Stuxnet Worm Claimed To Be Devastating In Iran

sciencewatcher writes "At debka.com, a website associated with intelligence communities focusing on the Middle East, the claim is made that Tehran this week secretly appealed to a number of computer security experts in West and East Europe with offers of handsome fees for consultations on ways to exorcise the Stuxnet worm spreading havoc through the computer networks and administrative software of its most important industrial complexes and military command centers."
  • by Bert64 ( 520050 ) <bert@[ ]shdot.fi ... m ['sla' in gap]> on Wednesday September 29, 2010 @08:58AM (#33733284) Homepage

    Doesn't really matter either way...

    Iran was grossly negligent in allowing their critical infrastructure to run on software controlled by a hostile government (and which they most likely had to pirate because there are export restrictions against Iran).

  • by d3ac0n ( 715594 ) on Wednesday September 29, 2010 @08:59AM (#33733288)

    But I'm having a really hard time getting upset over the Iranian government being brought to a crawl by a computer virus. These ARE the same people that have made no bones about wanting to commit genocide against all Jews, and have tortured and murdered millions of their own people.

    Personally, I hope it causes a total collapse. Perhaps then the Green Revolution people (those that are still alive, anyway) can have a chance at creating a true Democracy in Persia. The Persian people certainly deserve it.

    What DOES worry me is that this is, in some ways, a "genie out of the bottle" moment. Formal "Weaponized" use of a computer virus to attack a state. While I'm sure it was inevitable, it is still a bit of a shock to know that the day has arrived.

    All the more reason to be sure to be using a variety of redundant and disparate OS types to support your infrastructure I guess.

  • by Anonymous Coward on Wednesday September 29, 2010 @09:05AM (#33733358)

    (repost as the first one isn't showing up)

    They would in any case have an incentive to give the impression that everything grinds to a halt. The more their nuclear programme slows down the longer it will be until Israel feels the urgent need to bomb it.

    I like to play a little game called "Which world do we live in?". You describe two worlds that are generally similar but differ on some characteristics, and try to find out which of the two worlds we live in, or ways to go about finding out. I am not sure of an easy way to find out in this case.

  • by Randle_Revar ( 229304 ) <kelly.clowers@gmail.com> on Wednesday September 29, 2010 @09:06AM (#33733362) Homepage Journal

    If Stuxnet is attacking Iran, I'd bet on Israel (just) ahead of the US.

  • by jDeepbeep ( 913892 ) on Wednesday September 29, 2010 @09:06AM (#33733376)
    If anything he said was untrue, I feel certain you would improve your argument against his statements, by providing information from factual unbiased sources. Just saying. *waits for offtopic mods*
  • Spreading havoc? (Score:5, Insightful)

    by brian0918 ( 638904 ) <brian0918@gma[ ]com ['il.' in gap]> on Wednesday September 29, 2010 @09:08AM (#33733388)
    It's my understanding that Stuxnet was designed to only *do only* to one certain computer/system that was specifically targeted. On all other computers that do not match the signature of that computer, it leaves them alone. So what is the "havoc" that it is causing?
  • by davev2.0 ( 1873518 ) on Wednesday September 29, 2010 @09:08AM (#33733394)
    I think Iran did it to themselves.
  • by John Hasler ( 414242 ) on Wednesday September 29, 2010 @09:12AM (#33733440) Homepage

    So would I, but I'd put Israel way ahead. However, I don't discount the possibility that no government was involved.

  • by Darkness404 ( 1287218 ) on Wednesday September 29, 2010 @09:16AM (#33733464)
    ...Except for the fact that encryption software is often times classified as "military" technology, making the distribution of most software impossible.
  • Re:Millions? (Score:5, Insightful)

    by Anonymous Coward on Wednesday September 29, 2010 @09:17AM (#33733478)

    Sadly, most industrial control stuff runs on Winderz. It's all DCOM-based and takes so much banging your head against the monitor to get configured and working properly that oftentimes, you end up having disabled most any security features available out of sheer "maybe THIS will work" frustration. When you finally DO get it working, the last thing you want to do is go back and start turning on the security features as it will just break this fragile house of cards.

    At least that's been my experience with it.

    Posting anonymously cuz I just kind of admitted I'm DOING IT WRONG. But I swear it's true.

