
Stuxnet/Cyberwar Documentary Reviewer: 'The U.S. Has Pwned Iran' (networkworld.com)

Slashdot reader alphadogg quotes an article from Network World: The new documentary about Stuxnet, "Zero Days", says the U.S. had a far larger cyber operation against Iran called Nitro Zeus that has compromised the country's infrastructure and could be used as a weapon in any future war. Quoting unnamed sources from inside the NSA and CIA, the movie says the Nitro Zeus program has infiltrated the systems controlling communications, power grids, transportation and financial systems, and is still ready to "disrupt, degrade and destroy" that infrastructure if a war should break out with Iran...

For the more technically inclined, the film contains some riveting interviews with researchers at Symantec who devoted their lives to unraveling the code line by line to figure out what it did, how it did it, who created it and what the target was. It was also a bit chilling in that after they figured out that governments were behind the worm they worried that the researchers themselves might be targeted to keep them silent. One Friday night, says Symantec researcher Eric Chien, he said to his research partner Liam O Murchu, "I'm not suicidal. If I should show up dead on Monday, it wasn't me."

In the film former NSA and CIA director Gen. Michael Hayden says "This stuff is hideously over classified."
This discussion has been archived. No new comments can be posted.

  • Well, now we know... (Score:4, Interesting)

    by Anonymous Coward on Monday July 11, 2016 @02:40AM (#52487217)

    ... why all those officials keep on derping about "cyber threats". They've scared themselves silly.

    So, knowing we too could be "pwned" at any time, why do we insist on running vulnerable systems everywhere? Why do we keep buying software from vendors who for the longest time explicitly didn't care about security anything, and now sit on a completely unfixably insecure software stack?

    • by Anonymous Coward

      vulnerable MANUFACTURERS and DESIGNERS?

      Seriously, anyone who is not extremely concerned by Intel/AMD/ARM ring 0 management processors should really read up on what they are capable of, how little they have been independently audited, and the full ramifications if a nation-state actor had that level of access to your computer system. This isn't just a rootkit you *MIGHT* get online, this is the rootkit you buy and pay for with no way to remove, short of replacing it with an older system that hopefully is sim

      • by Anonymous Coward

        Ring LESS THAN 0. If only slashdot defaulted to no-HTML by default.

        As an unrelated thread, since these submission waits are annoying:
        If the U.S. has Pwned Iran with a bunch of infrastructure hacks, what does that say about Iran bringing down that US drone a while back with the GPS spoof/hack?

        • If they did do it I would call it beginner's luck. However, just because Iran said they brought it down doesn't mean they are telling the truth. Remember these are the same idiots who tried to pass off a model plane as their new stealth jet fighter. And the US has flown thousands of drone sorties in that part of the world and if Iran could actually do what they claim there would be drones falling out of the sky all over the place.

          • There's an active drone development community in Iran, I wouldn't doubt that they were trying to bring the drone down with a GPS hack and that the drone did indeed go down. I also wouldn't be surprised if there was zero causal relationship between the two coincidental events.

      • by DMJC ( 682799 )
        You could switch to Chinese CPUs... apparently they're the fastest now.
    • by jellomizer ( 103300 ) on Monday July 11, 2016 @04:41AM (#52487543)

      You are aware that Linux had had some recent (within the few years) vulnerabilities that had been around for decades, that were recently found and patched. If the biggest open source OS can have decade old bugs what hope is there to be fully secure?

      • by AmiMoJo ( 196126 )

        Defence in depth is the only solution. If one vulnerability in your OS is enough to take over the whole system, or even the whole network, you don't have enough depth.

        • When taken with that attitude, defense in depth reeks of security by obscurity. Not saying it doesn't work, not saying it isn't the most practical solution available, just that piling up six layers of 99.9% secure does not really give 99.9999999999999999% security - when human factors come into play.

          • by AmiMoJo ( 196126 ) <mojo@@@world3...net> on Monday July 11, 2016 @08:56AM (#52488591) Homepage Journal

            It's nothing to do with obscurity. It just means that a single vulnerability isn't very useful.

            Remember when Windows XP was so insanely insecure that it would be 0wned within seconds of being connected to the internet? That's because there was no depth. The user ran as admin all the time, so a single flaw in any application or service gave the attacker full control of the machine.

