Stuxnet minus the hype – What you actually need to know

Don't panic


There has been a lot of hype and speculation in the media over the last few weeks about the Stuxnet virus. I thought it might do us some good to ignore the conjecture and look at the implications of the virus for the rest of us.

Disclaimer: It’s unlikely I am exceedingly well known in the industrial control community, but on the tiny off chance you run an industrial control system, this article may not be for you. If you are someone whose job it is to be worried about this and want some personalized advice, please contact me by email.

Now that I’ve got that out of the way, what does Stuxnet mean to the rest of us? Not much. It gave us four new zero-day vulnerabilities to patch. Microsoft has released fixes for two of them (MS10-046 and MS10-061), but has yet to fix the other two. The two remaining flaws are for privilege escalation and are therefore less risky than the remote code execution flaws already fixed. The moral of the story? Deploy your patches, same (I hope) as you always do. For most, this is business as usual.

Stuxnet uses USB mass storage devices as one of its primary infection vectors. If you have been infected with Stuxnet or are concerned about USB malware, you should take a serious look at your IT security policies. If you allow random USB sticks, iPods, Blackberries, and digital cameras to connect to your PCs without controls, you are far more likely to be victimized by any of thousands of pieces of opportunistic malware than to be hit by Stuxnet.
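As an added example of what a minimal removable-storage control looks like on a Windows host (this is my own illustration, not code from the original post or from Sophos), the script below audits and, with `-Enforce`, applies two independent settings: the USBSTOR driver service start type (4 = disabled), and the `Deny_All` value under the `RemovableStorageDevices` policy key, which is what the "All Removable Storage classes: Deny all access" Group Policy setting writes. The function and parameter names are my own; the registry paths are the standard ones, but confirm the policy key against your domain's ADMX templates before relying on it.

```powershell
# Added example (not from the original post): audit and enforce a
# "deny removable storage" baseline on a single Windows host.
# Run elevated. Without -Enforce the script only reports.
[CmdletBinding()]
param(
    [switch]$Enforce
)

# Standard registry locations: the USB mass storage driver service and the
# Group Policy key for removable storage access.
$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageState {
    # Read both controls; a missing value simply reads as "not set".
    $start   = (Get-ItemProperty -Path $UsbStorKey -Name Start -ErrorAction SilentlyContinue).Start
    $denyAll = (Get-ItemProperty -Path $PolicyKey -Name Deny_All -ErrorAction SilentlyContinue).Deny_All
    [pscustomobject]@{
        UsbStorDisabled  = ($start -eq 4)     # 4 = service disabled, 3 = default (manual)
        DenyAllPolicySet = ($denyAll -eq 1)
        Compliant        = ($start -eq 4) -and ($denyAll -eq 1)
    }
}

function Set-RemovableStorageDenied {
    # 1. Stop USB mass storage devices from being mounted at all.
    Set-ItemProperty -Path $UsbStorKey -Name Start -Value 4 -Type DWord
    # 2. Apply the deny-all removable storage policy value (what the GPO
    #    "All Removable Storage classes: Deny all access" would set).
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name Deny_All -Value 1 -Type DWord
}

$before = Get-RemovableStorageState
Write-Output "Before: $($before | ConvertTo-Json -Compress)"

if ($Enforce -and -not $before.Compliant) {
    Set-RemovableStorageDenied
    $after = Get-RemovableStorageState
    Write-Output "After:  $($after | ConvertTo-Json -Compress)"
    Write-Output "Note: devices already connected keep access until they are reconnected or the machine reboots."
}
elseif (-not $before.Compliant) {
    Write-Warning "Removable storage is not fully denied. Re-run with -Enforce to apply the baseline."
}
```

A flat deny-all is the simplest baseline and is what a standalone or kiosk machine should usually get. A "sensible" policy for a fleet normally allows approved, managed devices and denies everything else, which means setting these values through Group Policy (and, if you need per-device allow-listing, a device control product) rather than editing the registry by hand on each PC; the audit half of the script is still useful for confirming the policy actually landed.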

In an interview I did yesterday with Slate magazine, Farhad Manjoo exposed the risks involved and wrote about how most people do not look at a USB device and see risk. In reply to the article, Lysa Myers of West Coast Labs summarized it quite succinctly on Twitter, “You wouldn’t stick something you found in a parking lot in your mouth, why your computer?”

In last week’s Chet Chat, Paul Ducklin and I discussed policies regarding USB device control. Paul shared his thoughts on whether Stuxnet is the beginning of a new cyberwar and how effective deployment against its target requires others’ negligence.

Is this cyberwar? If it is, it’s not terribly scary. The attacks on Estonia and Georgia are far more representative of cyberwar than this. Consider the fact that Anonymous (4chan) are able to remove opponents from the internet at will with a small force and you begin to understand that Stuxnet is not the only game in town.

To a small degree this underlines the importance of alerting owners of bot-infected computers to the fact that they are no longer in control, as Comcast announced they will be doing, and as Aussie ISPs have voluntarily been doing for some time. In the big picture, this will likely have a far greater impact on nations’ abilities to defend and protect their internet assets than panicking over one worm that targets an unknown victim.

If you aren’t controlling access to USB devices, this is an excellent opportunity to devise a sensible device control policy. Patching is more important than ever, but please… don’t panic.