Stuxnet/Cyberwar Documentary Reviewer: 'The U.S. Has Pwned Iran' (networkworld.com) 138
Slashdot reader alphadogg quotes an article from Network World:
The new documentary about Stuxnet, "Zero Days", says the U.S. had a far larger cyber operation against Iran called Nitro Zeus that has compromised the country's infrastructure and could be used as a weapon in any future war. Quoting unnamed sources from inside the NSA and CIA, the movie says the Nitro Zeus program has infiltrated the systems controlling communications, power grids, transportation and financial systems, and is still ready to "disrupt, degrade and destroy" that infrastructure if a war should break out with Iran...
For the more technically inclined, the film contains some riveting interviews with researchers at Symantec who devoted their lives to unraveling the code line by line to figure out what it did, how it did it, who created it and what the target was. It was also a bit chilling in that after they figured out that governments were behind the worm they worried that the researchers themselves might be targeted to keep them silent. One Friday night, says Symantec researcher Eric Chien, he said to his research partner Liam O Murchu, "I'm not suicidal. If I should show up dead on Monday, it wasn't me."
In the film former NSA and CIA director Gen. Michael Hayden says "This stuff is hideously over classified."
For the more technically inclined, the film contains some riveting interviews with researchers at Symantec who devoted their lives to unraveling the code line by line to figure out what it did, how it did it, who created it and what the target was. It was also a bit chilling in that after they figured out that governments were behind the worm they worried that the researchers themselves might be targeted to keep them silent. One Friday night, says Symantec researcher Eric Chien, he said to his research partner Liam O Murchu, "I'm not suicidal. If I should show up dead on Monday, it wasn't me."
In the film former NSA and CIA director Gen. Michael Hayden says "This stuff is hideously over classified."
This is not propaganda. (Score:2)
Re: (Score:1)
That's what they all said.
Re: (Score:2)
But for which side?
For Americans so we feel like we have our hand at the button and in control when those rogue governments go too far?
Or is it from those countries who have other issues and want to distract those issues because America has a major influence force corrupting them from the inside.
America is the big dog with a lot of power and influence however we are not all powerful nor have this constant hidden influence trying to keep all the other countries down.
Re: This is not propaganda. (Score:4, Insightful)
For Americans so we feel like we have our hand at the button
American, huh. We say "hand on the button..."
Re: (Score:1)
Utterly impossible to tell how much truth there is in such unverifiable statements.
After all, the US government also benefits if Iran just _thinks_ they're pwned. If they rip out perfectly fine infrastructure that could not be infected, and replace it with new stuff, that creates a chance for the CIA to smuggle in new malware. It also costs them money and distracts them from other efforts.
But I'm not the only person that can make that deduction, so can Iranian Intelligence. That makes it essentially a doub
Re:This is not propaganda. (Score:4, Insightful)
Well, it appears that once Stux got out in the open and it was discovered and analyzed and tested on the same controllers that Iran used...it seems to have been proven successful.
The problem, it seems...is that Israel fucked up and on their own, made it much more aggressive and Stuxnet (aka Olympic Games, or OG) then jumped out an infected on a global scale, calling attention to itself, whereas it has earlier been successful, but still covert and confined it appears to only the Iranian targets.
I think this act by Israel explains a LOT about why obama has been so cold towards them....
And..I'm guessing the Iranian retaliation on the US infrastructure led to the crappy deal the US took with regard to the nuclear deal with Iran. I'm thinking Iran scared the US enough to take this horrible deal which will essentially let Iran become a weaponized nuclear power in about 8+ years....
Re: (Score:2)
Israel wrote the original Stux. They more or less admitted it on the retirement of the commander (who's name escapes me). No in so many words, but they are responsible and deserve all _credit_.
Re: (Score:3)
Well, now we know... (Score:4, Interesting)
... why all those officals keep on derping about "cyber threats". They've scared themselves silly.
So, knowing we too could be "pwned" at any time, why do we insist on running vulnerable systems everywhere? Why do we keep buying software from vendors who for the longest time explicitly didn't care about security anything, and now sit on a completely unfixably insecure software stack?
Why do we keep buying *COMPUTERS* from... (Score:3, Informative)
vulnerable MANUFACTURERS and DESIGNERS?
Seriously, anyone who is not extremely concerned by Intel/AMD/ARM ring 0 management processors should really read up on what they are capable of, how little they have been independently audited, and the full ramifications if a nation-state actor had that level of access to your computer system. This isn't just a rootkit you *MIGHT* get online, this is the rootkit you buy and pay for with no way to remove, short of replacing it with an older system that hopefully is sim
Correction.... (Score:1)
Ring LESS THAN 0. If only slashdot defaulted to no-HTML by default.