  • by elrous0 ( 869638 ) * on Wednesday September 29, 2010 @09:21AM (#33733520)
    If a virus like this were to succeed in its apparent goals (wreaking havoc on the Natanz enrichment facility [globalsecurity.org], or worse, the new Bushehr nuclear power plant [wikipedia.org]) it could potentially cause an accident that could kill a LOT of innocent people. It had the very real capacity to send the reactors at Bushehr into meltdown. And I'm pretty sure the people who live around that facility had nothing to do with genocide against the Jews (nor have most Iranians ever fired so much as a shot against Israel).
  • by dr2chase ( 653338 ) on Wednesday September 29, 2010 @09:25AM (#33733544) Homepage

    As I understand it (I just used teh Google to figure out whether this worm phones home), the worm does phone "somewhere", and worms on a network update among themselves in a peer-to-peer fashion.

    So, perhaps it started as one thing, and has become another. In particular, if the party answering the "phone home" can tell who is calling, they might deliver different payloads to known-Iranian IP addresses and other addresses. (That's what *I* would do.)

    Reality seems to be catching up to our more paranoid fantasies, and I'm not sure that's a good thing. I'm feeling better and better about cut-wire security, and it sounds like it would be a good idea to stuff the USB slot full of epoxy.

  • by __aaqvdr516 ( 975138 ) on Wednesday September 29, 2010 @09:26AM (#33733560)

    IAAICT (I am an Instrumentation and Controls Tech)

    Stuxnet specifically targets Siemens Simatic WinCC software and associated PLCs. Essentially, the WinCC software is the programming base to interact with the PLCs, which are discrete CPU/memory clusters running optimized code for whatever it is you'd like to do. There are many PLC manufacturers and they use their own programming software to upload/download to their CPUs. The fact that this worm only interacts with Siemens software is not surprising as Siemens is one of the major manufacturers of industrial equipment. I have a large number of Siemens devices all around where I work. I do not use Siemens PLCs though, so I am unaffected by this worm.

    This whole thing smells to me like a disgruntled software guy that used to work for Siemens.

  • by Dr. Crash ( 237179 ) on Wednesday September 29, 2010 @09:42AM (#33733708)

    What I don't understand is why the *heck* the SCADA systems running Iran's { illegal | sooper-sekrit | stealth } nuclear weapons program aren't air-gapped! Isn't that something like standard procedure?

  • by Hijacked Public ( 999535 ) on Wednesday September 29, 2010 @09:45AM (#33733740)

    So they should have built their own software to run on S7 PLCs? What country that you know of does that? Do you know of any country that does? If so name them, because I've been to dozens and never seen anything of the sort.

    They could have probably run a lot of their automation with relay logic, but at a significantly increased cost.

  • by NatasRevol ( 731260 ) on Wednesday September 29, 2010 @09:50AM (#33733792) Journal

    Well given that they're running Windows for critical infrastructure & military command centers - apparently without AV, I'd say that yes, they did do it to themselves.

  • by bsDaemon ( 87307 ) on Wednesday September 29, 2010 @09:55AM (#33733836)

    Clinton issued an executive order placing cryptographic software under the dominion of the Commerce Department with regards to export, and the Commerce Department simplified export rules to make things easier. However, they can always take it back, it's not law, just policy.

  • by rtb61 ( 674572 ) on Wednesday September 29, 2010 @09:55AM (#33733844) Homepage

    The catch with the whole theory of a software hack, the Stuxnet worm is far too tightly tied to Iran, hardware is far more likely to be the culprit rather than software. So hardware infrastructure in Iran, well if it was sourced from China or Russia likely safe, except of course if companies headquartered elsewhere were involved.

    So access to Windows source and Siemens PLC seems a must, so that really only leaves two suspects. Now if the worm in industrial plants results in industrial accidents that kill people, then clearly it would be an act of war, which would be pretty stupid because there are far more effective means of crippling infrastructure with far more primitive methods.

  • by Xest ( 935314 ) on Wednesday September 29, 2010 @10:27AM (#33734156)

    On the contrary! I was being nosy and noticed the script right at the top in the opening body tag, hence why I asked why it tries to resize your browser.

  • by MyLongNickName ( 822545 ) on Wednesday September 29, 2010 @10:34AM (#33734222) Journal

    The issuing of executive orders (i.e. making law) is unconstitutional.

    Some people have this opinion. However, that has not been the position of the courts or Congress. In fact this practice has happened since at least the beginning of the nineteenth century (possibly 18th as well... they didn't keep records of exec orders until mid 20th century I think). Thus the rest of your statement is meaningless.

