Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security News

Stuxnet Authors Made Key Errors 228

Trailrunner7 writes "There is a growing sentiment among security researchers that the programmers behind the Stuxnet attack may not have been the super-elite cadre of developers that they've been mythologized to be in the media. In fact, some experts say that Stuxnet could well have been far more effective and difficult to detect had the attackers not made a few elementary mistakes."
This discussion has been archived. No new comments can be posted.

Stuxnet Authors Made Key Errors

Comments Filter:
  • by vivin ( 671928 ) <vivin.paliath@nOsPam.gmail.com> on Tuesday January 18, 2011 @06:48PM (#34922084) Homepage Journal

    Ok! Ok! I must have, I must have put a decimal point in the wrong place or something. Shit. I always do that. I always mess up some mundane detail.

  • by PatPending ( 953482 ) on Tuesday January 18, 2011 @06:49PM (#34922094)

    "There are a lot of skills needed to write Stuxnet," he said. "Whoever did this needed to know WinCC programming, Step 7, they needed platform process knowledge, the ability to reverse engineer a number of file formats, kernel rootkit development and exploit development. That's a broad set of skills. Does anyone here think they could do all of that?"

    May I have a show of /. hands, please?

    • by Spyware23 ( 1260322 ) on Tuesday January 18, 2011 @06:56PM (#34922144) Homepage

      This is the article worth pointing to on the subject: http://rdist.root.org/2011/01/17/stuxnet-is-embarrassing-not-amazing/ [root.org], not the bullshit linkbait threatpost.com(MERCIAL) "article".

    • I'll raise my hand but only slightly over my shoulder as I don't know EXACTLY what they mean by platform process knowledge, that seems too generic.

      But just about everything else I've either gotten experience with or touched base somewhere.

    • And they probably skipped beta testing too. Oh, look, those same /. hands are still up...
  • Criticism is easy (Score:5, Insightful)

    by mewsenews ( 251487 ) on Tuesday January 18, 2011 @06:51PM (#34922110) Homepage
    It's pretty safe to assume at this point that Stuxnet was developed as an Israel/USA military collaboration. Spokespeople from both countries smirk before saying "no comment" when asked about it. That being said, hackers have huge egos. The types of hackers that present at security conferences even more so. It's tremendously easy for them to pick apart the worm several months after it was discovered and say "oh ho ho, it doesn't encrypt it's command and control communications!!" like they're smarter than the people that built it.
    • Re:Criticism is easy (Score:5, Interesting)

      by fuzzyfuzzyfungus ( 1223518 ) on Tuesday January 18, 2011 @07:18PM (#34922350) Journal
      Easy; but not always invalid. Encrypted command and control communications have been standard in the better purely monetary botnets for at least a few years now.

      Everything is easier from the peanut gallery; but the notion that you have to be at least as good at your game as is a public-ally known strain of criminal in order to be considered for "super-spy" status seems like a very fair rule of thumb.
    • Re:Criticism is easy (Score:5, Interesting)

      by peragrin ( 659227 ) on Tuesday January 18, 2011 @07:37PM (#34922498)

      Smirking isn't a sign of guilt, but merely enjoying the outcome anyways.

      Besides Russia has as much to lose. Think how many billions Russia loses if iran can make it's own fuel for the reactors Russia helped to build?

    • by timeOday ( 582209 ) on Tuesday January 18, 2011 @07:44PM (#34922572)
      What I fail to see in the article is how the virus would have been any more effective had they used the entire bag of tricks. You use what you must, and save the rest for next time.
    • Re: (Score:2, Funny)

      by Anonymous Coward

      Then they should have outsourced it to the chinese and got it done correctly at half the price, Typical American product all show and dosnt do the basics well.

    • Re:Criticism is easy (Score:5, Interesting)

      by aaaaaaargh! ( 1150173 ) on Wednesday January 19, 2011 @05:16AM (#34925394)

      I agree with the OP and want to mention another issue.

        Common encryption algorithms can be detected heuristically with high accuracy. Moreover, the original implementation/source code of the encryption can usually be identified. Perhaps the developers did not want the adversary to find out which implementation they used and for obvious reasons didn't want to use their own implementation. Also, when you use encryption, keys on the C&C endpoints are linked to the malware in a way that cannot plausibly denied -- not very desirable either.

