Free Republic

Warning over malicious computer worm (infects sw controlling valves in pipelines, powerplants)
Financial Times | Sept. 24, 2010 | Joseph Menn, Mary Watkins

Posted on 09/24/2010 6:35:14 AM PDT by SmartInsight

A piece of highly sophisticated malicious software that has infected an unknown number of power plants, pipelines and factories over the past year is the first program designed to cause serious damage in the physical world, security experts are warning.

The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes.

“It is not speculation that this is the first directed cyber weapon”, or one aimed at a specific real-world process, said Joe Weiss, a US expert who has testified to Congress on technological security threats to the electric grid and other physical operations. “The only speculation is what it is being used against, and by whom.”

They suggest that it is most likely associated with a national government and that terrorism, ideological motivation or even extortion cannot be ruled out.

(Excerpt) Read more at ft.com ...


TOPICS: Business/Economy; Extended News; War on Terror
KEYWORDS: computers; cyberterrorism; internet; siemens; software; stuxnet; terrorism; wot
Also see article from 2002:

Cyber-Attacks by Al Qaeda Feared Terrorists at Threshold of Using Internet as Tool of Bloodshed, Experts Say

Late last fall, Detective Chris Hsiung of the Mountain View, Calif., police department began investigating a suspicious pattern of surveillance against Silicon Valley computers. From the Middle East and South Asia, unknown browsers were exploring the digital systems used to manage Bay Area utilities and government offices. Hsiung, a specialist in high-technology crime, alerted the FBI's San Francisco computer intrusion squad.

Working with experts at the Lawrence Livermore National Laboratory, the FBI traced trails of a broader reconnaissance. A forensic summary of the investigation, prepared in the Defense Department, said the bureau found "multiple casings of sites" nationwide. Routed through telecommunications switches in Saudi Arabia, Indonesia and Pakistan, the visitors studied emergency telephone systems, electrical generation and transmission, water storage and distribution, nuclear power plants and gas facilities.

Some of the probes suggested planning for a conventional attack, U.S. officials said. But others homed in on a class of digital devices that allow remote control of services such as fire dispatch and of equipment such as pipelines. More information about those devices -- and how to program them -- turned up on al Qaeda computers seized this year, according to law enforcement and national security officials.

1 posted on 09/24/2010 6:35:20 AM PDT by SmartInsight

To: SmartInsight
Walmart was down worldwide yesterday.
2 posted on 09/24/2010 6:38:19 AM PDT by mountainlion (concerned conservative.)

To: SmartInsight
Mama always said these computers are going to destroy us.
DANG.
3 posted on 09/24/2010 6:48:22 AM PDT by no-to-illegals (Please God, Bless and Protect Our Men and Women in Uniform)

To: SmartInsight

I used to work with Joe Weiss at EPRI. Good to see my old colleague getting some press.


4 posted on 09/24/2010 6:48:45 AM PDT by ProtectOurFreedom

To: SmartInsight

We don’t need an EMP or solar event to reduce us to the middle ages.


5 posted on 09/24/2010 6:49:18 AM PDT by vanilla swirl (We are the Patrick Henry we have been waiting for!)

To: SmartInsight

I have been arguing for years that the Windows monopoly is a monoculture. It will suffer the same fate as the Dutch tulip market crash, the Irish potato(e) famine, the boll weevil infestation and other monocultures over history.

If 95% of our computers are controlled by one family of operating systems, some day there will be a worldwide infection that has the potential to wipe them out.

The only answer is Diversity. I know this is a bad word with so-called Conservatives, but heterogeneity in computers is a necessary thing in a modern, wired, connected world economy.

Think about it: if all your connected computers run Windows, there is a 100% chance that a Windows infection on one of them will spread to another.

But say you have four Operating Systems in your institution: 1/4 Windows, 1/4 Mac, 1/4 Linux, 1/4 some other obscure OS. If one system gets infected, the chance of the next is 1/4. The chances of ALL your systems getting the infection is (1/4)**N where N is the number of systems in your entire institution.

But as with all visionary concepts, this will be ignored until the disaster strikes. Then everyone will ask: “Why didn’t we take precautions?”


6 posted on 09/24/2010 6:59:23 AM PDT by eCSMaster
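An added simulation of the monoculture argument in the post above (example code written for this page, not from the thread or its authors). The fleet size, the OS mix, the ring-plus-random-chords network and the rule that a worm only jumps between hosts running its target OS are constructed assumptions; the point it shows is that a single-OS worm's reach is capped by that OS's share of the fleet, and equals the whole connected fleet under a monoculture.

```python
import random
from collections import deque

# Constructed fleets (assumptions for the simulation, not figures from the thread).
MONOCULTURE = {"Windows": 1.0}
MIXED_FLEET = {"Windows": 0.25, "Mac": 0.25, "Linux": 0.25, "Other": 0.25}


def build_fleet(n, os_shares, extra_links=3, seed=1):
    """Return (hosts, links): hosts[i] is the OS of host i, links[i] its neighbours.

    OS counts follow os_shares exactly, then the assignment is shuffled so no OS
    sits in one contiguous block. Every host is wired to the next one in a ring
    (so the fleet as a whole is always connected) plus a few random chords.
    """
    rng = random.Random(seed)
    hosts = []
    for os_name, share in os_shares.items():
        hosts.extend([os_name] * int(round(share * n)))
    first_os = next(iter(os_shares))
    hosts = hosts[:n] + [first_os] * (n - len(hosts))  # absorb rounding slack
    rng.shuffle(hosts)
    links = {i: set() for i in range(n)}
    for i in range(n):
        links[i].add((i + 1) % n)
        links[(i + 1) % n].add(i)
        for _ in range(extra_links):
            j = rng.randrange(n)
            if j != i:
                links[i].add(j)
                links[j].add(i)
    return hosts, links


def worm_reach(hosts, links, target_os, patient_zero):
    """Breadth-first spread: an infected host compromises every neighbour that
    runs target_os; a host running anything else is a dead end for this worm."""
    if hosts[patient_zero] != target_os:
        return set()
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for nb in links[host]:
            if nb not in infected and hosts[nb] == target_os:
                infected.add(nb)
                queue.append(nb)
    return infected


def compromised_fraction(os_shares, target_os="Windows", n=200, seed=1):
    """Fraction of the whole fleet a target_os worm reaches, starting from the
    first target_os host it lands on."""
    hosts, links = build_fleet(n, os_shares, seed=seed)
    patient_zero = hosts.index(target_os)
    return len(worm_reach(hosts, links, target_os, patient_zero)) / n


def worst_case_fraction(os_shares, target_os="Windows"):
    """Topology-independent ceiling: the worm cannot execute on hosts that do
    not run its target OS, so its reach can never exceed that OS's share."""
    return os_shares.get(target_os, 0.0)


if __name__ == "__main__":
    for label, fleet in (("monoculture", MONOCULTURE), ("mixed fleet", MIXED_FLEET)):
        print(f"{label:12s} reach={compromised_fraction(fleet):.2f} "
              f"cap={worst_case_fraction(fleet):.2f}")
```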

To: eCSMaster
The only answer is Diversity.

I hear ya. I'm switchin' back to Windows 3.1.

7 posted on 09/24/2010 7:04:38 AM PDT by super7man

To: eCSMaster
Indeed.

Worse, Microsoft believes that obscurity is security.

Look at that article again:

The Stuxnet computer worm spreads through previously unknown holes in Microsoft's Windows operating system

Somehow this reminds me of the 0bama administration, everything happens "unexpectedly"...

8 posted on 09/24/2010 7:10:46 AM PDT by null and void (We are now in day 612 of our national holiday from reality. - 0bama really isn't one of US.)

To: _Jim

It’s happening.


9 posted on 09/24/2010 7:11:45 AM PDT by null and void (We are now in day 612 of our national holiday from reality. - 0bama really isn't one of US.)

To: SmartInsight

bump for after work


10 posted on 09/24/2010 7:24:33 AM PDT by OrioleFan (Republicans believe every day is the 4th of July, democrats believe every day is April 15.)

To: SmartInsight

I was just reading about something similar:

The Farewell Dossier (How the CIA blew up the Trans-Siberian pipeline with pirated software)
http://www.freerepublic.com/focus/f-news/2594959/posts


11 posted on 09/24/2010 7:25:25 AM PDT by idkfa

To: SmartInsight; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

12 posted on 09/24/2010 7:26:31 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: SmartInsight

This is the danger when you hire the lowest cost person in a third world country to program your systems. I am beginning to believe that these unknown exploits in Microsoft code are deliberately put there.


13 posted on 09/24/2010 7:34:56 AM PDT by w1andsodidwe (How can you tell when the President is lying? When his lips move, of course.)

To: mountainlion
Walmart was down worldwide yesterday.

Do you think it's related to this? The whole company? Kind of scary - always feel that Walmart will get 'the trucks through' - metaphorically speaking ( Hurricane Katrina and all )...

14 posted on 09/24/2010 7:36:56 AM PDT by GOPJ (http://www.freerepublic.com/focus/f-bloggers/2589165/posts)

To: idkfa

Are you saying we put out the worm?


15 posted on 09/24/2010 7:38:27 AM PDT by GOPJ (http://www.freerepublic.com/focus/f-bloggers/2589165/posts)

To: eCSMaster
The only answer is Diversity.

It's our strength.

16 posted on 09/24/2010 7:58:25 AM PDT by Still Thinking (Freedom is NOT a loophole!)

To: null and void
"The Stuxnet computer worm spreads through previously unknown holes in Microsoft's Windows operating system"

Somehow this reminds me of the 0bama administration, everything happens "unexpectedly"...

And...it's full of previously unknown holes!

17 posted on 09/24/2010 8:04:23 AM PDT by Still Thinking (Freedom is NOT a loophole!)

To: eCSMaster
I fear systems so dependent on computers that nothing can be done; in my view there should always be a way for actual human control. Nor is this total interconnection a good thing. People don't realize just how vulnerable we are to some evil computer terrorist.

For your most obscure 4th OS, you might try Amiga OS!

18 posted on 09/24/2010 8:04:52 AM PDT by hoosierham (Waddaya mean Freedom isn't free ?;will you take a credit card?)

To: hoosierham; eCSMaster

I actually ran into a large industrial router not too long ago running on OS/2! The manufacturer wanted some ungodly amount for a Windows version of their operating software, so we had to deal with it as is.


19 posted on 09/24/2010 8:09:58 AM PDT by Still Thinking (Freedom is NOT a loophole!)

To: ProtectOurFreedom
I used to work with Joe Weiss at EPRI.

I'm right down the street!

20 posted on 09/24/2010 8:49:50 AM PDT by martin_fierro (< |:)~)

To: SmartInsight

It is infecting Siemens Step 7 PLC programming? That’s the only thing that I know of that they use in industrial operations.


21 posted on 09/24/2010 8:53:42 AM PDT by raybbr (Someone who invades another country is NOT an immigrant - illegal or otherwise.)

To: no-to-illegals

And the silly people in days of old did things manually, ain’t technology grand.


22 posted on 09/24/2010 9:09:36 AM PDT by Vaduz

To: GOPJ
Are you saying we put out the worm?

Of course not. Someone else is doing it to us. Either a hostile foreign government or a hacker.

23 posted on 09/24/2010 9:49:30 AM PDT by idkfa

To: ShadowAce

The first question I always ask myself when I see something like this is: “Why was it necessary to have this system connected to the web?”

If the answer is “Convenience” well, I can think of a lot of people who are going to be inconvenienced if the system goes down because of improper security.

From reading the article, I don’t see any reason for these systems to be this vulnerable.

This is not a Windows issue.

This is poorly implemented security, at best.


24 posted on 09/24/2010 11:01:23 AM PDT by stylin_geek (Greed and envy is used by our political class to exploit the rich and poor.)

To: stylin_geek

They can infect systems without them being connected to the Internet. I think I read somewhere that some new, in-the-box thumbdrives and harddrives that were being sold in stores were infected. Connect it to a network and you are done.

Also, this article said that this particular worm can stay dormant, so you might not even know it’s there, until the time for when it’s programmed to do its damage.


25 posted on 09/24/2010 11:24:08 AM PDT by SmartInsight (Bad officials are elected by good citizens who do not vote. ~ G. J. Nathan)

If it had to happen, it makes me kind of giggle that it is happening to the Siemens S7....WORST PLC EVER!!!!!


27 posted on 09/24/2010 12:56:54 PM PDT by dsrtsage (One half of all people have below average IQ...In the US the number is 54%)

To: SmartInsight

So I guess the $64,000 question is one of who has developed software to check for and purge the worm from individual systems, and where can that be obtained?


28 posted on 09/24/2010 1:01:34 PM PDT by Smokin' Joe (How often God must weep at humans' folly. Stand fast. God knows what He is doing.)

To: Still Thinking
I liked OS/2, Warp 4 was pretty cool!

But that was at least 10 years ago.

Of course a lot of upgrades are not really necessary if the existing system is doing the job you need.

29 posted on 09/24/2010 1:04:46 PM PDT by hoosierham (Waddaya mean Freedom isn't free ?;will you take a credit card?)

To: vanilla swirl
We don’t need an EMP or solar event to reduce us to the middle ages.

How long until it's a snot nosed teenager ushering in the dark ages?

30 posted on 09/24/2010 1:10:35 PM PDT by GOPJ (http://www.freerepublic.com/focus/f-bloggers/2589165/posts)

To: stylin_geek
A lot of systems are web-connected simply so the troubleshooting or adjustments can be done from an engineer or maintenance worker's home, obviating the inconvenience of a trip to the shop. But if one person can get into a system then someone else can as well.

Thumbdrives are probably the biggest physical security hazard today.

If I was in charge, the computers at my workplace would have all those ports shut off, maybe physically blocked as well. Employees routinely bring in thumbdrives full of music and vacation pictures to show others or play while working. From a security standpoint, any company that allows this is foolish.

Unfortunately some expensive software uses "secure" thumbdrives as license keys; that makes disconnecting the port a problem.

31 posted on 09/24/2010 1:12:13 PM PDT by hoosierham (Waddaya mean Freedom isn't free ?;will you take a credit card?)

To: hoosierham; SmartInsight

In reading the article, there was talk about unknown browsers scanning these systems.

This indicates, at least to me, a very real problem with network security and internet security. Sensitive systems should not be on the internet. If it’s absolutely necessary for remote access, then someone should have to physically enable access. And, as soon as the remote work is done, access is removed.

With thumb drives, it’s possible to deny ordinary users the rights to run executables. I believe Sandisk is notorious for having some sort of stupid executable that runs when you insert the thumb drive. That’s the kind of thing you can’t allow in the interests of security.


32 posted on 09/24/2010 1:30:34 PM PDT by stylin_geek (Greed and envy is used by our political class to exploit the rich and poor.)

To: ProtectOurFreedom
I used to work with Joe Weiss at EPRI. Good to see my old colleague getting some press.

I have met Joe a number of times as well, and he gets plenty of press.

33 posted on 09/24/2010 1:41:08 PM PDT by Ditto (Nov 2, 2010 -- Time to Clean House.)

To: stylin_geek
The first question I always ask myself when I see something like this is: “Why was it necessary to have this system connected to the web?”

From what I understand, Stuxnet is not coming over the web, but from infected USB memory sticks.

People give these things away like candy, pass them around all over the place, and you really have no idea what may be on them.

Be careful with them and never use one in an important device.

34 posted on 09/24/2010 1:48:00 PM PDT by Ditto (Nov 2, 2010 -- Time to Clean House.)

To: Ditto

Agree with that...but first time I’ve seen him mentioned on FR!


35 posted on 09/24/2010 2:27:46 PM PDT by ProtectOurFreedom

To: SmartInsight

Rename the main Siemens files so the bad program won’t know that is the program running.
Won’t then recognize the program it was supposed to attack.


36 posted on 09/24/2010 2:34:33 PM PDT by A CA Guy ( God Bless America, God bless and keep safe our fighting men and women.)

To: GOPJ

“How long until it’s a snot nosed teenager ushering in the dark ages?”

“To destroy a dam physically would require “tons of explosives,” Assistant Attorney General Michael Chertoff said a year ago. To breach it from cyberspace is not out of the question. In 1998, a 12-year-old hacker, exploring on a lark, broke into the computer system that runs Arizona’s Roosevelt Dam. He did not know or care, but federal authorities said he had complete command of the SCADA system controlling the dam’s massive floodgates.

Roosevelt Dam holds back as much as 1.5 million acre-feet of water, or 489 trillion gallons. That volume could theoretically cover the city of Phoenix, down river, to a height of five feet. In practice, that could not happen. Before the water reached the Arizona capital, the rampant Salt River would spend most of itself in a flood plain encompassing the cities of Mesa and Tempe — with a combined population of nearly a million.”

http://www.washingtonpost.com/wp-dyn/content/article/2006/06/12/AR2006061200711_pf.html


37 posted on 09/24/2010 2:51:25 PM PDT by SmartInsight (Bad officials are elected by good citizens who do not vote. ~ G. J. Nathan)

To: stylin_geek

Used to love Sandisk but now won’t buy anything that has their name on it over that issue. As if loading software on storage that you bought wasn’t cheeky enough, they made it look like a CD so it was read-only when you plugged it in! Not only do they know better than you what’s good for you, you’re not even allowed to use your man hours to correct their mistake! On flash memory you’ve paid for!


38 posted on 09/24/2010 4:41:33 PM PDT by Still Thinking (Freedom is NOT a loophole!)

To: stylin_geek

Now, they DID post a utility on their website to “fix” the drives, but forgive me if I’m not all aflutter that the fix to unsolicited executable code is...more unsolicited executable code. Sounds like the kind of company you’d get if you left Democrats in charge.


39 posted on 09/24/2010 4:43:21 PM PDT by Still Thinking (Freedom is NOT a loophole!)

To: SmartInsight
Unsettling signs of al Qaeda's aims and skills in cyberspace have led some government experts to conclude that terrorists are at the threshold of using the Internet as a direct instrument of bloodshed.

I'll bet most Qaeda cyber-terrorists were trained in American Universities... or maybe all....

40 posted on 09/24/2010 7:57:29 PM PDT by GOPJ (http://www.freerepublic.com/focus/f-bloggers/2589165/posts)

To: SmartInsight

bump


41 posted on 09/24/2010 7:59:51 PM PDT by GOPJ (http://www.freerepublic.com/focus/f-bloggers/2589165/posts)

To: Still Thinking

Amen to that.


42 posted on 09/24/2010 9:20:19 PM PDT by stylin_geek (Greed and envy is used by our political class to exploit the rich and poor.)

To: null and void
Worse, Microsoft believes that obscurity is security.

They don't believe that. It's just that Windows is such a complex and arcane contraption that it's too complicated for any given person to foresee how all the thousands of pieces will interact with one another.

Consider the registry key HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/abp480n5/Parameters/PnpInterface/5 - set to a value of "1" on my system.

The abp4805n5 service was associated with a severe security vulnerability which "lets remote attackers to execute arbitrary code through a web page that triggers existence of an object in memory that was not suitably downloaded or deleted, aka "Uninitialized Memory Corruption Vulnerability."

And that's just one of hundreds of possible services in Windows XP.

43 posted on 09/26/2010 5:39:42 AM PDT by mvpel (Michael Pelletier)

To: stylin_geek

If you’re interested in all the things examined by the Defense Security Service, check out this page: http://www.dss.mil/isp/fac_clear/download_nispom.html

It’s the National Industrial Security Program Operating Manual. The DSS also maintains a set of Baseline Standards for Windows operating systems, available only to cleared personnel, which is about 150 pages worth of individual Windows registry and configuration settings.

Far too many people don’t take it seriously enough, though.


44 posted on 09/26/2010 5:49:14 AM PDT by mvpel (Michael Pelletier)

To: null and void

null and void: “It’s happening.”

Over-generalization (IOW: No it’s not); it’s a targeted event ... besides, the Iranians are all using ‘expired’ Siemens authoring control-software ...

For an interesting read see:
http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html

One of the better posts from that thread:

“The ability to take over a PLC/SCADA plant and make it do something specific is going to take inside knowledge, not just of the networks and SCADA, but of the actual process, wiring and components and so the question is, do the attackers have this information”

Yup, that’s my reasoning as well (but I did not put it in my comment above because some people think I say too much as it is; no, Nick P, I’m not pointing the finger :-)

It’s why I questioned the origin of the worm with,

‘All this actually tells us is that they likely have significant experience of SCADA or they were a lot closer to the target than people are admitting.’

Which is one of the reasons I suggested that Iran itself could have been the “state sponsor”.

Every time I hear about “cyber warfare” and how “crackers could bring down the world” I think ‘yup, when they learn to be engineers with domain knowledge, and that ain’t gonna happen any time soon’.

To have more chance of success than luck as a cracker you have to,

1, Locate your chosen target.
2, Enumerate it for weaknesses.
3, Exploit weaknesses without tripping alarms.
4, Enumerate the internal network without tripping alarms.
5, Locate host controller.
6, Enumerate the host for weaknesses.
7, Gain access to host controller without tripping alarms.

To get this far there are three ways I know,

A, Have “insider knowledge”.
B, Have focused intel and “domain knowledge” to direct the attack.
C, Have “domain knowledge” and use a “fire and forget” attack methodology.

On the face of it this worm appears to be C and similar to the PDF/DOC harvest version of Zeus that went for the .mil network.

However when you look at what would be required to move forward with a real warfare attack then it comes a long way short as you said.

As you dig a little deeper you realise as you said that domain knowledge alone is insufficient to get a real warfare result.

Which means that either,

D, It was trying to close the intel gap.
E, It was a fund raiser / saber rattler.

Personally, from some experience I would doubt that D would actually get you anywhere as near as direct human intel. Also D is quite costly compared with direct human intel. Further there is the issue of “footprints and fingerprints”: burglars try very hard not to leave signs of “reconnaissance” such as footprints, and further they try even harder not to leave positive incriminating evidence such as “fingerprints”.

This worm leaves both footprints and fingerprints, all of which is a little too obvious and makes me start looking for a rat.

Again on the face of it four Zero Days does seem a little extravagant, or does it?

Personally I think not, but my reasoning is long winded.

Which leaves us with shock horror access to code signing keys.

But again how significant is this... we have recently seen the HDCP master key being revealed and not so long ago the keys to TI calculators.

So the question becomes how many other code signing keys have become vulnerable and the answer unsurprisingly is ask how much security is used around the keys...

Generally not a lot. That is, lowly “code cutters” get lowly pay, and getting code cranked through the code signing process is a lot easier than people think, as the lowly code cutters do not regard it as security, just part of the code cutting “handle cranking”.

And often neither do the managers etc; some “bought in” talent may well have slipped code through the process without anybody noticing.

All of which is just as easy for “state sponsored” as it is for “non state sponsored”...

This then brings in the question of “plausible deniability”, by the use of an intermediate party to a third party between a state player and the third party malware cutter.

I could go on but...

Posted by: Clive Robinson at September 23, 2010 12:08 PM


45 posted on 10/02/2010 3:43:16 PM PDT by _Jim (Conspiracy theories are the favored tools of the weak-minded.)
