
Stuxnet Still Out of Control At Iran Nuclear Sites

Velcroman1 writes "Iran's nuclear program is still in chaos despite its leaders' adamant claim that they have contained the computer worm that attacked their facilities, cybersecurity experts in the US and Europe say. Last week President Mahmoud Ahmadinejad, after months of denials, admitted that the worm had penetrated Iran's nuclear sites, but he said it was detected and controlled. The second part of that claim, experts say, doesn't ring true. Owners of several security sites have discovered huge bumps in traffic from Iran, as the country tries to deal with Stuxnet. 'Our traffic from Iran has really spiked,' said a corporate officer who asked that neither he nor his company be named. 'Iran now represents 14.9 percent of total traffic, surpassing the United States with a total of 12.1 percent.'"

  • by Rich0 ( 548339 ) on Thursday December 09, 2010 @07:58PM (#34508672) Homepage

    I think this attack just shows the difference that good engineering can make. Most worms out there are relatively unsophisticated, or are developed by people with limited means to pull off quick scams.

    Stuxnet shows what a truly determined adversary can do. One who knows your internal processes. One who understands your industry-specific software - the stuff nobody outside the industry ever touches. One who has a large team of talented programmers, carefully designing and building the attack. One who has access to government resources - the ability to tap communications lines, inject traffic, etc. One who is funded strategically - they don't want to hold your business for ransom for $1M, they want your $100B company to collapse so that one they favor can take over, or whatever.

    The software out there that runs on intranets around the world is some of the most insecure stuff you'll ever see. It rarely gets subjected to serious attack, and the vulnerabilities aren't evident to the average corporate IT guy who is just doing basic due-diligence. Your average PHB doesn't want to pay for testing that will actually uncover serious flaws - they want the system to look good to their customers and have the right bells and whistles - and pricetag.

    We'll see more of these attacks in the future - count on it...

  • Re:The real question (Score:5, Informative)

    by wampus ( 1932 ) on Thursday December 09, 2010 @08:07PM (#34508738)

    If you read about how this thing works, the real payload is a rootkit for a motor drive PLC built by an Iranian manufacturer and spinning in the range needed to enrich uranium. It was also targeted at the desktop software designed to program said motor drive, which is Windows. If they were running Linux, I'm sure there are a few zero day sploits out there suitable for hiding a rootkit dropper. The people that made this thing had time, information, legitimate driver signing certificates, and resources. I doubt there are many platforms that can deal with such a determined attacker.

  • Re: Iran... (Score:5, Informative)

    by pilgrim23 ( 716938 ) on Thursday December 09, 2010 @08:21PM (#34508924)
    I do not, I do as many Persians do and ignore him. Most there believe they have no voice anyway (see last election).
  • by syousef ( 465911 ) on Thursday December 09, 2010 @08:45PM (#34509206) Journal

    One who has a large team of talented programmers, carefully designing and building the attack.

    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf [symantec.com]

    Symantec speculates a team size around 5-10 not including QA (whatever the heck that means).

    Personally I think there is probably a "team" of 1-3 people sniggering to and congratulating themselves. (Probably adding "Stupid Americans"). That is if they haven't been shot.

    I'll give you talented, though.

  • by headhot ( 137860 ) on Thursday December 09, 2010 @09:13PM (#34509548) Homepage

    The attack was very specific. Uranium enrichment requires an exact rpm over a long period of time. Most industrial equipment does not have that exacting level of tolerance needed.

  • by icebike ( 68054 ) on Thursday December 09, 2010 @09:20PM (#34509620)

    Enrichment does not require EXACT rpm. It's a centrifuge, nothing more.

    Thousands of industrial applications require exact speed (far greater exactness than a centrifuge). Electrical Generators, Paper machines, rolling mills, sewage pumps, blower motors, automated bottling lines, automated assembly lines of all kinds.

    Try not to make assertions your experience will not back up.