            First line of defence was to enable the firewall. Second line, run as a normal user account so that compromise only gets you user credentials. Third line, sandbox the browser. Fourth line, enable ASLR. Fifth line, built in Windows Defender to block known malicious activity. Sixth line, protect critical OS files so that even administrators can't modify them. Seventh line, enable secure boot to check the integrity of boot files, drivers and the kernel.

            By the time you get to Windows 8.1 a single exploit isn't very useful. Say you can execute arbitrary code in a Chrome process. Congratulations, you now have access to one tab and the data in it. Your process is heavily sandboxed. You need multiple exploits to do anything useful, so you can escape the sandbox, bypass user account protection, bypass OS level protections, bypass Windows Defender... That's why most malware these days takes the form of a trojan, tricking the user into executing them willingly.

            • by Anonymous Coward

              Linux had an exploitable bug in gethostbyname(), which was for some funny (or not so, imo) reason executed inside the kernel.

              So opfor inserts a "bad url" containing malware into a website you visit. Boom - machine pwned. And all your funny firewall "defense in depth" is useless.

              American computers and software are only safe if you disconnect them from any electronic network.

              Ask yourself why.

              • by ceoyoyo ( 59147 )

                That's an example of a failure of defense in depth. Why shouldn't gethostbyname() be executed in the kernel? Seems like a reasonable place to execute system calls no? The reason is, you want to execute everything with the lowest possible privileges. If there is an exploitable bug, the exploit doesn't get you very far.

                • Microkernels are more secure. At some point we just need to pay the context switch overhead and get on with it.

      • "what hope is there to be fully secure?"

        None whatsoever.

        However, unplugging your internet connection would provide a lot of relative security compared to your neighbors. You surely know that. ... and yet you're here using an internet message board that you know damn well is designed and implemented by folks whose mental state and technical competence seems at the very least a bit iffy. ... As am I

      • Build systems with smaller, simpler, better vetted (older) OSs, or perhaps no OS layer at all - just a collection of certified software components.

        It's not fast, nor cheap, but it can be secure. If you want it to interact with the latest whiz-bang hardware/software from the insecure commercial world, and you want development to proceed on any reasonable sort of timetable, you may need to accept some level of insecurity to do that.

  • by Anonymous Coward

    If we consider the date speculated to be Stuxnet's first appearance by some that makes 2005.

    Let's assume most humans only become mildly useful to the coding society around 18 so these researchers that dedicated their lives are 29 years old!?

    That's still less years than they've lived without this so called "dedication".

  • The fear (Score:5, Insightful)

    by dbIII ( 701233 ) on Monday July 11, 2016 @02:53AM (#52487251)
    The fear of being knocked off by spooks looks more than a little bit ridiculous unless you understand that Mossad was in the mix. The "supergun" guy was assassinated by them but it's still a bit of a stretch that they would go after antivirus people that are only threatening exposure instead of being a threat themselves.
    • by AmiMoJo ( 196126 )

      I dunno, they bumped off Dr. David Kelly for less. It really depends how well protected you are, because if the cost and risk is low enough they apparently won't hesitate to murder you.

      • by jabuzz ( 182671 )

        Really, Dr. Kelly clearly took his own life after he majorly bigged up his role in the production of the dossier and this was just about to come out. Basically he threw his career down the toilet and was unable to live up to it. The idea that the UK state had him bumped off is plainly ridiculous. There was no need he was about to be utterly humiliated all of his own doing. People commit suicide for FAR FAR less.

        • by AmiMoJo ( 196126 )

          His name was leaked and he was set up as the fall guy, diverting attention away from the intelligence failures by MI6 and other parts of the government. The stress led to him committing suicide.

          Just because they didn't kill him themselves doesn't mean that they aren't responsible for his death. My point was that they are more than capable of driving someone to suicide, and will do so if they think it is necessary. They almost certainly didn't intend for him to die, but none the less that's what happened.

    • Mossad aren't the only murderous spooks on the planet. Arguably, they're some of the more clumsy ones - getting publicly tied to their actions.

      • Context: They were the only murderous spooks in the operation.
        It's not as if the far more murderous Russian spooks were involved.

        Arguably, they're some of the more clumsy ones - getting publicly tied to their actions

        French spooks were clumsy and got caught. Mossad let people know they are involved and spread the fear without getting caught.

    • I'm just going to say it: this is how spooks should work/be regarded.

      If what I'm doing is directly inimical to the interests of country X, then I *should* be terrified that country X's spooks will 'deal with' me.

      Unlike the CIA, whose reputation is basically incompetent dilettante technocrats who 'missed' the collapse of the single giant entity they were tasked pretty much solely to watch for the previous 50 years.

