has been a problem for almost 20 years now. I'm just surprised that nothing public has happened before now. It doesn't require any particular special set of skills. Hell, it's easy enough to do by accident.

So this whole Israel/Iran angle is a distraction from the real problem.
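An added example, not code from the original post or from the commenter above, illustrating the point that a PLC executes any well-formed command from any host that can reach it. Assumptions: the comment names no protocol, so this uses Modbus/TCP (a common PLC protocol whose frames carry no credential); the "PLC" is a toy in-memory register table, not a real device; and the gateway source-address allowlist is a hypothetical mitigation chosen here because the protocol itself cannot be made to distinguish an operator from an intruder. It runs offline.

```python
"""Modbus/TCP frames have no authentication field: a toy PLC executing them
cannot tell an engineering workstation from a stranger on the same network.
Added example; protocol choice, toy register table and the allowlist are
assumptions, not anything from the original post."""
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP = struct.Struct(">HHHB")
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06


def _frame(tid: int, unit: int, pdu: bytes) -> bytes:
    """Prepend the MBAP header; length counts the unit id plus the PDU."""
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_write_register(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Write Single Register request: function code, address, value. That is
    the whole message; there is no token, password or signature to check."""
    return _frame(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, addr, value))


def build_read_registers(tid: int, unit: int, addr: int, count: int) -> bytes:
    """Read Holding Registers request."""
    return _frame(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, addr, count))


def parse_read_response(frame: bytes) -> list:
    """Return the register values carried in a Read Holding Registers reply."""
    _tid, _proto, _length, _unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if pdu[0] & 0x80:
        raise ValueError("Modbus exception code %d" % pdu[1])
    byte_count = pdu[1]
    return list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:2 + byte_count]))


class ToyPLC:
    """Holding-register table that executes whatever it is sent (constructed)."""

    def __init__(self, size: int = 16):
        self.registers = [0] * size

    def handle(self, frame: bytes) -> bytes:
        tid, _proto, length, unit = MBAP.unpack_from(frame, 0)
        pdu = frame[MBAP.size:MBAP.size + length - 1]
        fc = pdu[0]
        if fc == FC_WRITE_SINGLE_REGISTER:
            addr, value = struct.unpack(">HH", pdu[1:5])
            self.registers[addr] = value          # no check on who asked
            resp_pdu = pdu                        # success echoes the request
        elif fc == FC_READ_HOLDING_REGISTERS:
            addr, count = struct.unpack(">HH", pdu[1:5])
            data = struct.pack(">%dH" % count, *self.registers[addr:addr + count])
            resp_pdu = bytes([fc, len(data)]) + data
        else:
            resp_pdu = bytes([fc | 0x80, 0x01])   # exception: illegal function
        return _frame(tid, unit, resp_pdu)


def gateway(plc: ToyPLC, src_ip: str, frame: bytes,
            allowed=frozenset({"10.0.0.5"})):
    """Hypothetical mitigation: since the protocol cannot authenticate, the
    only lever is to restrict which hosts may reach the PLC at all.
    Returns None (frame dropped) for a source outside the allowlist."""
    if src_ip not in allowed:
        return None
    return plc.handle(frame)


def hijack_setpoint(plc: ToyPLC, addr: int, value: int) -> int:
    """What 'any computer that talks to them' amounts to: one write, then
    read it back. Returns the register value the PLC now holds."""
    plc.handle(build_write_register(1, 1, addr, value))
    reply = plc.handle(build_read_registers(2, 1, addr, 1))
    return parse_read_response(reply)[0]


if __name__ == "__main__":
    plc = ToyPLC()
    print("setpoint after unauthenticated write:", hijack_setpoint(plc, 3, 1500))
    dropped = gateway(plc, "192.168.1.99", build_write_register(3, 1, 3, 0))
    print("same write through the allowlisted gateway from a stranger:", dropped)
```

The write and read paths are exactly what a legitimate HMI would send; nothing in the frame lets the device refuse the stranger, which is why the comment's point about segmentation and physical access, rather than a clever worm, is the real issue.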

The Mound of Sound said...

Why do you think it's got Symantec so concerned? The NPR story claims they've been studying it for weeks and convened this conference because of it.

Anonymous said...

As a (former) customer of Symantec, I'm cynical enough to believe that they are trying to push their security solutions by raising mass hysteria. Sophos (my link) is also a security company.

The weird thing is, the Stuxnet virus part is "common" at least in terms to other viruses. So that alone justifies security measures.

Anonymous said...

i find myself between worlds a bit on this. People are incredibly complacent when it comes to viruses (half the reason Iran/India/Indonesia got infected was unpatched computers and lazy security practices). So raising concern is a good thing.

BUT no focus is on these insecure PLCs that run damn near every manufacturing facility/energy facility/anything automated and are so easy to screw with and cause destruction.

Anonymous said...

Wide open spaces, uh, like all I need is the right URL and I can logon to the parent directory of the computer that controls the internal workings at a Nuke plant, after giving the right user name and password - this exists?

Anonymous said...

Lots of info at

http://www.f-secure.com/weblog/archives/00002040.html

Note the necessity of an initial act of "normal" crime...

Q: How could the attackers get a trojan like this [Stuxnet] into a secure facility?
A: For example, by breaking into a home of an employee, finding his USB sticks and infecting it. Then wait for the employee to take the sticks to work and infect his work computer. The infection will spread further inside the secure facility via USB sticks, eventually hitting the target. As a side effect, it will continue spread elsewhere also. This is why Stuxnet has spread worldwide.

Anonymous said...

@Anon: Wide open spaces, uh, like all I need is the right URL and I can logon to the parent directory of the computer that controls the internal workings at a Nuke plant, after giving the right user name and password - this exists?

People have done dumber things, but this and the next comment pertain to the hard exterior shell and soft gooey middle of facility network security. The hard outer shell is Firewall access controls, Intrusion Prevention Devices, etc. etc. The soft gooey middle is the network that all internal systems are on.

However, if they wish people to work from home, there may well be a remote portal that allows remote access into the soft gooey middle. If it is only a username/password combo access, well then, there you go. That's all you need and you are in.

As you pointed out, one vector of attack is the USB stick of an employee. The other vector is an external consultant that is a "double agent" or who himself is unknowingly carrying an infected USB stick.

Heck, if physical security is lax, you may be able to just walk into the facility. After 12 years, I have yet to have anyone ask me for ID. I just say I'm from IT and they let me access what I want and remove any equipment I want. You would hope a Nuc. facility would have greater access control, but a friend of mine that consulted on the Bruce nuc. upgrade assured me its not much better. Just wear a badge and a white hard hat and they pretty much just waved you in.

Nervous yet?