Stuxnet almost certainly meant to hobble Iranian uranium

Paul Raven @ 17-11-2010

Remember all the hypothesising about what the Stuxnet worm was supposed to do, and who had designed it for such? Well, the expert verdicts are in, and it appears Stuxnet was designed to very subtly sabotage uranium centrifuges by varying their rotation speeds in a way that, while hard to notice for humans, would effectively negate the enrichment process they are designed to perform.

So Iran’s Bushehr plant was almost certainly the target (or one target among many); and while we don’t have (and may never have) any substantive proof as to exactly who decided that they wanted to spoke Ahmadinejad’s nuclear wheels on the sly, I think we all know how the odds would fall if you were to pop down to your local bookmakers*.

Regardless of who did it, Stuxnet represents the opening of a particularly well-stocked Pandora’s box: highly specific sabotage targeting of embedded (and potentially critical) industrial systems. As Bruce Sterling points out, anyone who hadn’t thought of it before has certainly thought of it now. All the recent hyperbole describing the antics of patriotic DDoS skript-kiddiez as “cyberwar” is gonna look pretty facile when stuff like Stuxnet becomes commonplace… which, with the benefit of hindsight, may have been the entire point all along.

[ * I’ll take a £5 spread on the US and Israel, please. ]

What we know and what we assume: Schneier on Stuxnet

Paul Raven @ 08-10-2010

Bruce Schneier has a good round-up of the hard facts about the Stuxnet worm (as mentioned previously), as well as an examination of how those hard facts – combined with a few very speculative conspiracy-theory-grade interpretations of some of the more cryptic and tiny facts – have led to the current state of the story in mainstream (i.e. non-techie) media, namely “it was probably an Israeli job”.

Best I can tell, this rumor was started by Ralph Langner, a security researcher from Germany. He labeled his theory “highly speculative,” and based it primarily on the facts that Iran had an unusually high number of infections (the rumor that it had the most infections of any country seems not to be true), that the Bushehr nuclear plant is a juicy target, and that some of the other countries with high infection rates–India, Indonesia, and Pakistan–are countries where the same Russian contractor involved in Bushehr is also involved. This rumor moved into the computer press and then into the mainstream press, where it became the accepted story, without any of the original caveats.

Once a theory takes hold, though, it’s easy to find more evidence. The word “myrtus” appears in the worm: an artifact that the compiler left, possibly by accident. That’s the myrtle plant. Of course, that doesn’t mean that druids wrote Stuxnet. According to the story, it refers to Queen Esther, also known as Hadassah; she saved the Persian Jews from genocide in the 4th century B.C. “Hadassah” means “myrtle” in Hebrew.

Stuxnet also sets a registry value of “19790509” to alert new copies of Stuxnet that the computer has already been infected. It’s rather obviously a date, but instead of looking at the gazillion things–large and small–that happened on that date, the story insists it refers to the date Persian Jew Habib Elghanain was executed in Tehran for spying for Israel.

Sure, these markers could point to Israel as the author. On the other hand, Stuxnet’s authors were uncommonly thorough about not leaving clues in their code; the markers could have been deliberately planted by someone who wanted to frame Israel. Or they could have been deliberately planted by Israel, who wanted us to think they were planted by someone who wanted to frame Israel. Once you start walking down this road, it’s impossible to know when to stop.

Are those mysterious little comments in the code the flourished signatures of master cyberwar artistes? Or a frame-job packed with credible deniability? Or an elaborate double (or triple) bluff? Truth of the matter is, we’re all just guessing. They say that life sometimes imitates art; this is a case of life imitating The Illuminatus! Trilogy, only without so many puns or sex scenes. We all have a story we want to map on to the world, and it only takes a few pins to tack it down in a way that seems to explain everything…

[ * For the record, my instinct tells me – with admittedly very little professional knowledge to back it up – that Stuxnet stinks of nation-state vs. nation-state, and I get the impression Schneier thinks so too. His point is about how we treat speculative interpretations as givens when they match up with the way we already think things work… confirmation bias, in other words. ]

Cyberwar that actually deserves the name

Paul Raven @ 24-09-2010

After a few years of grandstanding and chest-thumping about the dangers of cyberwar from the military complexes of the West, especially the US, we finally see something that actually looks like a covert act of digital warfare initiated at nation-state level (as opposed to the petty vandalism and independent street-gang-equivalent activity that has been heretofore labelled as cyberwar). And you know what? It might well have been the US military establishment that did it.

The story in question is the Stuxnet computer worm, which you’ve probably read about somewhere already. But just in case you’ve not, here’s the skinny: Stuxnet takes advantage of four different security holes in Microsoft Windows (which is far from out of the ordinary; if you’re gonna rob houses, go for the ones with no locks on the doors), which means it can spread very fast; it’s controlled and upgraded in a decentralised peer-to-peer fashion (also not new, as we saw the same thing in the big botnet worms of recent times), and has the added ability to jump onto removable media (thumb drives) to expand the infection vectors.

So far, so geeky. The weird bit is what Stuxnet actually does. Rather than setting up spam email farms or harvesting credit card numbers (the traditional remunerative ends of such software), it targets a very specific type of embedded industrial control software developed by Siemens… software that, according to Wired, is “installed in pipelines, nuclear plants, utility companies and manufacturing facilities to manage operations.” Furthermore, the configuration suggests a very specific sort of installation was the intended target, and that sabotage thereof was the intent; a German researcher theorises (admittedly without much in the way of evidence) that one of Iran’s nuclear plants was the target, and that the US or Israel are the likely nation-states-of-origin. It’s a sad thing to admit, but that’s all too believable a theory… which is doubtless why it’s getting so many mentions. Read, and read widely:

Of course, plausibility isn’t probability; perhaps Stuxnet was developed by a rival company wishing to discredit the safety of Siemens’ systems*. The web enables industrial espionage, so why not industrial sabotage? But it seems an odd angle to take; deft marketing does just as effective a job of discrediting market-leading tech without engaging in criminal activity, and a black-ops hacking project would be an odd way to spend an R&D budget that would be better spent on, y’know, building a better mousetrap. Sabotage is a political act, ideological warfare… and that’s a nation-state game, not a corporate one.

It’ll be interesting to see what more we hear about Stuxnet, if anything, but I suspect it marks the start of a new chapter of geopolitics and technologised warfare.

[ * The fact that said systems run on Windows machines should be indictment enough, to be honest. ]

A dark day for the space industry

Paul Raven @ 27-07-2007

NASA hasn’t had a good year for PR so far. Following on from the embarrassing media circus over the exploits of an ex-astronaut earlier this year, now they’re having to go public with the news that not only were some astronauts drunk in charge of their launch vehicles, but that they also discovered an act of sabotage on a computer module destined for the ISS.

Even the private sector hasn’t escaped the black cloud; an explosion at the test facility of Burt Rutan’s Scaled Composites, the company that is to supply Virgin Galactic with its sub-orbital vehicles, has killed three and injured as many again.

Stories like the above make me think that, as good as they look on paper, we probably shouldn’t be building nuclear-powered rockets just yet – the cost of mistakes and mismanagement could be far higher.