Sky News just published an article, complete with video, entitled Stuxnet Super Virus ‘In Hands Of Bad Guys’.
In the article and the video, you will see and hear a variety of startling claims.
The narrator, for example, states that “Stuxnet disrupted Iran’s nuclear programme. The bug, or malware, was slipped into the circuits in the new Bushehr power plant.”
Really? Prove it. Show me some credible evidence.
A tame ethical hacker, interviewed to camera by Sky, points at some graphs on a web page, claiming that the graphs show the number of attacks this month and last month.
The screen grab is too indistinct to make out. It could show anything, and probably does, especially since the hacker doesn’t bother to define “attack”. Does he mean the number of reports from computers where an attempt at infection was detected and blocked? Where an infected file ran on a PC which needed to be cleaned up? Or a full-blown infection in which an industrial control device was actually affected, as ultimately intended by the virus?
An unnamed source is quoted by Sky to have said that “we have hard evidence that the virus is in the hands of bad guys – we can’t say any more than that.”
Honestly? A virus in the hands of bad guys? What a surprise. “We can’t say any more.” Really? This is the same sort of excuse I’ve heard many times before from those who claim to have irrefutable evidence of some sort of nation-state cyberwarfare.
Try looking up catchy names like Titan Rain, Ghostnet, and Operation Aurora. Now find someone who claims to be able to show that those were cyberwar. Then ask them about the proof. If they don’t jump at once behind the “if I tell you, I’ll have to kill you” copout, please tell me. They sound like people we could genuinely learn from.
And Sky even managed to get a UK-based consultant to say, as deadpan as you like, that with a copy of the Stuxnet malware, you could pretty much do anything you want. “You could shut down the Police 999 [UK emergency number] system. You could shut down hospital systems and equipment. You could shut down power stations, you could shut down the transport network across the United Kingdom.”
(That’s the first time I’ve heard that the UK actually has a country-wide integrated transport network which could operate all at once, which is surely an important prerequisite for any possibility of shutting it down in its entirety.)
We don’t need yet more speculation about Stuxnet when we already face a determined and extensive enemy in the form of cybercriminals. They are routinely stealing our credentials, plundering our bank accounts, raiding our retirement funds, subverting our payment systems and even – as one poor fellow in Western Australia found out recently – selling our houses from under our feet.
The problem with inaccurate, inflammatory and irresponsible stories about Stuxnet – good though they may be for page impressions and video views – is that they make cybercriminality sound like a second-rate problem when it is positioned against a news backdrop alleging cyberwar.
Yet it is the sort of rampant and general cybercriminality I mention above which is, in my opinion, significantly more likely to undermine the economic stability of, and thus the quality of life in, many developed countries.
Let’s stop being frightened of shadows and actually concentrate on getting rid of the cyberenemy already in our midst.
About up to Sky's normal standards. Can't wait to see the Fox News version (bet it will be Obama's fault!)
That Sky article (I read it before reading this) set off several of my 'this is a hoax' alarms… Massive threats, unsubstantiated claims (even Google doesn't know who he is!), hyperbole (the national transport network).
It just didn't have the 'forward this to all your friends' line.
Good post. The report is on Sky as I type, and it looks to me like a pitch for business by IT security consultants. Although I liked the guy who said 'if you're a generation behind, you've already lost', because he'd already said we're a generation behind, so on his logic he is himself redundant. It's all too much like the Millennium Bug fears that threw up a lot of unscrupulous cowboys, or the technical 'threat inflation' routinely practised by the defence industry.
And anyway, we don't need something as technical as 0-day sploits wrapped up in a specific package for Siemens PLCs to bring our transport system to a halt in the UK.
We have snow to do that for us.
Wow. The line, “Try looking up catchy names like Titan Rain, Ghostnet, and Operation Aurora,” pretty much underscores the extreme irony of this post (and why I’m bothering to reply in the first place). Both the tone and content of your blog underscore why AV companies (like yours) are so terrible at finding any type of malware that extends past mass exploitation campaigns – and even that’s arguable. How about rather than focusing on quotes by fourth-rate consultants in third-rate media outlets, you focus on why malware with revoked Authenticode certificates (in the case of Stuxnet), or binaries with completely mangled PE structures (in the case of most maliciously obfuscated binaries), are blatantly missed by your products?
If an altered Stuxnet was allowed to get into highly integrated industries (car manufacturing, food production etc.) where large numbers of the PLC controllers are connected together, then perhaps damage could be done. But this has been a wake-up call to Siemens and other PLC manufacturers; it shouldn't take long for them to issue firmware fixes that nip this problem in the bud.
If you're really interested in Stuxnet I would advise you to read the blog of Ralph Langner: http://www.langner.com/en/blog/
He is one of the very rare persons who really has the background knowledge and intelligence to estimate the real threat of Stuxnet.
I'm not joking, read the blog from the beginning. It is not only interesting for newbies but also gives us a perspective about what we have to fear in the future of cyberwar.