Did Stuxnet Take Out 1,000 Centrifuges At Natanz?
AffidavitDonda writes "In late 2009 or early 2010, Iran decommissioned and replaced about 1,000 IR-1 centrifuges in the Fuel Enrichment Plant (FEP) at Natanz, implying that these centrifuges broke. Iran's IR-1 centrifuges often break, yet this level of breakage exceeded expectations and occurred during an extended period of relatively poor centrifuge performance. Although Iran has not admitted that Stuxnet attacked the Natanz centrifuge plant, it has acknowledged that its nuclear sites were subject to cyber attacks."
No, there are no weapons!!!
Yes, there are weapons!!!
If this is for real, this targeting sounds like a big step in the cyber attack side of the world. I wonder how cyber defense will counter it.
Home of The Suki Series
Well Doh!!
The malware seems to have specific code to target the centrifuges. There is reportedly sub par performance and high replacement rate for the centrifuges.
Do you need a diagram too?
Everyone is pretty sure Stuxnet was targeting Iranian nuclear centrifuges; it was a well-built virus that did its creators' job well. The team who created it did their research and figured this was the best stab at slowing Iranian nuclear processing. Just goes to show that good planning/funds and smart programmers can do significant damage to some secure facilities.
Violence is the last refuge of the incompetent. -- Isaac Asimov
It's interesting how the US was jabbing so much about cyber warfare and how they need to defend themselves, and still they're the first ones to attack.
From TFA, the rumored culprit is not the USA, it is "IDF’s Military Intelligence Unit 8200".
Somewhere, some guy working for the CIA/NSA/TLA just shat himself laughing.
What antivirus software would have protected the victims of this virus? Kaspersky? AVG? Windows Security Essentials? ClamAV?
While on the one hand it is important to prevent infections from becoming a massive swarm with the ability to hammer away at particular locations in a DDoS, in this particular case it seems like specific machines were infected with the goal of harming them directly. Since these machines are running on specialized hardware, it doesn't really make sense to consider Stuxnet a "swarm" virus. The swarming aspect only seems to have helped it spread in an organic way towards the targeted systems.
On the very end lay the centrifuges, but between those and the Internet lay Windows PCs. Would having Norton (or any other AV) running on startup have blocked this virus?
If none, then what hope do we really have of protecting ourselves from deliberate attacks on our network infrastructure?
Quite frightening, actually. (Unless Windows Security Essentials would have caught it.)
......that's what she said.
Dupes are one thing, but, wow, this is new territory.
Iran Admits Stuxnet Affected Their Nuclear Program
If the submitter had gone straight to the Google none of this ever would have happened.
My God, it's Full of Source!
Centrifuge subterfuge!
No, AV software would not have protected those systems from infection because the virus didn't attack the OS or any 'normal' program that an AV vendor would be used to protecting; it attacked a very specific installation of an industrial control package. Better computer hygiene, like not taking media from lower-security systems to higher-security ones, would have prevented the infection of the vulnerable machines, but even the NSA has admitted that they do not have 100% control over such procedures.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
None. No AV kit can protect you from a single target attack.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Iran has stepped up efforts at helping Hamas, Hezbollah and the Taliban, and is now releasing all of its Al Qaeda terrorists back into the wilds of the Middle East. The question we should be asking is: was this attack worth it if terrorism increased because of it? From what I have seen, no; we are now dealing with Iran supplying larger and larger munitions to the Taliban. 'Charlie Wilson's War' is going to have a sequel, and this time the protagonist is going to be Iranian.
An Education is the Font of All Liberty
Okay so we have a weapon that disables the target without killing anyone. I'd call it a major advance and any government crying foul needs to consider the purpose of the centrifuges. Would it be better to bomb the place and kill hundreds of people?
Once and for all!
We need to quit doing warnings. Simply tell them that if they blow a nuke, the West will drop in conventional bombs to take out their nuke sites. If they launch a missile during that time, then the bombs will change to nukes, and we will rain them down on them.
http://blogs.forbes.com/firewall/2010/12/14/stuxnets-finnish-chinese-connection/ It takes a while to get past the popups. I wonder if there are any major problems in this author's hedgeucated guessing?
Their they're doing there hair.
A truthy reference...sigh
The IR-1 is an older model centrifuge. It's basically a copy of an old URENCO design. Iran has an IR-2 and an IR-3 model, which use carbon fibre rotors, and new installations use those. Iran has at least three enrichment plants, incidentally, and they're all different. Various reports indicate replacement of the older models by newer ones, so some of this might be a routine phase-out.
Is that even 10% of their entire production capacity?
Moar liek centripets, amirite? http://xkcd.com/123/
But the virus required a vector, which was unprotected Windows systems. If the virus never reached the target devices, then how would the virus infect them?
If these top-security facilities can't prevent viruses, how can we protect ourselves with our measly little free AV software packages?
And based on their reckless oppression of people, there is a lot more concern about forcing Israel to get rid of their nukes.
The answer is no.
Because even if it were true (which is extremely unlikely), any confirmation of this would encourage idiots at the Pentagon and similar places to write idiotic viruses and trojan horses that will end up doing nothing but creating massive epidemics among completely unrelated Windows computers.
So no it is.
Oh, and to Iranian nuclear engineers: keep all information about your facilities secret. What kind of kindergarten are you running there?
Contrary to the popular belief, there indeed is no God.
I think Iran -- or any other country -- would be pleased to have these kinds of rumors about the damage done circulating. Disinformation or uncertainty as to the present condition of their activities can only benefit them, especially if it causes the enemy to underestimate their power. This assumes that Stux wasn't feeding back information about its activity or that another good source doesn't exist.
The funding of that unit is probably indirectly done by the US because of the subsidies Israel gets on "defense". If somebody considers that unit's actions to be terrorist activity, they will consider the US to be sponsoring terrorism. The number of vetoes cast by the USA in favor of Israel will also make people blame the USA. Tough luck; things have consequences.
My take on this story was that the Siemens controllers were the problem. The centrifuges quit working right because the controllers went nuts, and then the controllers were careful to hide their defect.
So if Iran examined the controllers and centrifuges and figured (wrongly) that the centrifuges were the problem and replaced them, wouldn't the controllers just wreck the new ones as well? And if so, wouldn't that cause Iran to spend a lot of time replacing centrifuges again and again? It seems like that could account for some of the buying.
And of course, once the actual problem is figured out, then you need to replace the controllers and probably the centrifuges that got broken the second or third time around, and of course figure out how to keep the whole thing from happening again. Sure, you can replace the rogue controllers but how did they go bad to start with? If you don't know, this could cause a lot of extreme paranoia.
How Iran actually reacted is not clear to me, but I know what would happen if this occurred in a US factory.
If a machine broke, you'd replace the machine. If it broke again, you'd replace it again and start getting mad. If it broke again, then maybe you'd look at the controller. If it tests OK (and why would it lie to you?) then you replace the centrifuge again. Etc. It might take a relatively long time to figure out that the controller is actually the problem AND that it was deliberately being subtle about it to avoid detection. The assumption with machines is that they don't lie to you. If they are good or bad, generally they will be straightforward to sort out via testing or diagnostics.
So to start with, you have to accept the concept that yes, they can lie, before the source of the problem can begin to be understood much less dealt with.
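The "yes, machines can lie" point above, turned into a concrete check. This is an added example, not code from the thread, from Siemens, or from any real plant: it assumes you can tap an independent measurement (here a hypothetical second tachometer on the rotor) that does not pass through the controller, and all readings are constructed. It flags two things a self-reporting controller cannot hide from an out-of-band witness: reported values that simply replay a recorded "healthy" window, and reported values that diverge from what the independent sensor sees.

```python
"""Cross-check a controller's self-reported readings against an independent sensor.

Added example with constructed data. Assumption: a second, controller-independent
measurement (e.g. a separate tachometer) is sampled at the same instants.
"""

# Constructed sample: 20 rotor-speed readings (rpm) reported by the controller and
# 20 readings from the independent sensor at the same instants.
NOMINAL_RPM = 1000
RECORDED_BLOCK = [1001, 999, 1000, 1002, 998]   # a genuinely healthy 5-sample window
REPORTED = RECORDED_BLOCK * 4                   # controller keeps replaying that window
INDEPENDENT = RECORDED_BLOCK + list(range(1010, 1160, 10))  # real rotor ramps away


def find_replay_period(series, min_period=4, repeats=3):
    """Return the shortest period p for which the tail of `series` is the same
    p-sample block repeated `repeats` times back to back, else None.

    A live physical process essentially never reproduces a block of readings
    bit-for-bit; a controller feeding back a recording does.
    """
    n = len(series)
    for p in range(min_period, n // repeats + 1):
        block = series[n - p:]
        if all(series[n - (k + 1) * p: n - k * p] == block for k in range(1, repeats)):
            return p
    return None


def cross_check(reported, independent, tolerance):
    """Return the sample indices where the controller's report and the independent
    measurement disagree by more than `tolerance`."""
    return [i for i, (r, m) in enumerate(zip(reported, independent))
            if abs(r - m) > tolerance]


def assess(reported, independent, tolerance=20):
    """Summarise both checks; 'trustworthy' is True only if neither fires."""
    period = find_replay_period(reported)
    divergent = cross_check(reported, independent, tolerance)
    return {
        "replay_period": period,
        "divergent_indices": divergent,
        "trustworthy": period is None and not divergent,
    }


if __name__ == "__main__":
    verdict = assess(REPORTED, INDEPENDENT)
    print("controller report replays a %s-sample block" % verdict["replay_period"])
    print("first disagreement with independent sensor at sample",
          verdict["divergent_indices"][0] if verdict["divergent_indices"] else None)
    print("trustworthy:", verdict["trustworthy"])
```

The replay check on its own is weak (a clever controller can add noise to a recording), which is why the cross-check against a sensor the controller cannot touch is the part that actually matters; the replay detector mostly tells you how the lie was constructed once you already distrust the box.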
The idiots in Israel are known to only think about their own interests. They have the full support of the US no matter what crap they pull. The operatives in secret agencies know that Stuxnet is now a gun-for-hire internationally. It is a security threat, and the world already has too many of those.
Better computer hygiene, like not taking media from lower-security systems to higher-security ones, would have prevented the infection of the vulnerable machines, but even the NSA has admitted that they do not have 100% control over such procedures.
No kidding
There is absolutely no way to defend against such an attack. Unless, of course, you build every.single.thing in-house.
You're not a high profile target.
Could your apartment door keep out an exceptional burglar who specialized in breaking into high profile objects? Could your home safe stop someone who is an expert in opening bank safes? Would someone trained in defeating multi layer security systems trip your alarm system at home?
I think none of those questions could be answered positively.
But these people do not break into your home. They've got better, more profitable targets to rob.
Likewise, nobody would "waste" 4 0day vulnerabilities just to infect YOU, and ONLY YOU (a blanket attack on multiple, nonspecific, targets is usually trivial to discover through early warning means and also quite easy to protect against).
As odd as it may sound, there's safety in numbers. The garden variety trojan is not targeted. They don't care too much who they infect, their goal is not a specific target, their goal is to infect as many machines as possible, for various reasons, but no matter what the reason, it's better (for them) to infect many instead of a specific target. Phishing, botnets, they all need many, but not specific, machines.
This is not the case here. The target was very specific and I am actually quite sure that infecting anything else with this trojan would actually have been seen as a flaw in the whole operation.
I'd guess that the malware was installed specifically where it should strike, not in the usual "release and wait" way but targeted and planted. In other words, I'd guess it would have taken a physical person to be physically present to get this rolling.
This is nothing that would affect you, or any Joe Randomsurfer for that matter.
The team who created it did their research, and figured this was the best stab at slowing the Iranian nuclear processing.
This part is especially interesting, critical for the success of such an attack, I'd say. You can't afford to make it work through trial and error, because your target will get alarmed when a failed attack is detected and entryway security holes may get plugged. If you don't have an operative in the field, or inside the vendor which delivered the equipment to your target, then you have to have some sort of very low-profile "scout worms" that would gather information about the target facility, map the network, retrieve samples of code that runs on machines, etc. Also, similar to aerial and artillery attacks, you need to get feedback information on attained damage. Are we really sure that the Stuxnet attack was a success and Iranian centrifuges are damaged? How do we know? Is the source of information authoritative? And so on.
None. This attack was quite targeted. I would imagine the person writing this virus didn't just unleash it to the general public with the hope that one day maybe it would make it to the intended target. Antivirus software needs a sample or otherwise needs a virus to match some kind of heuristic signature. Just to put this into perspective, we actually got this virus where I work (an industrial plant on the other side of the world, but no Siemens controllers). The .lnk exploit wreaked havoc on the commercial network, but no permanent harm was done. Nonetheless we all had the latest and greatest antivirus packages installed. We got a notice from IT saying that all network access had been suspended and the control networks had been isolated from the business networks, and that we'd get more information when the AV vendor got back to IT.
.... well 7 hours is a heck of a long time for a malicious program to do damage.
Took about 7 hours for the response. Then the advice was to run an update on the AV package and a notice that network drives would be brought online once they were properly cleaned.
Now you'd have no hope in hell of spreading quite the same way in our plant but at the time the virus and the 0-day exploit it used were quite foreign. It didn't actually manage to infect the control system due to due care in network design and physical access, but if it did, and we ran Siemens PLCs, and we were the intended target
Whoosh
It looks like you need to read a newspaper, kid, and find out why people in Iran don't like people in Al Qaeda and vice versa, and in fact had a war with Iraq over those differences with a death toll of around 1,700,000 people. You'll be saying it's all a Chinese plot next. It's a big world, and not everyone that is brown is identical.
As for Charlie Wilson, one of the guys he funnelled money to is one of our worst enemies now (not Bin Laden; one of the Afghan warlords instead). Wilson was an easily bribed idiot who almost single-handedly destroyed the reputation of the USA in Central America and the Middle East and fucked up all the efforts of the government of the day. He's a really good example of all the stupid shit people get up to on cocaine.
In the US, commerce controls the government.
You are entitled to your own opinions, not your own facts.
By USB thumb drive, and then it infected other PCs on the private network. That means (if true) they had a spy or 20 inside this place, and that simply taking these computers off the internet (which apparently they were) wouldn't have stopped it. (I'm not sure how hard it is to infect Linux with a thumb drive, to be honest, so no idea if that would make a difference.)
Did you know 80 to 90% of the moderators on slashdot wouldn't recognize a troll even if one dragged them under a bridge.
Over the past year or more, Slashdot has been providing posts about the Stuxnet worm. Several countries have been accused of the creation of this worm, the US being at the top of the list and, I believe, Israel being the second most accused. Just a week or two ago, China was named as a possible suspect as well. I'm sure if you search for Stuxnet you'll be able to find many links to many articles and find out a lot more information about the worm.
It's rather an interesting story to follow and will likely make for a great movie one day.
Life takes interesting turns, but the most interest is when you're off the beaten path.
One lesson of Stuxnet is clear:
If you are going to run thousands of centrifuges, you need to migrate from Windows to a Linux distro.
Will
Specifically, the 1982 Siberian pipeline sabotage.
Well, often you avoid taking high-security media into a low-security environment. The reverse path just doesn't get the same amount of attention; that would make it hard to even acquire new media.
Of course, WTF kind of system just executes things in removable media? (Yep, I know the answer, yet, that doesn't make it right.)
Rethinking email
Malware doesn't just magically get onto your computer; the user usually makes a decision to install untrusted code, and then AV software checks a blacklist. This is a process that is pretty much guaranteed to fail against a determined attacker.
If you decide that you don't want to automatically fail by default against determined attackers, then you need to make the decision to stop installing untrusted software. And as a side-effect: once you do that, you never ever under any circumstances, need or can possibly benefit from AV software. You don't ever need to use a third party blacklist, if you're using your own whitelist.
Oh, and don't put Windows on your whitelist. Not only did you never audit that software, but you don't know anyone who did, even third hand. For most OSes, you can usually say that at least you heard a rumor that your father's cousin's former roommate, who once read a mailing list message written by Theo de Raadt, once spent an afternoon looking at the code for security problems. Nobody can even make a claim that loose about Windows.
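The "use your own whitelist, not a third party's blacklist" idea above, as an added example rather than anything from the thread: an audit that walks a directory tree, hashes every file, and classifies each one against an operator-maintained allowlist in sha256sum format. The sample tree, the allowlist, and the file names (`plc-tool`, `updater`, `autorun.exe`, `retired-tool`) are all constructed for the demo and are not real products.

```python
"""Audit a directory tree against an operator-maintained SHA-256 allowlist.

Added example with constructed files. The allowlist format is the one `sha256sum`
emits: '<hex digest>  <relative path>', one entry per line, '#' for comments.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_allowlist(text):
    """Parse sha256sum-style lines into {relative_path: digest}."""
    allow = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rel = line.partition("  ")
        allow[rel.strip()] = digest.lower()
    return allow


def audit_tree(root, allow):
    """Classify every regular file under `root`.

    allowed  - path listed and digest matches
    modified - path listed but digest differs (tampered or unreviewed update)
    unknown  - file not on the list at all (never vetted)
    missing  - listed path that no longer exists
    Only 'allowed' files should ever be permitted to run.
    """
    root = Path(root)
    result = {"allowed": [], "modified": [], "unknown": [], "missing": []}
    seen = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in allow:
            result["unknown"].append(rel)
        elif allow[rel] != sha256_file(path):
            result["modified"].append(rel)
        else:
            result["allowed"].append(rel)
    result["missing"] = sorted(set(allow) - seen)
    return result


def demo():
    """Build a constructed tree in a temp dir, audit it, and return the result dict."""
    vetted = b"#!/bin/sh\necho vetted\n"
    original = b"#!/bin/sh\necho original\n"
    allow_text = "\n".join([
        "# constructed allowlist for the demo",
        hashlib.sha256(vetted).hexdigest() + "  bin/plc-tool",
        hashlib.sha256(original).hexdigest() + "  bin/updater",
        "0" * 64 + "  bin/retired-tool",      # listed, but no longer installed
    ])
    with tempfile.TemporaryDirectory() as d:
        binދir = Path(d) / "bin"
        binދir.mkdir()
        (binދir / "plc-tool").write_bytes(vetted)
        (binދir / "updater").write_bytes(b"#!/bin/sh\necho trojaned\n")  # tampered
        (binދir / "autorun.exe").write_bytes(b"MZ not on any list")       # never vetted
        return audit_tree(d, parse_allowlist(allow_text))


if __name__ == "__main__":
    for category, files in demo().items():
        print("%-8s %s" % (category, ", ".join(files) or "-"))
```

The point of the classification is that "unknown" and "modified" get the same treatment: neither runs until a human adds a reviewed digest to the list. A blacklist can only ever say "this one is bad"; the allowlist says "everything else is", which is the only posture that holds against an attacker who wrote the sample nobody has seen yet.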
Call me crazy, and you probably will, but I think it would have been more effective if they'd instead targeted the storage or final packaging stage machines for the enriched materials and tried to cause a detonation. I don't know if that's possible based on the equipment used, but they at least could have caused a massive explosion that would have splattered their precious refined radioactive materials all over their pretty little refinery, making it unsuitable for human presence and causing them to have to build at an entirely new location and start all over with a refined uranium count of zero. Now THAT is a financial hit that would matter, unlike just frying like 1/4 of the centrifuges and allowing them to keep operating, just at a slower pace.
How do we know that the virus did indeed damage the facility? What if they discovered it, analyzed it, and are telling us a story while continuing, now unchallenged?
They got DDoSed, and now they also get slashdotted while trying to deal with the traffic.
China supposedly got a chance to audit the code, so now you can rest assured.