  • by elrous0 ( 869638 ) * on Wednesday September 29, 2010 @10:35AM (#33734234)
    Why is this guy labeled a troll? It's no secret that the Israelis have forced the Palestinians into ghettos for decades now (a sad irony considering that many of the Jews who did this had themselves just come from the Jewish ghettos of Germany), and that bigotry on both sides pervades the country. Even many Jews admit as much [amazon.com], and condemn the radical Zionists who would gladly plow over the Palestinians as if they were animals. I'm no fan of the Palestinians either, BTW, but I'm under no illusions that Israel is just filled with a bunch of innocent, noble, oppressed Jews just trying to live in fucking harmony with the world.
  • by John Hasler ( 414242 ) on Wednesday September 29, 2010 @10:39AM (#33734288) Homepage

    > So access to windows source and Siemens PLC seems a must...

    I see no need for access to Windows source, and anyone can buy the Siemens hardware.

  • by Anonymous Coward on Wednesday September 29, 2010 @10:40AM (#33734298)

    those aquariums were secretly moved...

  • Step one... (Score:2, Insightful)

    by hesaigo999ca ( 786966 ) on Wednesday September 29, 2010 @10:46AM (#33734388) Homepage Journal

    Step one, never ever, link a computer that is critical and/or military in nature. We all hear never should any computer used to control the power grid be placed connected to the internet, follow this rule, as your #1 priority, then the rest follows, no matter how many times you fix it, it will return broken because you are connected to the biggest network of hackers of all, the internet...!

  • by Anonymous Coward on Wednesday September 29, 2010 @11:02AM (#33734584)

    (and which they most likely had to pirate because there are export restrictions against Iran).

    For the US -- there's nothing stopping me selling computer software to Iran, unless that software is of military/nuclear/etc use (you can see the full details of what's not allowed here (the PDF) [businesslink.gov.uk]).

    Iran is deemed a "State Sponsor of Terrorism" - http://www.state.gov/s/ct/c14151.htm
    http://en.wikipedia.org/wiki/Sanctions_against_Iran

    If you sell ANY software to Iran that they *could* then use in their supposed nuclear or ballistic weapons programs, you are fucked. Sure, you can argue your TODO List reminder program is benign, but heck, can you counter that it *could* be used to keep the U235 enrichment on target?? Are you willing to spend the next 20 years in jail for that?

    For the US,
        1. Iran is a state sponsor of terrorism (Hezbollah being one)
        2. Iran wants to develop nuclear capability
        3. Iran is under UN sanctions preventing and restricting sales of dual-use equipment, software and processes.

    I suspect the only computer experts Iran will be talking to will be either,
        1. threatened or put in jail for violating UN sanctions, or
        2. be foreign intelligence officers

  • by bsDaemon ( 87307 ) on Wednesday September 29, 2010 @11:22AM (#33734816)

    So... it's unconstitutional for the Chief Executive to issue an Executive Order to Executive Branch agencies, telling them how he thinks they should act, within their Legislatively mandated authority to craft details of policy implementation within the scope of the legislation in question?

    Just because it's a bitch move doesn't make it unconstitutional.

  • by Anonymous Coward on Wednesday September 29, 2010 @11:25AM (#33734866)

    The web site should be judged on its track record, not on your strange definition of "racism".

  • by penix1 ( 722987 ) on Wednesday September 29, 2010 @12:03PM (#33735418) Homepage

    The issuing of executive orders (i.e. making law) is unconstitutional.

    You are 100% wrong.

    http://legal-dictionary.thefreedictionary.com/Executive+Order [thefreedictionary.com]

    I refer you to the following:

    Absent specific statutory authority, an executive order may have the force and effect of law if Congress has acquiesced in a long-standing executive practice that is well-known to it. For example, in Dames v. Regan, 453 U.S. 654, 101 S. Ct. 2972, 69 L. Ed. 2d 918 (1981), the U.S. Supreme Court upheld various executive orders that suspended claims of U.S. nationals arising out of the Iranian hostage crisis, citing Congress's Acquiescence in a 180-year-old practice of settling U.S. citizens' claims against foreign governments by executive agreement.

    That is settled law, in short, the law of the land. And...

