Stuxnet: Leaks or Lies?

Did journalist David Sanger discover the true story behind Stuxnet, or was he caught in a deeper web of deception?

BY Steven Cherry // Tue, September 04, 2012


Steven Cherry: Hi, this is Steven Cherry for IEEE Spectrum’s “Techwise Conversations.”

The Stuxnet computer worm of 2010 was by far the most sophisticated attack software ever written. Half a million bytes long, Stuxnet was designed to propagate via thumb drives and other removable storage. It targeted a single, specific type of highly specialized industrial device: uranium-enrichment centrifuges made by one company, the German conglomerate Siemens, at one location, Iran’s Natanz processing facility.

In a book published earlier this year by Crown Publishing, New York Times journalist David Sanger describes how, according to his sources, Stuxnet “escaped into the wild” when an engineer accidentally infected his own computer and later plugged it into the Internet.

My guest today is a software engineer who has been involved with industrial control systems for decades. He has even helped Siemens design some of the software tools used to program systems like the one in Natanz. He says that some aspects of Sanger’s account are just not possible.

Larry Constantine is a professor in the mathematics and engineering department at the University of Madeira, in Portugal. He’s also the coauthor, with Ed Yourdon, of one of the most influential books in computer science, Structured Design. He was my guest last year when several spin-off worms of the Stuxnet technology were found by cybersecurity firms. He joins us by phone.

Larry, welcome back to the podcast.

Larry Constantine: I’m glad to be here.

Steven Cherry: Larry, let’s start by reminding our listeners in a bit more detail what Stuxnet was designed to do and what made it special.

Larry Constantine: Well, there are several things that made Stuxnet distinctive. It was, at the time, the largest piece of malicious software that had ever been discovered. Since then, larger complexes have been uncovered, possibly developed by some of the same people. Stuxnet was a specifically targeted attack system; it looked for a particular configuration that happened to be unique and distinctive to the Natanz facility for enriching uranium. It reached its target through several intermediate steps, first looking for configurations of Siemens software used to program these PLCs, or programmable logic controllers. Once it found the Siemens software, it waited for an opportunity when an engineering workstation would be connected directly to the PLC controllers, and then it would install a portion of itself—the payload—into the PLC computer and then systematically work to destroy some of the high-speed centrifuges. It did this by first spinning them up to beyond their designed speed and then suddenly slamming on the brakes to slow them way down. While it was doing this, it also used a very clever man-in-the-middle attack in which it recorded normal activity and then played this back during the times when it was carrying out its attack on the centrifuges. It was also designed to phone home and look at specific sites to get updates to its code so that it could be refined on the fly if necessary. So it combined a number of distinctive features, and in history, as far as we know, it’s the first piece of malicious software specifically designed to destroy real-world physical equipment.

Steven Cherry: In his book, Sanger describes in some detail how the Stuxnet worm escaped into the wild. What is Sanger’s account, and what’s wrong with it?