      Then again, that's exactly the reputation a witchalock would WANT us to believe they have...

  • As I read it, all the "digital bombers" are already over the country. The US have already attacked. If any country would do this to the US, the US would certainly see it that way.
  • On Tuesday, the law enforcement agency issued an alert that "all Symantec and Norton branded antivirus products" could allow hackers "to take control" of a computer. link [cnn.com]
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      well, it's true.
      because the products are so much shitty. if they were installed on iranian systems they would be an attack route.

      however, this seems like a lot of bullshit just to hype up a few security researchers. the software itself, stuxnet in this case, is trivial. what is not trivial is bridging the airgap and getting some sod to install it on actual machines.

      HOWEVER.. there would be this practical reason to keep the stuxnet government affair secret: FINANCIAL LIABILITY, since stuxnet made it into the

  • If all countries had such viruses inserted into their critical infrastructure, then none could afford to disrupt the world's peace...

    I THINK I'm joking!

    One of the stranger failures of Islamic terrorism is their not attacking infrastructure assets in the West. Some trivial damage to certain items could do amazing amounts of economic damage. Let's hope they remain unimaginative.

    • by Opportunist ( 166417 ) on Monday July 11, 2016 @03:37AM (#52487345)

      It's not a lack of imagination, it's a lack of terror. Where's the scare when they do a computer attack? People are used to computers acting weirdly, they simply wouldn't care. It's also too easy to claim that it ain't terrorism, it's just "that weird computer stuff".

        • Interesting point about their need for it to be terrorism. And there is a strange yearning after visibility; the murderers of Lee Rigby in London hung around after the attack waiting to be caught. Let's be grateful.

        • by ceoyoyo ( 59147 )

          It's not strange. It's right in the name. Terrorism isn't about killing people, it's about scaring them to achieve a political end. Terrorists choose targets to generate maximum fear, which usually means doing something intensely violent on a small scale.

          • Whilst you are of course right if jihadism is committed to terrorism, but the question is whether it must be. The alternative of doing massive amounts of economic damage to the USA until it does what they want is one that they haven't attempted yet, which is what I'm getting at. A serious and sustained attack on the vulnerabilities of the rail network of a major city would probably be more debilitating and therefore effective in changing the mind of the general public than a spectacular terrorist attack. I

      • by Anonymous Coward

        Where's the scare when they do a computer attack?

        In the American psyche, apparently, and rightfully so.

        This study shows it as the #2 fear, behind government:

        http://www.livescience.com/52535-american-fear-survey-2015.html [livescience.com]

        And another study shows it as the #2 fear, behind ISIS:

        http://www.dailydot.com/layer8/cyberattacks-isis-global-threats-america-survey/ [dailydot.com]

      • by swb ( 14022 )

        Who says it would have to be a computer attack?

        I'm only guessing, but I think a planned and coordinated physical sabotage of power systems could cause chaos on a regional level if the right substations and pylons were knocked out. Knock out some primary feeds, get some secondary ones to overload and go offline and you've got a regional blackout that could take days or longer to repair, as not all of the transformers and switchgear could necessarily be just swapped out (depending on the nature of the sabotage).

        M

        • The grid is pretty robust.

          The attack you describe would only work well on one of the hottest days of the year. But on that day it could really fuck things.

    • by jeti ( 105266 )
      It's called MAD for a reason.
    • by drolli ( 522659 )

      They don't have the means. It took many thousands of man-years of highly educated mathematicians to build the capabilities of the western services.

      It seems that the NSA subverted the crypto infrastructure for several decades now, and penetrated systems on many levels. Heck, the only way that I would be moderately sure that nothing really bad is hidden somewhere in the system would involve Z80s or MOS 6502.

      In comparison to what the NSA does the "cyber-attacks" which most terroristic groups are capable of are

    • Been done, stories in 2004 about an event in 1982:

      http://www.telegraph.co.uk/new... [telegraph.co.uk]

      http://www.zdnet.com/article/u... [zdnet.com]

      and then, years later, we have the results of counter-information campaigns:

      http://jeffreycarr.blogspot.co... [blogspot.com]

      hard to know what's truth and what's fiction, and how much has been done but not leaked.