As an unrelated thread, since these submission waits are annoying:
If the U.S. has Pwned Iran with a bunch of infrastructure hacks, what does that say about Iran bringing down that US drone a while back with the GPS spoof/hack?
Re: (Score:2)
If they did do it I would call it beginners luck. However, just because Iran said they brought it down doesn't mean they are telling the truth. Remember these are the same idiots who tried to pass off a model plane as their new stealth jet fighter. And the US has flown thousands of drone sorties in that part of the world and if Iran could actually do what they claim there would be drones falling out of the sky all over the place.
Re: (Score:2)
There's an active drone development community in Iran, I wouldn't doubt that they were trying to bring the drone down with a GPS hack and that the drone did indeed go down. I also wouldn't be surprised if there was zero causal relationship between the two coincidental events.
Re: (Score:2)
Re:Well, now we know... (Score:4, Insightful)
You are aware that Linux had had some recent (within the few years) vulnerabilities that had been around for decades, that were recently found and patched. If the biggest open source OS can have decade old bugs what hope is there to be fully secure?
Re: (Score:3)
Defence in depth is the only solution. If one vulnerability in your OS is enough to take over the whole system, or even the whole network, you don't have enough depth.
Re: (Score:1)
When taken with that attitude, defense in depth reeks of security by obscurity. Not saying it doesn't work, not saying it isn't the most practical solution available, just that piling up six layers of 99.9% secure does not really give 99.9999999999999999% security - when human factors come into play.
Re:Well, now we know... (Score:5, Interesting)
It's nothing to do with obscurity. It just means that a single vulnerability isn't very useful.
Remember when Windows XP was so insanely insecure that it would be 0wned within seconds of being connected to the internet? That's because there was no depth. The user ran as admin all the time, so a single flaw in any application or service gave the attacker full control of the machine.
First line of defence was to enable the firewall. Second line, run as a normal user account so that compromise only gets you user credentials. Third line, sandbox the browser. Forth line, enable ALSR. Fifth line, built in Windows Defender to block known malicious activity. Sixth line, protect critical OS files so that even administrators can't modify them. Seventh line, enable secure boot to check the integrity of boot files, drivers and the kernel.
By the time you get to Windows 8.1 a single exploit isn't very useful. Say you can execute arbitrary code in a Chrome process. Congratulations, you now have access to one tab and the data in it. Your process is heavily sandboxed. You need multiple exploits to do anything useful, so you can escape the sandbox, bypass user account protection, bypass OS level protections, bypass Windows Defender... That's why most malware these days takes the form of a trojan, tricking the user into executing them willingly.
Meh (Score:1)
Linux had an exploitable bug in gethostbyname(), which was for some funny (or not so, imo) reason executed inside the kernel.
So opfor inserts a "bad url" containing malware into a website you visit. Boom - machine pwned. And all your funny firewall "defense in depth" is useless.
American computers and software are only safe if you disconnect them from any electronic network.
Ask yourself why.
Re: (Score:2)
That's an example of a failure of defense in depth. Why shouldn't gethostbyname() be executed in the kernel? Seems like a reasonable place to execute system calls no? The reason is, you want to execute everything with the lowest possible privileges. If there is an exploitable bug, the exploit doesn't get you very far.
Re: (Score:2)
Microkernels are more secure. At some point we just need to pay the context switch overhead and get on with it.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
"what hope is there to be fully secure?"
None whatsoever.
However, unplugging your internet connection would provide a lot of relative security compared to your neighbors. You surely know that. ... and yet you're here using an internet message board that you know damn well is designed and implemented by folks whose mental state and technical competence seems at the very least a bit iffy. ... As am I
Re: (Score:2)
Build systems with smaller, simpler, better vetted (older) OSs, or perhaps no OS layer at all - just a collection of certified software components.
It's not fast, nor cheap, but it can be secure. If you want it to interact with the latest whiz-bang hardware/software from the insecure commercial world, and you want development to proceed on any reasonable sort of timetable, you may need to accept some level of insecurity to do that.
Re: (Score:2, Informative)
Note that much of the most "incriminating" stuff in the film comes from an actress playing a "composite character" but they don't tell you that until the end, which is a bit of an ethical lapse, in my book.
Re:Just watched this (Score:5, Informative)
Dedicated their lives? (Score:1)
If we consider the date speculated to be Stuxnet's first appearance by some that makes 2005.
Let's assume most humans only become mildly useful to the coding society around 18 so these researchers that dedicated their lives are 29 years old!?
That's still less years than they've lived without this so called "dedication".
The fear (Score:5, Insightful)
Re: (Score:2)
I dunno, they bumped off Dr. David Kelly for less. It really depends how well protected you are, because if the cost and risk is low enough they apparently won't hesitate to murder you.
