Free Republic
News/Activism

To: _Jim

It’s happening.


9 posted on 09/24/2010 7:11:45 AM PDT by null and void (We are now in day 612 of our national holiday from reality. - 0bama really isn't one of US.)


To: null and void

null and void: “It’s happening.”

Over-generalization (IOW: No it’s not); it’s a targeted event ... besides, the Iranians are all using ‘expired’ Siemens authoring control-software ...

For an interesting read see:
http://www.schneier.com/blog/archives/2010/09/the_stuxnet_wor.html

One of the better posts from that thread:

“The ability to take over a PLC/SCADA plant and make it do something specific is going to take inside knowledge, not just of the networks and SCADA, but of the actual process, wiring and components and so the question is, do the attackers have this information”

Yup, that’s my reasoning as well (but I did not put it in my comment above because some people think I say too much as it is (no, Nick P, I’m not pointing the finger :-))

It’s why I questioned the origin of the worm with,

‘All this actually tells us is that they likely have significant experience of SCADA or they were a lot closer to the target than people are admitting.’

Which is one of the reasons I suggested that Iran itself could have been the “state sponsor”.

Every time I hear about “cyber warfare” and how “crackers could bring down the world” I think ‘yup, when they learn to be engineers with domain knowledge, and that ain’t gonna happen any time soon’.

To have more chance of success than luck as a cracker you have to,

1, Locate your chosen target.
2, Enumerate it for weaknesses.
3, Exploit weaknesses without tripping alarms.
4, Enumerate the internal network without tripping alarms.
5, Locate host controller.
6, Enumerate the host for weaknesses.
7, Gain access to host controller without tripping alarms.

To get this far there are three ways I know,

A, Have “insider knowledge”.
B, Have focused intel and “domain knowledge” to direct the attack.
C, Have “domain knowledge” and use a “fire and forget” attack methodology.

On the face of it this worm appears to be C and similar to the PDF/DOC harvest version of Zeus that went for the .mil network.

However when you look at what would be required to move forward with a real warfare attack then it comes a long way short as you said.

As you dig a little deeper you realise as you said that domain knowledge alone is insufficient to get a real warfare result.

Which means that either,

D, It was trying to close the intel gap.
E, It was a fund raiser / saber rattler.

Personally, from some experience, I would doubt that D would actually get you anywhere near as far as direct human intel. Also, D is quite costly compared with direct human intel. Further, there is the issue of “footprints and fingerprints”: burglars try very hard not to leave signs of “reconnaissance” such as footprints, and they try even harder not to leave positive incriminating evidence such as “fingerprints”.

This worm leaves both footprints and fingerprints, all of which is a little too obvious and makes me start looking for a rat.

Again, on the face of it, four zero-days does seem a little extravagant, or does it?

Personally I think not, but my reasoning is long-winded.

Which leaves us with, shock horror, access to code signing keys.

But again, how significant is this... we have recently seen the HDCP master key being revealed, and not so long ago the keys to TI calculators.

So the question becomes how many other code signing keys have become vulnerable, and the answer, unsurprisingly, is: ask how much security is used around the keys...

Generally not a lot. That is, lowly “code cutters” get lowly pay, and getting code cranked through the code signing process is a lot easier than people think, as the lowly code cutters do not regard it as security, just part of the code cutting “handle cranking”.

And often neither do the managers etc.; some “bought in” talent may well have slipped code through the process without anybody noticing.

All of which is just as easy for “state sponsored” as it is for “non state sponsored”...

This then brings in the question of “plausible deniability”, by the use of an intermediate party to a third party between a state player and the third party malware cutter.

I could go on but...

Posted by: Clive Robinson at September 23, 2010 12:08 PM


45 posted on 10/02/2010 3:43:16 PM PDT by _Jim (Conspiracy theories are the favored tools of the weak-minded.)


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson