Stuxnet – People Who Live in Glass Houses Should Not Throw Stones

The USA and Israel are reported to have released the Stuxnet malware in Iran and did not intend the malware to escape a secure network. It did, and now the world knows that the USA has declared war via malware. The problem for the USA is that this strategy will backfire. Not only will a malware arms race develop but the USA, being huge in IT and largely a monoculture of that other OS, is ripe for the picking.

Malware has been shown to be effective and cheap at copying information/secrets/passwords, fraud, and other crimes but, in war, nothing prevents participants from going further, sabotaging IT. Combatants can plant IT bombs to go off at precisely-defined times to do the most damage. Think erased hard-drives, modified messages, bit-rot, DDoS, and all that. If the USA is not yet tired of war they certainly are doing their best to provoke another waste of resources. They will do more harm to themselves than all the terrorists have ever done in history, and they are virtually defenceless because hundreds of millions of PCs use x86 and XP or “7”. The USA has painted a bull’s eye on its back.

See Confirmed: US and Israel created Stuxnet, lost control of it | Ars Technica.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

11 Responses to Stuxnet – People Who Live in Glass Houses Should Not Throw Stones

  1. Ivan says:

    What part of “targeted attack” don’t you understand, Bob?

    @ Pete: You must be a riot at parties with your willingness to quibble. What does it matter if a substation is destroyed or a line melted? Or lines in a substation melting and setting everything on fire, therefore destroying the substation?

    The end effect is still the same.

    Anyway, Gnome and KDE automount and autoindex everything on a usbdrive before the drive is visited, by default. Those two are the majority desktops.

  2. Ivan wrote, .

    That can only happen with something like a buffer-overflow and getting the overflow to be in-line executable. How unlikely is that to happen on 300 distros with several releases and different versions of libraries? The only likely way that is to happen is an inside job where the intruder is able to practise on an image of the target machine. Compare that effort to what the script-kiddies have to do to compromise thousands of machines running that other OS.

  3. oiaohm says:

    Ivan “But Linux desktop environments autoindex images when USB sticks are inserted.”

    Most Linux desktop environments don’t auto index images until the drive is at least visited. They don’t auto mount on insert and start indexing like Windows does.

    “malware to attack known vulnerabilities in graphic libraries to do what they want.”
    Funny enough most depend on what compiler and what compiler option the graphics library was built with if they work.

    “cat kitten.jpg malware_linux_binary > cute_kitten.jpg”
    Yes items like this had been tested against Linux systems and found to be inconstant on operation. It’s not a sure way to infect a Linux system if you don’t know the distribution at other end. Inconstantly directly links to compiler options.

    Ivan go read the Bloomberg report. Nowhere does computer system take out the lines. Takes out the substations. Substations there are a lot of them unmanned in the USA. Only trained personnel can work on them. The voltages in there can kill. This can still cause a long outage.

    Now you don’t know infrastructure. Without a control system that works to control feed directions you will be tripping the safeguards on the lines a lot. The tree hitting powerline August 2003 did not melt one line. But caused a lot of lines to trip their safeguards. Once they are tripped someone physically has to visit them and turn them back on that pushes more load onto the other lines. So now you are in a nightmare problem if computer is not doing maths right. You could end up with every line tripped. Of course the USA grid also lacks a manual fall back option due to lack of staff at substations. Due to backhoe through critical power company fiber in Australia our power networks have been tested in manual. Ok result is not nice 8 hours of power a day for about 1 week. Manual load cycling. You cannot push as much power through the grid without computer control.

    Read back I did not say that a power grid attack was impossible. The effect you were talking about melting lines is impossible.

    “Main reason why there is any risk from something like Stuxnet is that our infrastructure is defective.”
    This is still true. We run lines close to their limits so there is no option to say when this line gets inside 10 percent of max load start worry. Lot lines run inside 0.1 percent of max load for many hours at a time ie 99.9 load. With human manually controlling line can only be taken to 90 percent load. Preferred is between 80 to 90 with human in control to allow for load spikes.

    So to be able to operate with computers down USA power network needs to be way larger and more staff.

    So yes the infrastructure being defective and being run close to max load is why 1 tree caused power outages in 2003. Not enough stack space to take a failure. Whatever Stuxnet could do to the power grid a large nasty lightning storm hitting enough of the USA grid could generate the same problem.

    Hardening the computers against Stuxnet does not fix the problem that the USA power grid could be taken out by mother nature. Ok if not a lightning storm what else could trip every line to fail at once. 1 big solar flare also resulting EMP from the big solar flare would also take out all non hardened silicon.

    Yes mother nature is holding all the cards here computer controlled can be killed by mother nature any time it decides to. If you cannot turn your computers off and operate your power grid manually you are a sitting duck.

  4. Ivan says:

    cat kitten.jpg malware_linux_binary > cute_kitten.jpg

    user clicks on cute_kitten.jpg to view the image
    malware executes
    linux machine compromised regardless of file extension

  5. Ivan wrote, “When a city the size of Munich spends tens of millions to migrate over a period of twelve years, you can guarantee that the US government will quintuple that if they decide to listen to a retired Canadian school teacher and move to Debian, which we both know won’t happen.”

    Munich spent less migrating to GNU/Linux than if it had stayed on the Wintel treadmill. They could probably lay off some IT staff now if they wanted but it’s politics. Migration applied in place of “upgrading” to M$’s next OS may cost very little in comparison. When I did that, the savings in licensing was applied to hardware, allowing us to nearly double the expenditure on hardware for the same total cost. We could have migrated for half what it cost to take another step on the Wintel treadmill. You will recall M$ publicly offered a huge discount to stay competitive for a single step. Munich has now passed two steps, NT to XP and XP to “7”. The cost to migrate to the next release of GNU/Linux is trivial since the distro makes the upgrade a mere command in most cases and the open standards keep their documents working.

    Ivan wrote, “There is very little stopping anyone from cat’ing together cute kitten pictures with malware to attack known vulnerabilities in graphic libraries to do what they want.”

    There are many fewer such vulnerabilities in GNU/Linux because GNU/Linux does not consider images executable, as that other OS does… As well GNU/Linux systems may have several graphics libraries in use while that other OS uses one that the malware artists know will be on 1000 million PCs and it’s tied into the OS intimately. Targeting matters in many ways. Having a monoculture of that other OS is a serious vulnerability. A huge difference in the way images are processed is that other OS hides file-extensions so that “cute_kitten43.jpg” shown to the user could actually be “cute_kitten43.jpg.exe”. That nonsense does not happen in GNU/Linux. Another is that GNU/Linux examines the file and does not operate based on the file-name.
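A defensive check for the two file tricks raised in this thread, data appended after the end of a JPEG and a double extension such as `.jpg.exe`, shown as an added example that is not part of any comment or of the original post. The function names, the extension list and the sample bytes are constructed for illustration.

```python
# Well-known magic bytes of two executable formats.
EXEC_MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE/DOS"}
EXEC_EXT = {"exe", "scr", "com", "bat"}   # assumed list, extend as needed
SCAN_SKIP = {0x00, *range(0xD0, 0xD8)}    # stuffed byte and RSTn inside scan data

def jpeg_end(data: bytes) -> int:
    """Walk the JPEG segments and return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        m = data[i + 1]
        if m == 0xD9:                         # EOI: the image ends here
            return i + 2
        if m == 0xFF:                         # fill byte before a marker
            i += 1
        elif m == 0x01 or 0xD0 <= m <= 0xD7:  # markers without a length field
            i += 2
        else:
            i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
            if m == 0xDA:                     # SOS: skip the entropy-coded scan
                while i + 1 < len(data) and not (
                        data[i] == 0xFF and data[i + 1] not in SCAN_SKIP):
                    i += 1
    raise ValueError("truncated JPEG, no EOI marker")

def check_image(name: str, data: bytes) -> list:
    # Findings for a file that is presented to the user as an image.
    findings = []
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[2] in EXEC_EXT:
        findings.append(f"double extension, real type .{parts[2]}")
    kind = next((k for m, k in EXEC_MAGIC.items() if data.startswith(m)), None)
    if kind:
        findings.append(f"content is {kind}, not an image")
    elif data[:2] == b"\xff\xd8":
        trailer = data[jpeg_end(data):]
        if trailer:
            t = next((k for m, k in EXEC_MAGIC.items() if trailer.startswith(m)), "unknown")
            findings.append(f"{len(trailer)} bytes after EOI, {t} trailer")
    return findings

# Constructed sample: SOI, APP0, SOS, scan bytes (with FF00 and RST0), EOI.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x04JF\xff\xda\x00\x04\x01\x02"
               b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
ELF_STUB = b"\x7fELF" + bytes(12)             # constructed 16-byte header stub
print(check_image("cute_kitten.jpg", SAMPLE_JPEG + ELF_STUB))
```

The check reports what a file contains and how it is named; it does not say whether any viewer would act on the trailing bytes.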

  6. Ivan says:

    Migration is not that expensive.

    When a city the size of Munich spends tens of millions to migrate over a period of twelve years, you can guarantee that the US government will quintuple that if they decide to listen to a retired Canadian school teacher and move to Debian, which we both know won’t happen.

    I have never seen a GNU/Linux virus.

    Gnome-look has nice screensavers and themes.

    The (false) sense of security while using Linux allows social engineering attacks like that to work, the lack of quality detection tools allows that malware to remain installed.

    @ Pete, Bloomberg disagrees with you on the feasibility of a power grid attack.

    Stuxnet has been documented as getting into a few places by autorun. A feature Linux has always lacked.

    But Linux desktop environments autoindex images when USB sticks are inserted.

    There is very little stopping anyone from cat’ing together cute kitten pictures with malware to attack known vulnerabilities in graphic libraries to do what they want.

    The operating system simply doesn’t matter in a targeted attack.

  7. oiaohm says:

    Ivan really you know nothing of infrastructure.

    “send enough power through a high tension line and it will melt”
    This is not possible. These are fused or have huge circuit breakers each end. Required for lightning strike. Yes a lightning strike can hit line melt and cut it. That overload causes the fuse/circuit breaker to trip each end so cutting the power on the line. Attempting to overload a line will trigger the same safeguards. These safeguards are not computer controlled. In normal operation they should never trip. In fact the computer gets instructed to send an overload to test that they will trip from time to time.

    Nuclear meltdowns are because we are idiots using rod based designed for reactors instead of pebble bed and other safe designs. Japan disaster recently it would not matter what OS you had melt down was going to happen. Mother nature stuffed the cooling system. A safe design like a pebble bed reactor kill the cooling system it rises to a particular temp and naturally levels off. No meltdown no major issue just a little warm so its going to be a little tricky to restart without having a steam explosion. That still will not cause it to fail badly.

    Main reason why there is any risk from something like Stuxnet is that our infrastructure is defective.

    Stuxnet has been documented as getting into a few places by autorun. A feature Linux has always lacked.

    Basically Ivan if a computer virus can do real world damage the infrastructure in use is defective and normally weak to mother nature as well.

  8. Ivan wrote, “why spend the mega-millions to migrate?”

    Migration is not that expensive. I can migrate a computer lab in about an hour under optimum conditions, say 24 PCs at $40/h, $1.67 per PC. It just takes one installation on the terminal server and setting a bunch of BIOS to boot PXE. For a billion PCs, it is a lot of work/time/money but it is far less than paying M$ and partners, $100 or so.

    I have never seen a GNU/Linux virus. I have heard of apps that could be compromised by faked input files but never seen an example. Then, that’s likely to result in user-level access.

  9. Ivan says:

    Now that I’m only mildly amused…

    Why worry about data loss when a targeted virus could cause real world damage like melted power lines (send enough power through a high tension line and it will melt), nuclear meltdowns (change the temperature reporting in the software that controls the cooling systems), etc. Oh, and as the virus is targeted, the use of Linux would not prevent any of those disastrous scenarios from occurring.

    So why spend the mega-millions to migrate?

  10. kozmcrae says:

    Ivan said:

    “Really, Bob?”

    I recently changed distros. I just paved over the old one. My home partition remained intact with all my data, email and even configuration settings for different applications. But I will grant you this: Migrations are a pain, that’s 45 minutes I’ll never see again. 😉

  11. Ivan says:

    Really, Bob? That’s the worst case scenario you can come up with? Data loss? The same thing that happens when you install Debian?

    I’ll get back to you when I stop laughing.