  • Fascinating... (Score:5, Interesting)

    by RsG ( 809189 ) on Tuesday January 18, 2011 @06:53PM (#34922118)

    For those who don't RTFAs, this one has something interesting, not mentioned in the summary. The analyst thought the worm might have started as something else and been re-purposed for sabotage. There might be two separate coder groups, one who made the original program and one who made it into a weapon. The latter group was apparently less skilled, though still would have needed a considerable breadth of knowledge.

    Makes me wonder if the perpetrator might not be one of Iran's less advanced neighbours, instead of the US or Israel. After all, there are plenty of Middle Eastern nations who are worried about Iranian power and expansion. And there's two obvious suspects that would be blamed when it came to light.

    Of course, it could also be that either American or Israeli coders were rushed, understaffed, over-compartmentalized or otherwise had the quality of their work reduced.

    • It could very well have even been a group inside Iran. The recent elections have shown that there are a large group of people opposed to the current regime, most of them youth. Ahmadinejad's main claim to power is that he is protecting Iran from a US invasion(which yet another reason why W's war to avenge daddy was a huge mistake), if he can be shown to be inept at protecting Iran's military interests then he can conceivably be thrown out.
      • Probably a critical group from inside Iran won't have the knowledge of how to operate the centrifugues, let alone doing it stealthy and through commands in a virus...

        Whoever did this had first hand access to Siemens inner secrets

        Also, even in "moderate" groups, I don't think there are many who hate an Iranian A-Bomb. Probably many would be willing to not get it in exchange for better relations/foreign support/avoiding the expenses, but I don't think it is the biggest concern about their government.

        • All you would need is one rogue engineer, not all that improbable.

          Also, even in "moderate" groups, I don't think there are many who hate an Iranian A-Bomb. Probably many would be willing to not get it in exchange for better relations/foreign support/avoiding the expenses, but I don't think it is the biggest concern about their government.

          Thats the brilliance of it, they may be trying to publicly humiliate the regime. They want to show the people that the regime is so incompetent it cannot possibly be
    • by Plugh ( 27537 )

      Two words: Government Job

    • The analysis is retarded. The worm didn't use sophisticated protection mechanisms because those significantly increase the likelihood the the payload wont ever get executed.

      Obviously in a situation like this trying to add obfuscation is entirely useless, either the payload is executed and the damage done or it's not.

    • I don't understand why it's assumed that ugly/bad code must come from developing countries. I have seen plenty of bad code coming out of US/Europeans. Unless there were comments in the code in a different language, there's no way to know who wrote it. In the end, it did its job.
  • by SuperKendall ( 25149 ) on Tuesday January 18, 2011 @06:55PM (#34922132)

    Screwed up details that reveal it could have been built better?

    Well that proves a government was behind it!

  • by matty619 ( 630957 ) on Tuesday January 18, 2011 @06:57PM (#34922152)

    I'm guessing had it come out that it was of Chinese origin, we'd be inundated with articles about how the Chinese are so much smarter than everyone else because the code is just so darned perfect, only the scary Red Chinese could have pulled it off....and America's days are numbered....duck and cover.

    But when it's the US/Israel? Meh...it's not that good.

  • Seems to me, CIA/Mossad devs (if it is in fact one or both of them involved) could have purposely have done it this way to throw anyone trying to figure out who did it, off the trail. These researchers are proving that to be an effective method of dealing with possible tracking.
  • Yeah, sure... (Score:5, Interesting)

    by RichiH ( 749257 ) on Tuesday January 18, 2011 @07:01PM (#34922200) Homepage

    1) From what I read, and I read a lot on that topic, Stuxnet is pretty damn awesome. The exploits alone are estimated to have been worth a seven to eight figure...
    2) Secrecy might not have been a priority.
    3) Maybe they wanted to be detected to drive a point home.
    4) Mindgame question: What if Russia, China or someone else did it and wanted to frame the USA & Israel?

    • by AHuxley ( 892839 )
      Russia is more hands on, look at its own dissidents, press, NGO's, regional independence movements.
      http://en.wikipedia.org/wiki/Alpha_Group [wikipedia.org]
      China floods a country of interest with aid, cash, trade and friendly experts.
      It then extracts needed raw materials for cents on the $ and the drops in the gift of clinics, roads, schools, wells, dams ect. Sort of like the US/UK/Russia did with less coup and arms sales.
      Who deals with code? GCHQ, NSA, BND, CIA and their friends. From weak mass telco crypto product
    • Or how about the US, Israel, Russia, China, the UK and several other countries. If the US knew the Russians were behind it, do you think the CIA is going to announce it to the world, or just do as much damage by keeping their mouth shut. Probably several intelligence agencies knew what what was going on, but sometimes you can do more by knowing when to keep your mouth shut.

