Posted on 09/24/2010 6:35:14 AM PDT by SmartInsight
A piece of highly sophisticated malicious software that has infected an unknown number of power plants, pipelines and factories over the past year is the first program designed to cause serious damage in the physical world, security experts are warning.
The Stuxnet computer worm spreads through previously unknown holes in Microsoft’s Windows operating system and then looks for a type of software made by Siemens and used to control industrial components, including valves and brakes.
“It is not speculation that this is the first directed cyber weaponâ€, or one aimed at a specific real-world process, said Joe Weiss, a US expert who has testified to Congress on technological security threats to the electric grid and other physical operations. “The only speculation is what it is being used against, and by whom.â€
They suggest that it is most likely associated with a national government and that terrorism, ideological motivation or even extortion cannot be ruled out.
(Excerpt) Read more at ft.com ...
bump
Amen to that.
They don't believe that. It's just that Windows is such a complex and arcane contraption that it's too complicated for any given person to foresee how all the thousands of pieces will interact with one another.
Consider the registry key HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/abp480n5/Parameters/PnpInterface/5 - set to a value of "1" on my system.
The abp4805n5 service was associated with a severe security vulnerability which "lets remote attackers to execute arbitrary code through a web page that triggers existence of an object in memory that was not suitably downloaded or deleted, aka "Uninitialized Memory Corruption Vulnerability."
And that's just one of hundreds of possible services in Windows XP.
If you’re interested in all the things examined by the Defense Security Service, check out this page: http://www.dss.mil/isp/fac_clear/download_nispom.html
It’s the National Industrial Security Program Operating Manual. The DSS also maintains a set of Baseline Standards for Windows operating systems, available only to cleared personnel, which is about 150 pages worth of individual Windows registry and configuration settings.
Far too many people don’t take it far seriously enough, though.
null and void: “It’s happening.”
Over-generalization (IOW: No it’s not); it’s a targeted event ... besides, the Iranians are all using ‘expired’ Siemens authoring control-software ...
For an interesting read see:
http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html
One of the better posts from that thread:
“The ability to take over a PLC/SCADA plant and make it do something specific is going to take inside knowledge, not just of the networks and SCADA, but of the actual process, wiring and components and so the question is, do the attackers have this information”
Yup that’s my reasoning as well (but I did not put it in my comment above because some people think I say to much as it is (No Nick P I’m not pointing the finger :-)
It’s why I questioned the origin of the worm with,
‘All this actually tells us is that they likley have significant experiance of SCADA or they where a lot closer to the target than people are admitting.’
Which is one of the reasons I sugested that Iran it’s self could have been the “state sponsor”.
Every time I hear about “cyber warfare” and how “crackers could bring down the world” I think ‘yup when they learn to be engineers with domain knowledge and that ain’t goner happen any time soon’.
To have more chance of success than luck as a cracker you have to,
1, Locate your chosen target.
2, Enumerate it for weaknesses.
3, Exploit weaknesses without tripping alarms.
4, Enumerate the internal network without tripping alarms.
5, Locate host controler.
6, Enumerate the host for weaknesses.
7, Gain access to host controler without tripping alarms.
To get this far there are three ways I know,
A, Have “insider knowledge”.
B, Have focused intel and “domain knowledge” to direct the attack.
C, Have “domain knowledge” and use a “fire and forget” attack methodology.
On the face of it this worm appears to be C and similar to the PDF/DOC harvest version of Zeus that went for the .mil network.
However when you look at what would be required to move forward with a real warfare attack then it comes a long way short as you said.
As you dig a little deeper you realise as you said that domain knowledge alone is insufficient to get a real warfare result.
Which means that either,
D, It was trying to close the intel gap.
E, It was a fund raiser / saber rattler.
Personaly from some experiance I would doubt that D would actually get you any where as near as direct human intel. Also D is quite costly compared with direct human intel. Further there is the issue of “footprints and fingerprints” burglers try very hard not to leave signs of “reconosaance” such as footprints, and further they try even harder not to leave positive incriminating evidence such as “fingerprints”.
This worm leaves both footprints and fingerprints, all of which is a little to obvious and makes me start looking for a rat.
Again on the face of it four Zero Day does seem a little extragavent, or does it?
Personaly I think not but my reasoning is long winded.
Which leaves us with shock horror access to code signing keys.
But again how significant is this... we have recently seen the HDCP master key being revealed and not so long ago the keys to TI calculators.
So the question becomes how many other code signing keys have become vulnerable and the answer unsurprisingly is ask how much security is used around the keys...
Generaly not a lot. That is lowley “code cutters” get lowley pay and getting code cranked through the code signing process is a lot easier than people think as the lowly code cutters do not regard it as security just part of the code cutting “handle cranking”.
And often neither do the managers etc, some “bought in” tallent may well have slipped code through the process without any body noticing.
All of which is just as easy for “state sponsored” as it is for “non state sponsored”...
This then brings in the question of “plausible deniability”, by the use of an intermediate party to a third party between a state player and the third party malware cutter.
I could go on but...
Posted by: Clive Robinson at September 23, 2010 12:08 PM
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.