Larry Constantine: Well, the issue to me—why this, I think, is important—is whether journalists who are reporting important political stories to the public have a responsibility to get pivotal technical details right. And there are a number of things about Sanger’s account which are just not possible. So there are a number of possibilities here. One is that Sanger somehow, despite the fact that he’s a good journalist, didn’t do all the necessary background research. Another possibility is that he was deliberately misled by his sources. A third possibility might even be that he actually knew the account that he was sharing was not valid but had been requested or directed to do that since he was dealing with high-level personnel in the current administration. So, what did he get wrong? First of all, the Stuxnet worm did not escape into the wild. The analysis of initial infections and propagations by Symantec shows that, in fact, it never was widespread, that it affected computers in closely connected clusters, all of which involved collaborators or companies that had dealings with each other. Secondly, it couldn’t have escaped over the Internet, as Sanger’s account maintains, because it never had that capability built into it: It can only propagate over [a] local-area network, over removable media such as CDs, DVDs, or USB thumb drives. So it was never capable of spreading widely, and in fact the sequence of infections is always connected by a close chain. Another thing that Sanger got wrong that he reported in slightly different words in his original New York Times article earlier this year and in the book was the notion that the worm escaped when an engineer connected his computer to the PLCs that were controlling the centrifuges and his computer became infected, which then later spread over the Internet.
This is also patently impossible because the software that was resident on the PLCs is the payload that directly deals with the centrifuge motors; it does not have the capability of infecting a computer because it doesn’t have any copy of the rest of the Stuxnet system, so that part of the story is simply impossible. In addition, the explanation offered in his book and in his article is that Stuxnet escaped because of an error in the code, with the Americans claiming it was the Israelis’ fault that suddenly allowed it to get onto the Internet because it no longer recognized its environment. Anybody who works in the field knows that this doesn’t quite make sense, but in fact the last version, the last revision to Stuxnet, according to Symantec, had been in March, and it wasn’t discovered until June 17. And in fact the mode of discovery had nothing to do with its being widespread in the wild because in fact it was discovered inside computers in Iran that were being supported by a Belarus antivirus company called VirusBlokAda. So there are a number of aspects of Sanger’s story that on technical grounds simply cannot be correct, and to me this is a significant issue, not just an obscure technical matter, because it raises broad questions about the nature of the so-called leaks from administration personnel to Sanger about the quality and reliability of his reporting. If he got these aspects wrong—and these are the ones that I was able to check through public sources and my knowledge of industrial control systems—then the question is, what else did he get wrong? And interestingly enough, none of the mainstream media seems to be interested in this story, which is why I’m talking with you.

Steven Cherry: [laughs] Well, I’ll take that as some sort of weird, backhanded compliment, I guess. Now, it’s been tacitly—and in some ways explicitly—acknowledged that the U.S. and Israeli governments were behind the Stuxnet worm, as security experts thought all along. What if it’s a national security secret of two different nations—shouldn’t we just, no pun intended, let it lie?

Larry Constantine: Well, the specific technical details which I’ve just been talking about of course are already in the public media; they’re easily retrieved off the Web, and in fact I’m surprised that Sanger in fact didn’t just use his sources in industrial security, because he’s previously talked with Ralph Langner, for example, in Germany to double-check his story. The Israelis have already released information about their role. In fact, Der Spiegel, in Germany, reported back last year—August, I believe—that Meir Dagan at Mossad in Israel had actually acknowledged that Mossad and Israel were responsible for the Stuxnet worm. The only new thing that’s recently come out and been made public is the role of the German intelligence service, the BND, in persuading Siemens to cooperate in the construction—possibly—and definitely the infection of the facilities at Natanz. On the other hand, there are parts of the story that Sanger and others have reported that also do not ring true because the pattern of infection shows that actually the initial infections were almost certainly outside of the Natanz facility but in organizations that were closely connected to Natanz. So it seems unlikely that Siemens personnel actually carried the Stuxnet worm physically into the plant on a USB stick but rather served as vectors to infect computers of closely collaborating organizations. As to the national security issue, this is one of the things that has led to criticism of Sanger, is that he’s essentially leaking critical intelligence, and in fact there’s a congressional investigation that’s been started into this. I wonder if perhaps they aren’t really leaks... Is it possible this is deliberate disinformation for which Sanger was the witting or unwitting carrier of the message?

Steven Cherry: So if I understand this correctly, Stuxnet could propagate over a local-area network but not the Internet. That seems sort of counterintuitive. If something can spread over a short-range network, why can’t it spread over a long-range network?

Larry Constantine: Well, the distinction is again technical. When people say something is spread over the Internet and when there’s a virus or a worm that becomes widespread, it usually is spread either by the Web or e-mail. The thing is that Stuxnet has to actually see the local addresses over the local-area network, which is by definition more limited than the Internet. Now, it did have the capability of exploiting a hole in what’s called “remote procedure calls,” which—I don’t know the details—but might allow it, for example, to do something over a virtual private network. And there are some things about the patterns of infections in other countries that suggest that computers in one organization or one part of an organization connected by a virtual private network would be seen by Stuxnet as local and would be able
