If you tell enough stories, perhaps the moral will show up.


We Are At War!

Possibly. The story has been running in the computer press for a fortnight or so -- google “Stuxnet Iran” but it’s gone mainstream with articles in the Economist this week.

A specific malware -- called Stuxnet by its original discoverers -- turns out to be:

  • Very sophisticated, robust and prolific, particularly well able to travel on USB memory sticks to infect systems kept off the Internet
  • Targeted rather specifically to attack WinCC, a notoriously insecure plant and process control system from Siemens
  • And, weirder, even at sites running WinCC, despite all that specicifity, it doesn’t do any of the harm it is capable of. Except in Iran.
Because it seems that the Iranian nuclear fuel and reactor plants run WinCC. And when it’s activated in Iran -- the details of that aren’t clear -- it causes harm.

Cutting a long story short, the line offered to us is that Stuxnet was build by a well-resourced team to smash up the centrifuges at Natanz or even the reactors, by disabling the computers that manage them. The Americans are said to have form here. The Israelis have an obvious interest. And both nations have deep capabilities in development and experts in malware analysis.

I think this could very well be true. Stuxnet is really hard to explain on any other theory. It “wasted” a previously unknown Windows vulnerability on an esoteric target -- a weakness that could have made millions installing Zeus to collect banking passwords. The “waste” is just as gross when you consider the huge skill and work that’s gone into the code -- just to bugger up some plant for no obvious economic benefit.

So, Stuxnet is a weapon in an undeclared war against Iran. And that’s interesting because it’s a first look since Titan Rain at what modern information weapons look like. And what do they look like?

Well, unimpressive, mostly:

  • Slow. Stuxnet has been around for months, and if there was an effect at Natanz, it took a while.
  • Expensive. There’s a lot of effort in that code, no doubt, and a lot of investment in the test and development rig it first ran on, but the real cost is that as soon as it goes public it betrays the zero-day vulnerabilities it depends on for its unique spreading capabilities. Zero-days are wasting assets -- and the clock starts running the moment they’re used.
  • Weakly targeted. Stuxnet went global. It was designed to limit the harm in non-target sites, but it would be better from the security point of view if it had never got there. Global distribution tipped off every WinCC site, including the Iranians to get smart.
  • Limited scale. You can’t do wave after wave of this sort of attack, as the victim will tighten up their patching and filtering, and at any time the supply of zero-days is limited.
  • Limited effect. The Iranians still have a nuclear programme.
  • And, finally, there’s no magic. No doubt Stuxnet is quality work, but it’s just a well made malware. Like all current malware, it’s a combination of understood techniques.

That last one seems crucial to me. If you do all the things that you should be doing to manage routine malware and zero-days: endpoint, removable media, gateways; then you’re also, and entirely for free, building yourself a bunker which will stifle many of the best efforts of the “cyber” warriors.

I’ve been meaning to write about the boondoggle called information war, but it will have to wait. All I’m going to say here is that I’ve felt for some time that even the idea of IW is unsound -- a hysterical reaction to the pathetic network security seen in the United States and the defence establishments of other countries. If Gary Mackinnon can break into your systems by guessing telnet passwords, then, yes, probably you are at risk to rather broad attacks. But that has nothing to do with expanding warfare into the cyber domain and, frankly, everything to do with being a tosspot.

In the meantime, for the rest of us, the lesson of Stuxnet is that Information Warfare is, and remains, a matter for routine operational security.

No comments: