I’m not sure that the graphics in this capsule video about the Stuxnet virus add a great deal of information to the narration, but they sure look pretty [via FlowingData]. Almost pretty enough to distract you from the scary underlying message, namely that SOME NATION-STATE OR ANOTHER WENT AND DESIGNED A WEAPON TO SPIKE IRAN’S NUCLEAR WHEELS WITHOUT CONSIDERING THAT IT MIGHT GET RE-CODED, REVERSE ENGINEERED AND TURNED BACK ON THEM BY THEIR ENEMIES.
Just goes to show that spending a lot of money on 1337 black-hat h4x0rz doesn’t preclude you being a short-sighted fool… or perhaps simply being the sort of political actor whose idea of the long game is to give everyone in the room the same weapon and see who moves first. At this point, I’m not certain which is the scarier prospect.
This kind of misses the point that 0-day exploits (essentially, code that exploits unknown bugs to take control of the vulnerable software) are no longer 0-days once they are published. So the offensive capabilities of the virus started quickly diminishing after it was published.
By now, Stuxnet is full of cool historical vulnerabilities, and probably some nice tricks, but it is no longer the weapon it once was.
Well… that’s the theory, and it relies on the assumption that vulnerabilities will be quickly fixed by the vendors (but industrial software vendors have an absolutely terrible track record in this regard), and the fix deployed or the vulnerability obstructed by the system administrators (but I would not rely on utility companies doing anything remotely close to state of the art in computer security).
So… well… the security of industrial computer systems sucks. The only new thing there is that the general public might be slightly more aware of the situation. Experts have known it since forever.