    Executive orders also may be authorized by the president's independent constitutional authority (Cunningham v. Neagle, 135 U.S. 1, 10 S. Ct. 658, 34 L. Ed. 55 [1890]). Various clauses of the U.S. Constitution have been cited to support the issuance of executive orders. Among them are the Vestiture Clause, which states, "The executive Power shall be vested in a President of the United States of America" (art. II, 1, cl. 1); the Take Care Clause, which states that the president "shall take Care that the Laws be faithfully executed" (art. II, 3); and the Commander in Chief Clause, which states that the president "shall be Commander in Chief of the Army and Navy of the United States, and of the Militia of the several States, when called into the actual Service of the United States" (art. II, 2, cl. 1).

    Even though they are executive policies, they still carry the weight of law.

  • by DavidTC ( 10147 ) <slas45dxsvadiv.v ... m ['box' in gap]> on Wednesday September 29, 2010 @12:13PM (#33735550) Homepage

    Um, no.

    The executive branch was granted the power, by Congress, to make rules and regulations about exporting munitions. Previous administrations put the entirety of that power under the State Department, which had really strict rules. Clinton's order just moved encryption under the Commerce Department instead of the State Department, and the Commerce Department is a lot less paranoid. (Other munitions are still under State.)

    I love how people have heard about Bush's illegal signing statements, learn they are like 'executive orders', and now presume all executive orders are illegal.

    Executive orders, and signing statements, (which are just executive orders that get carried along with bills), are mostly used for the president to decide things that are left for him to decide under the law.

    Congress gives the President a budget and the power to do something, he signs the bill and writes an executive order (Or attaches a signing statement to the bill as he signs it, so it will always be with that bill.) making an Office of Doing That Thing in the Department of Whatever, and gives them the money.

    Executive orders are just public statements of policy that the executive branch must follow, they are not 'laws', and they move power around within the executive, they don't give the executive any power.

    Bush, of course, did a lot of nonsense, things like signing a bill into law and, at the same time, asserting that no one has to follow it. This was obviously bad.

    But you really need a basic civics lesson about how the executive works and about how Congress gives it powers. Very often, Congress gives 'regulatory power' over things to the executive, along with a few specific regulations, and the executive branch is in charge of figuring all that out, because you don't want the damn Congress figuring out licensing fees from a Chicago TV station or what roads to build in a national forest. Congress gives the executive branch the power to figure that out, and the President writes orders putting that power under the FCC or the National Parks Service.

    Of course, often Congress does specify where in the executive branch things go, and even creates new offices, which the president cannot override. This is generally frowned upon at levels lower than cabinet positions....Congress creates the top level Departments, and maybe one level below that, but generally shouldn't be micromanaging within the offices, as it makes any sort of reorganization difficult. I.e., they create the Department of Homeland Security, and put the FBI (and others) within it, and assign specific crimes for the FBI to handle...but they shouldn't really be creating offices in the FBI to handle those crimes. (Because, over time, crimes change, and the FBI might find itself with one nearly empty office and one overworked one. I mean, at one time it would have made sense to have a 'train robbery' division.)

    Congress can do that, though, legally. They just shouldn't, and don't, so it's up to the president to issue executive orders.

  • by swb ( 14022 ) on Wednesday September 29, 2010 @12:27PM (#33735788)

    Why should they fear criminal hackers?

    I'm sure during the "orientation" session it was made clear that if they fucked up, there were some scenarios to consider -- like suddenly finding yourself in Pelican Bay State Prison under a new name, starting a 30 year stretch for multiple child molestation convictions.

  • by Dare nMc ( 468959 ) on Wednesday September 29, 2010 @12:59PM (#33736244)

    built their own software to run on S7 PLCs

    To be fair, we're not at a hostile level with Germany, so we may not have the same level of concern, for a foreign based software ownership (Siemens).

    It is fair to say the PLCs don't have to be always accessible from Windows computers, can be disconnected after verified... That connection is likely for SCADA (data logging/monitoring protocol to the S7), which is available for other operating systems.

    A quick search shows these guys, among others:
    http://www.modcomp.com/scada/scada_app.html [modcomp.com]

    So it does seem for critical infrastructure they should have done a better job of hiding the foreign (and closed) software behind non foreign software (or completely disconnected from it.)

  • by kevinNCSU ( 1531307 ) on Wednesday September 29, 2010 @02:08PM (#33737386)
    You're forgetting hackers like to target people miles away with complete anonymity. Not people they work with that hold sub-machine guns, sign their pay checks, and have their complete life's history on file along with polygraph tests.