  • their lives? (Score:5, Insightful)

    by Gravis Zero ( 934156 ) on Monday July 11, 2016 @03:22AM (#52487309)

    researchers at Symantec who devoted their lives to unraveling the code line by line

    You know, when you "devote your life" to something it's usually for longer than a season of Game of Thrones. Mayhaps the claim is a bit hyperbolic?

    just sayin'.

    • by Anonymous Coward

      Still it feels like an eternity until the next season comes out.

    • researchers at Symantec who devoted their lives to unraveling the code line by line

      You know, when you "devote your life" to something it's usually for longer than a season of Game of Thrones. Mayhaps the claim is a bit hyperbolic?

      just sayin'.

      I think it is more in reference to their not leaving basements or showering while surviving off a healthy diet of Mountain Dew and Doritos. I am pretty sure I read a few were known to yell "Mom! Bathroom!" too.

    • by bentcd ( 690786 )

      On the other hand, when you actually think your work is likely to get you suicided by the feds it gives the term a whole 'nother meaning wouldn't you say?

      • by lgw ( 121541 )

        That's just not how the Feds work. They just draft you into the military, whereupon you can be legally required to keep the secret. Happened to a friend of mine (worked out OK for him, since he managed to keep reserve officers pay for many years - good chunk of change, that).

  • Movie link? (Score:2, Informative)

    by Anonymous Coward

    TFA does not list one either. Is it bad form to link to IMDb? Here it is http://www.imdb.com/title/tt5446858/

  • they worried that the researchers themselves might be targeted to keep them silent.

    No. It's more than a bit stupid, in the same way that anti-Bush whiners always claimed that they were going to "wind up in Gitmo", yet somehow never did.

    • by quenda ( 644621 )

      Worrying about it does not mean they expected it.
      Are you aware that a number of Iranian scientists have been assassinated?
      If the researchers were a little paranoid, I can understand that. They are westerners, so they'd probably not be killed.
      The sailors on the USS Liberty thought that before they died.

      • by Nutria ( 679911 )

        Worrying about it does not mean they expected it.

        "If I should show up dead on Monday, it wasn't me." means that he more than half-expected it.

        The Government has a much better method of silencing Americans on American soil: the Aaron Swartz Gambit (legally harass emotionally weak people until they commit suicide).

        Are you aware that a number of Iranian scientists have been assassinated?

        I've heard it, and it's irrelevant to whether or not Symantec researchers would be assassinated by Western powers.

        The sailors on the USS Liberty thought that before they died.

        You're comparing American civilians working in America to Navy sailors in a Navy ship. That's... weak.

    • by Lennie ( 16154 )

      They did kill people in Iran:

      http://www.itworld.com/article... [itworld.com]

      There were other strange events.

      If I'm not mistaken the guy from Microsoft that was going to give a presentation in Germany about Stuxnet had an accident, a car hit him while walking on the sidewalk.

  • by Anonymous Coward
    This is the same guy that formed a cybersecurity consultancy to help companies secure themselves against state-sponsored hackers and speaks freely in public on commuter trains. https://www.theguardian.com/wo... [theguardian.com] I sincerely doubt this guy knows what should be classified and what shouldn't be. He's probably got Russian, Chinese, and Iranian spies following him non-stop just to see what he'll say next.
  • by lapm ( 750202 )
    Problem is, industrial systems are weakly protected. And Stuxnet proved how easy it is to attack them, now everyone knows it. It even proved that targeted attack like this can spread all over the world very very easily... I think it's only a matter of time before we see terrorists use this sort of stuff instead of suicide bombs. Why kill docent people when you can poison thousands by messing water purification systems.... What's even more worrying is people don't realise those industry systems need protection..
    • And in the 1960s the water supplies were going to be laced with LSD...

  • I've been trying for 30 minutes now to watch this legally. http://theoatmeal.com/comics/g... [theoatmeal.com] Europe does not have any money, or whatever... according to: - Amazon - google play - youtube - 30+ minutes in... I quit. I will start my bittorrent client now... Thank you, international movie-business, for saving me money!
  • If that's been so effective, why should USA deploy it just in Iran? I'd bet there are many instances sleeping everywhere waiting for the alarm clock to wake them up!
  • by jasper160 ( 2642717 ) on Monday July 11, 2016 @07:54AM (#52488189)
    I wonder how much of a chance the government of Iran would have in suing the US gov in a US or in the international courts?
  • Pokémon Go.... Iran! That should disable just about everything.
  • Make a movie about something Symantec supposedly found. Buy our software that we can't even give away anymore because it sucks so bad. The real joke is, it'll slow their machines down big time.