  • by Jahava ( 946858 ) on Tuesday January 18, 2011 @07:07PM (#34922250)

    Is there a good source for a technically in-depth list of the mistakes, rather than the vague "ignored several known techniques" summary crap the article discusses?

    • The headline is Slashdot crap. The linked article and another article provided in these comments have security researchers pointing out ways in which Stuxnet could have been written better. This strokes their own egos and ironically provides free design advice to whoever wrote the thing in the first place when they go to create their next weapon.
  • Mistakes, well what do you expect from the lowest cost bidders for this government project?
  • Open source (Score:4, Funny)

    by u19925 ( 613350 ) on Tuesday January 18, 2011 @07:11PM (#34922292)
    The Sutxnet should have been developed using open source model. That way more experts would have seen the code and that would have eliminated all these errors. Maybe I should create a project in SourceForge.

    • 1: SpinUpCentrifuge
      2: BOOL shaking = Alert( "Is Centrifuge shaking violently?" );
      3 if ( ! shaking) FAIL TEST

      • by TWX ( 665546 ) on Tuesday January 18, 2011 @11:48PM (#34924114)

        I know your post was intended for humor, but I have a more serious question that maybe someone can answer...

        Did the modifications to the centrifuge control serve to damage the centrifuge, the contents of the centrifuge, or both? If the point was to damage the centrifuge, then the solution is determining why the centrifuges failed, correcting that, and ordering new centrifuges. If the point was to damage the nuclear material so that it isn't good enough to be used in a bomb, then the solution is to, again, determine why the centrifuges failed, and to figure out if it's possible to reprocess the material a second time to get it right, and if not, to start on a new batch of material. If the point was to do both, then not only do the centrifuges need to turn out bad product, but they have to do it subtly enough to not attract attention while the centrifuges slowly damage themselves, leading to a lot of bad product and a lot of bad centrifuges at the same time. Solution, determine the source of the problem, then replace the centrifuges and start processing again.

        I would think that the goal would be to make the Iranians involved *think* that they were getting the grade of Uranium Hexafluoride that they had planned on while instead delivering to them substandard product, so when they built weapons they had Uranium that either would reach critical mass or else wouldn't be nearly as efficient and would cause a much smaller boom. Achieving this would require not damaging the centrifuges yet damaging what they produce. This would allow an adversary of Iran to take this in to account in both diplomatic circles (being willing to push Iran harder despite the threat of a nuclear exchange) and in military ones (actively planning strategy considering nuclear fizzles), and if that's the case, this worm's discovery means that it's only a short-term problem for the Iranians, not a long-term problem that would allow for strategic thinking. The discovery means that Iran is set back, not thwarted as it would have been if the worm had gone on undetected for years and years, and while expensive for Iran (even if they can reprocess existing product that wasn't processed right the first time), it's not damning to the long term goals.

        • by topham ( 32406 )

          The centrifuges in question are hard to acquire, difficult to maintain and impossible to rebuild from the scrap left over after a significant failure.

        • From what I read it basically made the centrifuge shake itself to death, possibly with some kind of oscillation... while it reported normal readings to the command console.

          While it may have been "sneakier" to throw off what the centrifuges were producing, it would have been a fairly temporary setback once discovered. Destroying the centrifuges after having processed radioactive seems like it would leave a big mess and cost a lot to replace.

  • conspiracy 101 (Score:5, Interesting)

    by Anne Honime ( 828246 ) on Tuesday January 18, 2011 @07:17PM (#34922334)
    It may very well be that the lack of proper cloaking was intentional, for at least two reasons : on the one hand, as long as the aim was reached, there was no need to reveal the full scope of expertise put behind it. Better keep still unknown cloaking techniques in case they may come handy in the future. On the second hand, stuxnet is certainly as much a psychological weapon as it is a technological one. What would be the interest to disrupt Iran's nuclear program if nobody knew what happened ? As such, it's a very good deterrent : any would be rogue third world country willing to go nuclear knows "someone" will take offense and knows that this "someone" has the abilities to bring their program down. But at this point, nobody can pinpoint who this "someone" may be with plausible certainty.
    • Re:conspiracy 101 (Score:5, Insightful)

      by rm999 ( 775449 ) on Tuesday January 18, 2011 @08:49PM (#34923166)

      Yes, Israel WANTS the world to know what happened, and they want the world to know they were involved. This is why Mossad has been gleefully and publicly showing off that Iran's nuclear weapon development has been pushed back years.