Re: (Score:3)
Really, Dr. Kelly clearly took his own life after he majorly bigged up his roll in the production of the dossier and this was just about to come out. Basically he threw his career down the toilet and was unable to live up to it. The idea that the UK state had him bumped off is plainly ridiculous. There was no need he was about to be utterly humiliated all of his own doing. People commit suicide for FAR FAR less.
Re: (Score:2)
His name was leaked and he was set up as the fall guy, diverting attention away from the intelligence failures by MI6 and other parts of the government. The stress lead to him committing suicide.
Just because they didn't kill him themselves doesn't mean that they aren't responsible for his death. My point was that they are more than capable of driving someone to suicide, and will do so if they think it is necessary. They almost certainly didn't intend for him to die, but none they less that's what happened.
Re: (Score:2)
Mossad aren't the only murderous spooks on the planet. Arguably, they're some of the more clumsy ones - getting publicly tied to their actions.
Context (Score:2)
It's not as if the far more murderous Russian spooks were involved.
French spooks were clumsy and got caught. Mossad let people know they are involved and spread the fear without getting caught.
Re: (Score:2)
I'm just going to say it: this is how spooks should work/be regarded.
If what I'm doing is directly inimical to the interests of country X, then I *should* be terrified that country X's spooks will 'deal with' me.
Unlike the CIA, whose reputation is basically incompetent dilettante technocrats who 'missed' the collapse of the single giant entity they were tasked pretty much solely to watch for the previous 50 years.
Then again, that's exactly the reputation a witchalock would WANT us to believe they have...
"Future" war? (Score:2)
Symantec help hackers say Feds (Score:1)
Re: (Score:2, Interesting)
well, it's true.
because the products are so much shitty. if they were installed on iranian systems they would be an attack route.
however, this seems like a lot of bullshit just to hype up a few security researchers. the software itself, stuxnet in this case, is trivial. what is not trivial is bridging the airgap and getting some sod to install it on actual machines.
HOWEVER.. there would be this practical reason to keep the stuxnet government affair secret: FINANCIAL LIABILITY, since stuxnet made it into the
A route to world peace? (Score:2, Interesting)
If all countries had such viruses inserted into their critical infrastructure, then none could afford to disrupt the world's peace...
I THINK I'm joking!
One of the stranger failures of Islamic terrorism is their not attacking infrastructure assets in the West. Some trivial damage to certain items could do amazing amounts of economic damage. Let's hope they remain unimaginative.
Re:A route to world peace? (Score:4, Insightful)
It's not a lack of imagination, it's a lack of terror. Where's the scare when they do a computer attack? People are used to computers acting weirdly, they simply wouldn't care. It's also too easy to claim that it ain't terrorism, it's just "that weird computer stuff".
A need for publicity in radical Islam (Score:2)
Interesting point about their need for it to be terrorism. And there is a strange yearning after visibility; the murders of Lee Rigby in London hung around after the attack waiting to be caught. Let's be grateful.
Re: (Score:2)
It's not strange. It's right in the name. Terrorism isn't about killing people, it's about scaring them to achieve a political end. Terrorists choose targets to generate maximum fear, which usually means doing something intensely violent on a small scale.
Alternative strategy (Score:2)
Whilst you are of course right if jihadism is committed to terrorism, but the question is whether it must be. The alternative of doing massive amounts of economic damage to the USA until it does what they wants is one that they haven't attempted yet, which is what I'm getting at. A serious and sustained attack on the vulnerabilities of the rail network of a major city would probably be more debilitating and therefore effective in changing the mind of the general public than a spectacular terrorist attack. I
Re: (Score:1)
Where's the scare when they do a computer attack?
In the American psyche, apparently, and rightfully so.
This study shows it as the #2 fear, behind government:
http://www.livescience.com/52535-american-fear-survey-2015.html [livescience.com]
And another study shows it as the #2 fear, behind ISIS:
http://www.dailydot.com/layer8/cyberattacks-isis-global-threats-america-survey/ [dailydot.com]
Re: (Score:2)
I hope they also get the tools they used to commit the crime confiscated...
Re: (Score:3)
Who says it would have to be a computer attack?
I'm only guessing, but I think a planned and coordinated physical sabotage of power systems could cause chaos on a regional level if the right substations and pylons were knocked out. Knock out some primary feeds, get some secondary ones to overload and go offline and you've got a regional blackout that could days or longer to repair, as not all of the transformers and switchgear could necessarily be just swapped out (depending on the nature of the sabotage).
M
Re: (Score:2)
The grid is pretty robust.
The attack you describe would only work well on one of the hottest days of the year. But on that day it could really fuck things.
Re: (Score:2)
Re: (Score:2)
They dont have the means. It took many thousands of man-years of highly educated mathematicians to build the capabilities of the western services.