      It is odd that a mission that was 100% successful (something even Iran won't deny) is being criticized for not being good enough. Maybe some researchers just wanted their names in the newspaper?

    • And as such, they now know to protect their networks with an appropriate 'air-gap' where critical infrastructure is concerned.

      • It wouldn't have saved them, because as far as I understood what I read, stuxnet used usb keys to replicate and target the systems. Air gap was already a well known practice, but it is based on the assumption no one will leak anything inside the protected part. But the (short) history of social engineering shows plentifully that's seldom the case. There are many ways to entice an accredited human being into breaking that kind of security. You can plant an operative, corrupt an operator, deceit a worker into
  • It's a government IT project, of course it is going to be botched.

  • Points to things been too good?
    The Unabomber manifesto, the use of certain people and devices can point back to/expose groups eg http://en.wikipedia.org/wiki/Gladio_in_Italy [wikipedia.org]
    The early use of a 'new' plastic explosive, a DNA sequence http://www.newscientist.com/article/dn2265-anthrax-attack-bug-identical-to-army-strain.html [newscientist.com] can all be tested. Could the code in a more perfect, more pure, quality form (as found in the wild) ever really point back to teaching methods or something geographical?
    If its still
  • As always... (Score:2, Insightful)

    by Anonymous Coward

    It's much easier to highlight someone else's mistakes than create something that would stand up to the same scrutiny yourself.

  • ...or maybe the creators either didn't care if it was discovered or wanted it to be discovered. If it was Israel, the last time they decided to stop another countries nuclear program, they just flew jets over and bombed it. Not too much subtly in that. It could be that they wanted Iran to eventually find it just so they'd know. Saber rattling does little good if nobody can hear the saber or know who's doing it. Perhaps somebody thought it was more important to let Iran know they were out there and would try
    • Dr. Strangelove: Of course, the whole point of a Doomsday Machine is lost, if you *keep* it a *secret*! Why didn't you tell the world, EH?

      Ambassador de Sadesky: It was to be announced at the Party Congress on Monday. As you know, the Premier loves surprises.

  • Was it more important to have a really amazing virus, or was it more important to get something "good enough" out the door in time?

    I think Stuxnet did pretty well at its intended purpose.

  • This was probably not a western state. There were too many mistakes made.

    Does this mean I'm really Chinese?

  • by PPH ( 736903 )

    ... when can we expect the first service pack?

  • They didn't release it under the GPL.

  • Those developers being outsmarted by a teenage kid makes the idea of government involvement much more believable.

  • If most governments did it, it was sent out to be done by a contractor for the lowest bid. Thus, you got something that made the bare specification and little else.

  • ...if the damn thing worked?

    As has been pointed out by comments in TFA, it's quite possible that security wasn't a major consideration for the virus. Maybe they didn't care to cloak the code. Isn't what really matters that the attack succeeded? I'd take these criticisms a lot more seriously if the Iranians had thwarted the attack and had tracked down the coders. The article just sounds like sour grapes.

  • These errors would never have been occured when Stuxnet were open source.

  • So the worm is not perfect, but who is? They may not have had time to build it into perfection due to time constraints. Maybe they deemed it necessary to release something that worked as soon as possible, instead of when it's too late.

  • So this malware is brilliant at some things but makes rookie mistakes in others.

    Maybe it was some very skilled programmers working in a field they were not fully familiar with?

    Perhaps US and Israel do not have super skilled virus authors on their payroll? I would actually like that to be true.

  • One department in the ultra-semi-secret world of semi-clandestine operations and general screwing around would have been in charge of building the thing to accomplish whatever task it was designed for, though due to rampant compartmentalization, they probably didn't know where it was being aimed.

    Another department was probably in charge of making sure the world found out about it and that the project got plenty of attention so as to continue the psy-ops war against Iran. ("I'm not yet convinced that Iran r

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...