It seems that the NSA subverted the crypto infrastructure for several decades now, and penetrated systems on many levels. Heck, the only way that i would be moderately sure that nothing really bad is hidden somewhere in the system would involve Z80s or MOS 6502.
In comparison to what the NSA does the "cyber-attacks" which most terroristic groups are capable of are
Re: (Score:2)
Been done, stories in 2004 about an event in 1982:
http://www.telegraph.co.uk/new... [telegraph.co.uk]
http://www.zdnet.com/article/u... [zdnet.com]
and then, years later, we have the results of counter-information campaigns:
http://jeffreycarr.blogspot.co... [blogspot.com]
hard to know what's truth and what's fiction, and how much has been done but not leaked.
their lives? (Score:5, Insightful)
researchers at Symantec who devoted their lives to unraveling the code line by line
You know, when you "devote your life" to something it's usually for longer than a season of Game of Thrones. Mayhaps the claim is a bit hyperbolic?
just sayin'.
Re: their lives? (Score:1)
Still it feels like an eternity until the next season comes out.
Re: (Score:2)
researchers at Symantec who devoted their lives to unraveling the code line by line
You know, when you "devote your life" to something it's usually for longer than a season of Game of Thrones. Mayhaps the claim is a bit hyperbolic?
just sayin'.
I think it is more in reference to their not leaving basements or showering while surviving off a healthy diet of Mountain Dew and Doritos. I am pretty sure I read a few were known to yell "Mom! Bathroom!" too.
Re: (Score:2)
On the other hand, when you actually think your work is likely to get you suicided by the feds it gives the term a whole 'nother meaning wouldn't you say?
Re: (Score:1)
That's just not how the Feds work. They just draft you into the military, whereupon you can be legally required to keep the secret. Happened to a friend of mine (worked out OK for him, since he managed to keep reserve officers pay for many years - good chunk of change, that).
Movie link? (Score:2, Informative)
TFA does not list one either. Is it bad form to link to IMBD? Here it is http://www.imdb.com/title/tt5446858/
"It was also a bit chilling" (Score:1, Troll)
they worried that the researchers themselves might be targeted to keep them silent.
No. It's more than a bit stupid, in the same way that anti-Bush whiners always claimed that they were going to "wind up in Gitmo", yet somehow never did.
Re: (Score:2)
Worrying about it does not mean they expected it.
Are you aware that a number of Iranian scientists have been assassinated?
If the researchers were a little paranoid, I can understand that. They are westerners, so they'd probably not be killed.
The sailors on the USS Liberty thought that before they died.
Re: (Score:2)
Worrying about it does not mean they expected it.
"If I should show up dead on Monday, it wasn't me." means that he more than half-expected it.
The Government has a much better method of silencing Americans on American soil: the Aaron Swartz Gambit (legally harass emotionally weak people until they commit suicide).
Are you aware that a number of Iranian scientists have been assassinated?
I've heard it, and it's irrelevant to whether or not Symantec researchers would be assassinated by Western powers.
The sailors on the USS Liberty thought that before they died.
You're comparing American civilians working in America to Navy sailors in a Navy ship. That's... weak.
Re: (Score:2)
They did kill people in Iran:
http://www.itworld.com/article... [itworld.com]
There were other strange events.
If I'm not mistaken the guy from MIcrosoft that was going to give a presentation in Germany about Stuxnet had an accident, a car hit him while walking on the sidewalk.
Re: (Score:2)
NSA has many different departments that don't work together. Ha ! Even Microsoft has that. :-)
Michael Hayden (Score:1)
Sadly (Score:2)
Re: (Score:1)
Well, a centrifuge plant (and I would hope other nuclear systems) is likely more protected than the average industrial infrastructure.
I have seen many enormous security holes in industrial control systems in the past, some requiring almost no knowledge to exploit: telnet to the right IP on the right port, enter valid command, press enter. This often happens when an older system that has a serial port for control is connected to the Internet using a TCP/IP to UART gateway. The original software for communica
Re: (Score:2)
And in the 1960s the water supplies were going to be laced with LSD...
Europe is broke, apparently? (Score:2)
Why only Iran? (Score:2)
Lawsuit (Score:3)
Cheaper solution (Score:2)
One great big advertisement (Score:1)
Make a movie about something Symantec supposedly found. Buy our software that we can't even give away anymore because it sucks so bad. The real joke is, it'll slow their machines down big time.
Re: (Score:1)
I believe they also include the EU, as well as the UK, regardless of whether it's in or out of the EU.
Re: (Score:2)
Re: (Score:2)
Dude, all that stuff happened in the fifties. And sixties. Okay, and seventies too. Israel hasn't been actually invaded by a coalition of their neighbours, bent on annihilation, in, like, decades!
A cynical person, or one older than 40, might say that their strategy is working.